Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1032
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.3 | ||
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP6 | ||
| SUSE | N/A | Public Cloud Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.3 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | N/A | SUSE Manager Proxy 4.3 | ||
| SUSE | N/A | Basesystem Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.2 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP4 | ||
| SUSE | N/A | Public Cloud Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.4 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP4 | ||
| SUSE | N/A | SUSE Manager Retail Branch Server 4.3 | ||
| SUSE | N/A | openSUSE Leap 15.4 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | N/A | openSUSE Leap 15.5 | ||
| SUSE | N/A | SUSE Manager Server 4.3 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | N/A | Legacy Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP4 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | N/A | SUSE Manager Proxy 4.3 LTS | ||
| SUSE | N/A | openSUSE Leap 15.6 | ||
| SUSE | N/A | SUSE Manager Server 4.3 LTS | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP4 | ||
| SUSE | N/A | SUSE Manager Retail Branch Server 4.3 LTS | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | N/A | Development Tools Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | N/A | SUSE Real Time Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.5 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Proxy 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Retail Branch Server 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Server 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Proxy 4.3 LTS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Server 4.3 LTS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing LTSS 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Retail Branch Server 4.3 LTS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-50501",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50501"
},
{
"name": "CVE-2023-53645",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53645"
},
{
"name": "CVE-2023-53562",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53562"
},
{
"name": "CVE-2025-39987",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39987"
},
{
"name": "CVE-2025-39812",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39812"
},
{
"name": "CVE-2025-39997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39997"
},
{
"name": "CVE-2023-53247",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53247"
},
{
"name": "CVE-2023-53648",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53648"
},
{
"name": "CVE-2023-53733",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53733"
},
{
"name": "CVE-2025-39808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39808"
},
{
"name": "CVE-2022-50493",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50493"
},
{
"name": "CVE-2022-50561",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50561"
},
{
"name": "CVE-2022-50498",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50498"
},
{
"name": "CVE-2023-53312",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53312"
},
{
"name": "CVE-2022-50482",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50482"
},
{
"name": "CVE-2022-50527",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50527"
},
{
"name": "CVE-2025-39876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39876"
},
{
"name": "CVE-2025-40029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40029"
},
{
"name": "CVE-2023-53311",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53311"
},
{
"name": "CVE-2025-40037",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40037"
},
{
"name": "CVE-2022-50521",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50521"
},
{
"name": "CVE-2025-39947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39947"
},
{
"name": "CVE-2023-53588",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53588"
},
{
"name": "CVE-2023-53480",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53480"
},
{
"name": "CVE-2023-53303",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53303"
},
{
"name": "CVE-2022-50488",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50488"
},
{
"name": "CVE-2025-39757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39757"
},
{
"name": "CVE-2025-39902",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39902"
},
{
"name": "CVE-2023-53693",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53693"
},
{
"name": "CVE-2025-40043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40043"
},
{
"name": "CVE-2023-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53150"
},
{
"name": "CVE-2022-50484",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50484"
},
{
"name": "CVE-2023-53321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53321"
},
{
"name": "CVE-2025-39772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39772"
},
{
"name": "CVE-2023-53362",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53362"
},
{
"name": "CVE-2022-49053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49053"
},
{
"name": "CVE-2025-39948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39948"
},
{
"name": "CVE-2025-39826",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39826"
},
{
"name": "CVE-2025-39702",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39702"
},
{
"name": "CVE-2025-39973",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39973"
},
{
"name": "CVE-2025-39881",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39881"
},
{
"name": "CVE-2025-39685",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39685"
},
{
"name": "CVE-2025-39761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39761"
},
{
"name": "CVE-2023-53185",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53185"
},
{
"name": "CVE-2023-53674",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53674"
},
{
"name": "CVE-2025-39945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39945"
},
{
"name": "CVE-2023-53421",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53421"
},
{
"name": "CVE-2023-53441",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53441"
},
{
"name": "CVE-2023-53729",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53729"
},
{
"name": "CVE-2023-53245",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53245"
},
{
"name": "CVE-2022-49465",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49465"
},
{
"name": "CVE-2024-56664",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56664"
},
{
"name": "CVE-2025-40100",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40100"
},
{
"name": "CVE-2025-39827",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39827"
},
{
"name": "CVE-2023-53550",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53550"
},
{
"name": "CVE-2023-53578",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53578"
},
{
"name": "CVE-2025-40019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40019"
},
{
"name": "CVE-2023-7324",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7324"
},
{
"name": "CVE-2023-53461",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53461"
},
{
"name": "CVE-2023-53531",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53531"
},
{
"name": "CVE-2025-39828",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39828"
},
{
"name": "CVE-2025-39889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39889"
},
{
"name": "CVE-2023-53601",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53601"
},
{
"name": "CVE-2023-53258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53258"
},
{
"name": "CVE-2022-50562",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50562"
},
{
"name": "CVE-2023-53612",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53612"
},
{
"name": "CVE-2022-50549",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50549"
},
{
"name": "CVE-2023-53429",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53429"
},
{
"name": "CVE-2024-47684",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47684"
},
{
"name": "CVE-2022-50582",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50582"
},
{
"name": "CVE-2023-53653",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53653"
},
{
"name": "CVE-2023-53451",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53451"
},
{
"name": "CVE-2025-40016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40016"
},
{
"name": "CVE-2023-53667",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53667"
},
{
"name": "CVE-2023-53325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53325"
},
{
"name": "CVE-2024-50125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50125"
},
{
"name": "CVE-2023-53616",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53616"
},
{
"name": "CVE-2023-53654",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53654"
},
{
"name": "CVE-2023-53726",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53726"
},
{
"name": "CVE-2023-53394",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53394"
},
{
"name": "CVE-2025-39925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39925"
},
{
"name": "CVE-2023-53659",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53659"
},
{
"name": "CVE-2025-40056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40056"
},
{
"name": "CVE-2025-39911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39911"
},
{
"name": "CVE-2022-50579",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50579"
},
{
"name": "CVE-2025-40052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40052"
},
{
"name": "CVE-2022-50546",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50546"
},
{
"name": "CVE-2023-53605",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53605"
},
{
"name": "CVE-2022-50386",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50386"
},
{
"name": "CVE-2025-38644",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38644"
},
{
"name": "CVE-2025-38692",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38692"
},
{
"name": "CVE-2023-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53209"
},
{
"name": "CVE-2024-50302",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50302"
},
{
"name": "CVE-2025-39701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39701"
},
{
"name": "CVE-2023-53222",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53222"
},
{
"name": "CVE-2023-53264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53264"
},
{
"name": "CVE-2025-40005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40005"
},
{
"name": "CVE-2023-53615",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53615"
},
{
"name": "CVE-2022-50560",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50560"
},
{
"name": "CVE-2023-53686",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53686"
},
{
"name": "CVE-2023-53719",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53719"
},
{
"name": "CVE-2023-53681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53681"
},
{
"name": "CVE-2025-39967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39967"
},
{
"name": "CVE-2023-53519",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53519"
},
{
"name": "CVE-2023-53447",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53447"
},
{
"name": "CVE-2023-53472",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53472"
},
{
"name": "CVE-2023-53533",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53533"
},
{
"name": "CVE-2023-53611",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53611"
},
{
"name": "CVE-2023-53248",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53248"
},
{
"name": "CVE-2025-39709",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39709"
},
{
"name": "CVE-2023-53217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53217"
},
{
"name": "CVE-2023-53491",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53491"
},
{
"name": "CVE-2023-53633",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53633"
},
{
"name": "CVE-2025-39920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39920"
},
{
"name": "CVE-2023-53354",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53354"
},
{
"name": "CVE-2023-53504",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53504"
},
{
"name": "CVE-2025-40058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40058"
},
{
"name": "CVE-2025-38734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38734"
},
{
"name": "CVE-2025-38653",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38653"
},
{
"name": "CVE-2022-50432",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50432"
},
{
"name": "CVE-2023-53713",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53713"
},
{
"name": "CVE-2022-50478",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50478"
},
{
"name": "CVE-2025-38695",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38695"
},
{
"name": "CVE-2023-52923",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52923"
},
{
"name": "CVE-2023-53323",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53323"
},
{
"name": "CVE-2023-53697",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53697"
},
{
"name": "CVE-2025-39949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39949"
},
{
"name": "CVE-2023-53617",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53617"
},
{
"name": "CVE-2022-50532",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50532"
},
{
"name": "CVE-2023-53189",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53189"
},
{
"name": "CVE-2023-53692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53692"
},
{
"name": "CVE-2022-50520",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50520"
},
{
"name": "CVE-2022-50511",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50511"
},
{
"name": "CVE-2023-53309",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53309"
},
{
"name": "CVE-2025-40010",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40010"
},
{
"name": "CVE-2025-39923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39923"
},
{
"name": "CVE-2022-50334",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50334"
},
{
"name": "CVE-2025-39866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39866"
},
{
"name": "CVE-2022-50577",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50577"
},
{
"name": "CVE-2023-53577",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53577"
},
{
"name": "CVE-2025-39751",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39751"
},
{
"name": "CVE-2023-53425",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53425"
},
{
"name": "CVE-2022-50568",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50568"
},
{
"name": "CVE-2023-53235",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53235"
},
{
"name": "CVE-2022-50504",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50504"
},
{
"name": "CVE-2023-53304",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53304"
},
{
"name": "CVE-2022-50523",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50523"
},
{
"name": "CVE-2024-56601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56601"
},
{
"name": "CVE-2023-53339",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53339"
},
{
"name": "CVE-2025-39969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39969"
},
{
"name": "CVE-2023-53567",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53567"
},
{
"name": "CVE-2023-53280",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53280"
},
{
"name": "CVE-2023-53179",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53179"
},
{
"name": "CVE-2025-38706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38706"
},
{
"name": "CVE-2025-39750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39750"
},
{
"name": "CVE-2022-50524",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50524"
},
{
"name": "CVE-2025-38699",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38699"
},
{
"name": "CVE-2023-53603",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53603"
},
{
"name": "CVE-2023-53520",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53520"
},
{
"name": "CVE-2023-53493",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53493"
},
{
"name": "CVE-2023-53665",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53665"
},
{
"name": "CVE-2025-40082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40082"
},
{
"name": "CVE-2023-53576",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53576"
},
{
"name": "CVE-2025-40104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40104"
},
{
"name": "CVE-2023-53492",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53492"
},
{
"name": "CVE-2025-21772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21772"
},
{
"name": "CVE-2023-31248",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31248"
},
{
"name": "CVE-2025-39853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39853"
},
{
"name": "CVE-2023-53221",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53221"
},
{
"name": "CVE-2025-39871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39871"
},
{
"name": "CVE-2022-50566",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50566"
},
{
"name": "CVE-2023-53619",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53619"
},
{
"name": "CVE-2023-53566",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53566"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2023-53602",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53602"
},
{
"name": "CVE-2025-39988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39988"
},
{
"name": "CVE-2023-53462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53462"
},
{
"name": "CVE-2022-50490",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50490"
},
{
"name": "CVE-2025-39675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39675"
},
{
"name": "CVE-2025-39679",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39679"
},
{
"name": "CVE-2025-39763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39763"
},
{
"name": "CVE-2025-40020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40020"
},
{
"name": "CVE-2022-50494",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50494"
},
{
"name": "CVE-2023-53148",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53148"
},
{
"name": "CVE-2025-38693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38693"
},
{
"name": "CVE-2023-53505",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53505"
},
{
"name": "CVE-2025-38685",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38685"
},
{
"name": "CVE-2023-53275",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53275"
},
{
"name": "CVE-2022-50479",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50479"
},
{
"name": "CVE-2023-53700",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53700"
},
{
"name": "CVE-2023-53716",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53716"
},
{
"name": "CVE-2024-50154",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50154"
},
{
"name": "CVE-2023-53183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53183"
},
{
"name": "CVE-2023-53195",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53195"
},
{
"name": "CVE-2025-38008",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38008"
},
{
"name": "CVE-2025-39864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39864"
},
{
"name": "CVE-2025-39730",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39730"
},
{
"name": "CVE-2025-40013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40013"
},
{
"name": "CVE-2023-53319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53319"
},
{
"name": "CVE-2024-57996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57996"
},
{
"name": "CVE-2025-39824",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39824"
},
{
"name": "CVE-2023-53515",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53515"
},
{
"name": "CVE-2023-53420",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53420"
},
{
"name": "CVE-2023-53424",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53424"
},
{
"name": "CVE-2023-53305",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53305"
},
{
"name": "CVE-2025-40049",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40049"
},
{
"name": "CVE-2023-42753",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42753"
},
{
"name": "CVE-2025-38702",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38702"
},
{
"name": "CVE-2023-53177",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53177"
},
{
"name": "CVE-2023-53631",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53631"
},
{
"name": "CVE-2023-53369",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53369"
},
{
"name": "CVE-2022-49563",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49563"
},
{
"name": "CVE-2025-38724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38724"
},
{
"name": "CVE-2023-53641",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53641"
},
{
"name": "CVE-2025-38698",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38698"
},
{
"name": "CVE-2025-38212",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38212"
},
{
"name": "CVE-2023-53328",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53328"
},
{
"name": "CVE-2022-50576",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50576"
},
{
"name": "CVE-2023-53640",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53640"
},
{
"name": "CVE-2025-39739",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39739"
},
{
"name": "CVE-2023-53165",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53165"
},
{
"name": "CVE-2025-39849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39849"
},
{
"name": "CVE-2022-50512",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50512"
},
{
"name": "CVE-2023-53438",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53438"
},
{
"name": "CVE-2023-53238",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53238"
},
{
"name": "CVE-2025-21791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21791"
},
{
"name": "CVE-2022-50519",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50519"
},
{
"name": "CVE-2025-39861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39861"
},
{
"name": "CVE-2023-53600",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53600"
},
{
"name": "CVE-2022-50541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50541"
},
{
"name": "CVE-2025-39743",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39743"
},
{
"name": "CVE-2022-50505",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50505"
},
{
"name": "CVE-2023-53673",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53673"
},
{
"name": "CVE-2025-38712",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38712"
},
{
"name": "CVE-2022-50526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50526"
},
{
"name": "CVE-2023-53662",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53662"
},
{
"name": "CVE-2023-53360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53360"
},
{
"name": "CVE-2023-53707",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53707"
},
{
"name": "CVE-2022-50535",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50535"
},
{
"name": "CVE-2023-53563",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53563"
},
{
"name": "CVE-2023-53698",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53698"
},
{
"name": "CVE-2022-49080",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49080"
},
{
"name": "CVE-2023-53336",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53336"
},
{
"name": "CVE-2023-53426",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53426"
},
{
"name": "CVE-2023-53370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53370"
},
{
"name": "CVE-2023-53448",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53448"
},
{
"name": "CVE-2023-53374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53374"
},
{
"name": "CVE-2023-53384",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53384"
},
{
"name": "CVE-2025-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38727"
},
{
"name": "CVE-2025-38465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38465"
},
{
"name": "CVE-2023-53546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53546"
},
{
"name": "CVE-2025-39970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39970"
},
{
"name": "CVE-2025-40032",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40032"
},
{
"name": "CVE-2025-39981",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39981"
},
{
"name": "CVE-2025-39994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39994"
},
{
"name": "CVE-2025-39732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39732"
},
{
"name": "CVE-2024-50115",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50115"
},
{
"name": "CVE-2023-53367",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53367"
},
{
"name": "CVE-2022-50529",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50529"
},
{
"name": "CVE-2023-53705",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53705"
},
{
"name": "CVE-2022-50485",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50485"
},
{
"name": "CVE-2023-53621",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53621"
},
{
"name": "CVE-2024-53173",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53173"
},
{
"name": "CVE-2023-53457",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53457"
},
{
"name": "CVE-2025-40088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40088"
},
{
"name": "CVE-2025-39845",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39845"
},
{
"name": "CVE-2023-53637",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53637"
},
{
"name": "CVE-2023-53230",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53230"
},
{
"name": "CVE-2023-53397",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53397"
},
{
"name": "CVE-2022-50578",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50578"
},
{
"name": "CVE-2023-53516",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53516"
},
{
"name": "CVE-2022-50551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50551"
},
{
"name": "CVE-2025-38499",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38499"
},
{
"name": "CVE-2022-50564",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50564"
},
{
"name": "CVE-2024-50264",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50264"
},
{
"name": "CVE-2025-40062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40062"
},
{
"name": "CVE-2022-50525",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50525"
},
{
"name": "CVE-2023-53543",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53543"
},
{
"name": "CVE-2022-50503",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50503"
},
{
"name": "CVE-2023-53708",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53708"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2025-38735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38735"
},
{
"name": "CVE-2023-53287",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53287"
},
{
"name": "CVE-2022-50492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50492"
},
{
"name": "CVE-2025-40011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40011"
},
{
"name": "CVE-2024-56600",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56600"
},
{
"name": "CVE-2025-40085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40085"
},
{
"name": "CVE-2023-53350",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53350"
},
{
"name": "CVE-2022-50572",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50572"
},
{
"name": "CVE-2023-53723",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53723"
},
{
"name": "CVE-2023-53721",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53721"
},
{
"name": "CVE-2023-53660",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53660"
},
{
"name": "CVE-2023-53703",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53703"
},
{
"name": "CVE-2023-53585",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53585"
},
{
"name": "CVE-2023-53672",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53672"
},
{
"name": "CVE-2023-53454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53454"
},
{
"name": "CVE-2025-37797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37797"
},
{
"name": "CVE-2023-53731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53731"
},
{
"name": "CVE-2023-53582",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53582"
},
{
"name": "CVE-2023-53322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53322"
},
{
"name": "CVE-2023-53220",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53220"
},
{
"name": "CVE-2025-40012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40012"
},
{
"name": "CVE-2022-48956",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48956"
},
{
"name": "CVE-2023-53552",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53552"
},
{
"name": "CVE-2023-53272",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53272"
},
{
"name": "CVE-2022-50388",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50388"
},
{
"name": "CVE-2023-53210",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53210"
},
{
"name": "CVE-2025-38694",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38694"
},
{
"name": "CVE-2023-53657",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53657"
},
{
"name": "CVE-2023-53568",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53568"
},
{
"name": "CVE-2023-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3772"
},
{
"name": "CVE-2023-53528",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53528"
},
{
"name": "CVE-2023-53656",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53656"
},
{
"name": "CVE-2023-53496",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53496"
},
{
"name": "CVE-2025-38729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38729"
},
{
"name": "CVE-2023-53257",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53257"
},
{
"name": "CVE-2023-53523",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53523"
},
{
"name": "CVE-2023-53555",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53555"
},
{
"name": "CVE-2023-53539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53539"
},
{
"name": "CVE-2022-50563",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50563"
},
{
"name": "CVE-2023-53357",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53357"
},
{
"name": "CVE-2025-38681",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38681"
},
{
"name": "CVE-2023-53574",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53574"
},
{
"name": "CVE-2023-53556",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53556"
},
{
"name": "CVE-2023-53607",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53607"
},
{
"name": "CVE-2025-39968",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39968"
},
{
"name": "CVE-2022-50515",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50515"
},
{
"name": "CVE-2025-38687",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38687"
},
{
"name": "CVE-2022-50499",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50499"
},
{
"name": "CVE-2023-53488",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53488"
},
{
"name": "CVE-2025-39986",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39986"
},
{
"name": "CVE-2022-43945",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43945"
},
{
"name": "CVE-2025-39955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39955"
},
{
"name": "CVE-2023-53356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53356"
},
{
"name": "CVE-2023-53553",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53553"
},
{
"name": "CVE-2023-53572",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53572"
},
{
"name": "CVE-2023-53599",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53599"
},
{
"name": "CVE-2023-53594",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53594"
},
{
"name": "CVE-2023-53510",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53510"
},
{
"name": "CVE-2023-53575",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53575"
},
{
"name": "CVE-2023-53151",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53151"
},
{
"name": "CVE-2025-38715",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38715"
},
{
"name": "CVE-2025-40078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40078"
},
{
"name": "CVE-2022-50580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50580"
},
{
"name": "CVE-2025-39710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39710"
},
{
"name": "CVE-2023-53215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53215"
},
{
"name": "CVE-2025-39895",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39895"
},
{
"name": "CVE-2023-53288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53288"
},
{
"name": "CVE-2024-26584",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26584"
},
{
"name": "CVE-2025-39934",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39934"
},
{
"name": "CVE-2022-50530",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50530"
},
{
"name": "CVE-2023-53722",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53722"
},
{
"name": "CVE-2025-39978",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39978"
},
{
"name": "CVE-2025-39683",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39683"
},
{
"name": "CVE-2023-53352",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53352"
},
{
"name": "CVE-2023-53625",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53625"
},
{
"name": "CVE-2023-53644",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53644"
},
{
"name": "CVE-2025-39794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39794"
},
{
"name": "CVE-2023-53675",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53675"
},
{
"name": "CVE-2023-53291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53291"
},
{
"name": "CVE-2025-39996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39996"
},
{
"name": "CVE-2025-21971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21971"
},
{
"name": "CVE-2025-38085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38085"
},
{
"name": "CVE-2023-53613",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53613"
},
{
"name": "CVE-2023-53564",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53564"
},
{
"name": "CVE-2023-53545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53545"
},
{
"name": "CVE-2023-53538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53538"
},
{
"name": "CVE-2025-39697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39697"
},
{
"name": "CVE-2023-53263",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53263"
},
{
"name": "CVE-2023-53527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53527"
},
{
"name": "CVE-2025-38713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38713"
},
{
"name": "CVE-2025-39938",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39938"
},
{
"name": "CVE-2025-39982",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39982"
},
{
"name": "CVE-2025-39965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39965"
},
{
"name": "CVE-2024-8805",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8805"
},
{
"name": "CVE-2023-53324",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53324"
},
{
"name": "CVE-2023-53465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53465"
},
{
"name": "CVE-2025-39810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39810"
},
{
"name": "CVE-2025-37885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37885"
},
{
"name": "CVE-2023-53368",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53368"
},
{
"name": "CVE-2025-38697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38697"
},
{
"name": "CVE-2025-38000",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38000"
},
{
"name": "CVE-2023-53728",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53728"
},
{
"name": "CVE-2023-53649",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53649"
},
{
"name": "CVE-2025-38691",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38691"
},
{
"name": "CVE-2025-39759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39759"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2022-50575",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50575"
},
{
"name": "CVE-2023-53518",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53518"
},
{
"name": "CVE-2022-50581",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50581"
},
{
"name": "CVE-2025-38083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38083"
},
{
"name": "CVE-2022-50534",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50534"
},
{
"name": "CVE-2025-39860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39860"
},
{
"name": "CVE-2023-53670",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53670"
},
{
"name": "CVE-2025-40091",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40091"
},
{
"name": "CVE-2025-39721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39721"
},
{
"name": "CVE-2023-53604",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53604"
},
{
"name": "CVE-2025-39760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39760"
},
{
"name": "CVE-2025-38718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38718"
},
{
"name": "CVE-2023-53608",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53608"
},
{
"name": "CVE-2025-39673",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39673"
},
{
"name": "CVE-2023-53596",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53596"
},
{
"name": "CVE-2022-50489",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50489"
},
{
"name": "CVE-2025-39839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39839"
},
{
"name": "CVE-2023-53282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53282"
},
{
"name": "CVE-2025-39993",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39993"
},
{
"name": "CVE-2023-53730",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53730"
},
{
"name": "CVE-2023-53717",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53717"
},
{
"name": "CVE-2025-39848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39848"
},
{
"name": "CVE-2023-53583",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53583"
},
{
"name": "CVE-2023-53591",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53591"
},
{
"name": "CVE-2025-39800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39800"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2023-53391",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53391"
},
{
"name": "CVE-2023-53650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53650"
},
{
"name": "CVE-2023-53487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53487"
},
{
"name": "CVE-2023-53547",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53547"
},
{
"name": "CVE-2023-53679",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53679"
},
{
"name": "CVE-2023-53338",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53338"
},
{
"name": "CVE-2023-53696",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53696"
},
{
"name": "CVE-2025-39971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39971"
},
{
"name": "CVE-2023-53231",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53231"
},
{
"name": "CVE-2022-50544",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50544"
},
{
"name": "CVE-2023-53592",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53592"
},
{
"name": "CVE-2023-53206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53206"
},
{
"name": "CVE-2023-53432",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53432"
},
{
"name": "CVE-2022-50497",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50497"
},
{
"name": "CVE-2023-53557",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53557"
},
{
"name": "CVE-2023-53554",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53554"
},
{
"name": "CVE-2023-53724",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53724"
},
{
"name": "CVE-2025-38552",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38552"
},
{
"name": "CVE-2023-53718",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53718"
},
{
"name": "CVE-2025-39882",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39882"
},
{
"name": "CVE-2025-39991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39991"
},
{
"name": "CVE-2023-53542",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53542"
},
{
"name": "CVE-2025-39801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39801"
},
{
"name": "CVE-2023-53709",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53709"
},
{
"name": "CVE-2023-53530",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53530"
},
{
"name": "CVE-2025-39724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39724"
},
{
"name": "CVE-2022-50471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50471"
},
{
"name": "CVE-2023-53666",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53666"
},
{
"name": "CVE-2025-39758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39758"
},
{
"name": "CVE-2025-39694",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39694"
},
{
"name": "CVE-2023-53401",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53401"
},
{
"name": "CVE-2025-39806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39806"
},
{
"name": "CVE-2022-50553",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50553"
},
{
"name": "CVE-2023-53479",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53479"
},
{
"name": "CVE-2023-53658",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53658"
},
{
"name": "CVE-2025-39851",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39851"
},
{
"name": "CVE-2024-53214",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53214"
},
{
"name": "CVE-2023-53313",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53313"
},
{
"name": "CVE-2022-50574",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50574"
},
{
"name": "CVE-2025-39972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39972"
},
{
"name": "CVE-2022-50487",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50487"
},
{
"name": "CVE-2023-53395",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53395"
},
{
"name": "CVE-2025-39684",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39684"
},
{
"name": "CVE-2023-53579",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53579"
},
{
"name": "CVE-2023-53485",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53485"
},
{
"name": "CVE-2023-53589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53589"
},
{
"name": "CVE-2023-53558",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53558"
},
{
"name": "CVE-2025-39870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39870"
},
{
"name": "CVE-2025-38494",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38494"
},
{
"name": "CVE-2025-40018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40018"
},
{
"name": "CVE-2023-53646",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53646"
},
{
"name": "CVE-2022-49014",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49014"
},
{
"name": "CVE-2023-53548",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53548"
},
{
"name": "CVE-2024-53146",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53146"
},
{
"name": "CVE-2023-53365",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53365"
},
{
"name": "CVE-2025-39797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39797"
},
{
"name": "CVE-2025-38725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38725"
},
{
"name": "CVE-2023-53184",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53184"
},
{
"name": "CVE-2022-50556",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50556"
},
{
"name": "CVE-2023-53587",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53587"
},
{
"name": "CVE-2023-53680",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53680"
},
{
"name": "CVE-2025-40102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40102"
},
{
"name": "CVE-2025-37752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37752"
},
{
"name": "CVE-2022-50542",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50542"
},
{
"name": "CVE-2023-53196",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53196"
},
{
"name": "CVE-2023-53501",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53501"
},
{
"name": "CVE-2025-38477",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
},
{
"name": "CVE-2023-53331",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53331"
},
{
"name": "CVE-2025-40071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40071"
},
{
"name": "CVE-2025-38683",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38683"
},
{
"name": "CVE-2024-46818",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46818"
},
{
"name": "CVE-2025-38177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38177"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-39846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39846"
},
{
"name": "CVE-2025-21702",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21702"
},
{
"name": "CVE-2023-53534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53534"
},
{
"name": "CVE-2022-50528",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50528"
},
{
"name": "CVE-2023-53711",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53711"
},
{
"name": "CVE-2023-53152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53152"
},
{
"name": "CVE-2025-39850",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39850"
},
{
"name": "CVE-2024-49860",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49860"
},
{
"name": "CVE-2023-53442",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53442"
},
{
"name": "CVE-2023-53626",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53626"
},
{
"name": "CVE-2025-39844",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39844"
},
{
"name": "CVE-2022-50472",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50472"
},
{
"name": "CVE-2025-39742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39742"
},
{
"name": "CVE-2023-53570",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53570"
},
{
"name": "CVE-2023-53286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53286"
},
{
"name": "CVE-2023-53207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53207"
},
{
"name": "CVE-2023-53687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53687"
},
{
"name": "CVE-2023-53668",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53668"
},
{
"name": "CVE-2023-53560",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53560"
},
{
"name": "CVE-2023-53205",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53205"
},
{
"name": "CVE-2025-39863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39863"
},
{
"name": "CVE-2023-53180",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53180"
},
{
"name": "CVE-2023-53551",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53551"
},
{
"name": "CVE-2023-53385",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53385"
},
{
"name": "CVE-2023-53226",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53226"
},
{
"name": "CVE-2022-50570",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50570"
},
{
"name": "CVE-2024-58240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58240"
},
{
"name": "CVE-2025-39957",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39957"
},
{
"name": "CVE-2023-53571",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53571"
},
{
"name": "CVE-2023-53249",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53249"
},
{
"name": "CVE-2023-53540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53540"
},
{
"name": "CVE-2023-53252",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53252"
},
{
"name": "CVE-2025-39726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39726"
},
{
"name": "CVE-2025-39931",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39931"
},
{
"name": "CVE-2024-53168",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53168"
},
{
"name": "CVE-2023-53364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53364"
},
{
"name": "CVE-2022-50423",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50423"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-39937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39937"
},
{
"name": "CVE-2023-53508",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53508"
},
{
"name": "CVE-2023-53526",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53526"
},
{
"name": "CVE-2025-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40060"
},
{
"name": "CVE-2025-39891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39891"
},
{
"name": "CVE-2025-39790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39790"
},
{
"name": "CVE-2024-53104",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53104"
},
{
"name": "CVE-2023-53255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53255"
},
{
"name": "CVE-2023-53618",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53618"
},
{
"name": "CVE-2025-38680",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38680"
},
{
"name": "CVE-2023-53379",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53379"
},
{
"name": "CVE-2025-39686",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39686"
},
{
"name": "CVE-2025-39798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39798"
},
{
"name": "CVE-2025-39900",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39900"
},
{
"name": "CVE-2025-38495",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38495"
},
{
"name": "CVE-2022-49179",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49179"
},
{
"name": "CVE-2023-53343",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53343"
},
{
"name": "CVE-2023-53204",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53204"
},
{
"name": "CVE-2025-39714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39714"
},
{
"name": "CVE-2023-53704",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53704"
},
{
"name": "CVE-2023-53333",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53333"
},
{
"name": "CVE-2023-53456",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53456"
},
{
"name": "CVE-2023-53638",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53638"
},
{
"name": "CVE-2023-53446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53446"
},
{
"name": "CVE-2024-50301",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50301"
},
{
"name": "CVE-2023-53463",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53463"
},
{
"name": "CVE-2023-53170",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53170"
},
{
"name": "CVE-2023-53260",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53260"
},
{
"name": "CVE-2025-39854",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39854"
},
{
"name": "CVE-2023-53386",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53386"
},
{
"name": "CVE-2025-39984",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39984"
},
{
"name": "CVE-2025-39706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39706"
},
{
"name": "CVE-2025-39869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39869"
},
{
"name": "CVE-2025-39985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39985"
},
{
"name": "CVE-2023-53181",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53181"
},
{
"name": "CVE-2023-53581",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53581"
},
{
"name": "CVE-2024-53156",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53156"
},
{
"name": "CVE-2023-53174",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53174"
},
{
"name": "CVE-2025-39719",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39719"
},
{
"name": "CVE-2025-39952",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39952"
},
{
"name": "CVE-2023-53507",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53507"
},
{
"name": "CVE-2023-53314",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53314"
},
{
"name": "CVE-2022-50470",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50470"
},
{
"name": "CVE-2024-47674",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47674"
},
{
"name": "CVE-2022-50516",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50516"
},
{
"name": "CVE-2023-53647",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53647"
},
{
"name": "CVE-2022-50252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50252"
},
{
"name": "CVE-2025-39713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39713"
},
{
"name": "CVE-2023-53541",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53541"
},
{
"name": "CVE-2023-53316",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53316"
},
{
"name": "CVE-2023-53727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53727"
},
{
"name": "CVE-2022-50475",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50475"
},
{
"name": "CVE-2023-53208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53208"
},
{
"name": "CVE-2025-39756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39756"
},
{
"name": "CVE-2025-38539",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38539"
},
{
"name": "CVE-2023-53580",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53580"
},
{
"name": "CVE-2022-50496",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50496"
},
{
"name": "CVE-2025-38736",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38736"
},
{
"name": "CVE-2025-38498",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38498"
},
{
"name": "CVE-2022-50567",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50567"
},
{
"name": "CVE-2023-53598",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53598"
},
{
"name": "CVE-2023-53167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53167"
},
{
"name": "CVE-2023-53342",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53342"
},
{
"name": "CVE-2023-53663",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53663"
},
{
"name": "CVE-2025-39946",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39946"
},
{
"name": "CVE-2023-53632",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53632"
},
{
"name": "CVE-2025-39693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39693"
},
{
"name": "CVE-2024-56605",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56605"
},
{
"name": "CVE-2023-53490",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53490"
},
{
"name": "CVE-2023-53444",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53444"
},
{
"name": "CVE-2023-53175",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53175"
},
{
"name": "CVE-2023-53622",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53622"
},
{
"name": "CVE-2023-53639",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53639"
},
{
"name": "CVE-2022-50537",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50537"
},
{
"name": "CVE-2023-53699",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53699"
},
{
"name": "CVE-2022-50327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50327"
},
{
"name": "CVE-2023-53274",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53274"
},
{
"name": "CVE-2022-50480",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50480"
},
{
"name": "CVE-2023-39197",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39197"
},
{
"name": "CVE-2025-40036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40036"
},
{
"name": "CVE-2025-39833",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39833"
},
{
"name": "CVE-2025-39676",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39676"
},
{
"name": "CVE-2025-39832",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39832"
},
{
"name": "CVE-2023-53495",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53495"
},
{
"name": "CVE-2025-40000",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40000"
},
{
"name": "CVE-2023-53436",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53436"
},
{
"name": "CVE-2025-39813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39813"
},
{
"name": "CVE-2024-50279",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50279"
},
{
"name": "CVE-2025-38084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38084"
},
{
"name": "CVE-2024-57893",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57893"
},
{
"name": "CVE-2023-53559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53559"
},
{
"name": "CVE-2023-53695",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53695"
},
{
"name": "CVE-2023-53725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53725"
},
{
"name": "CVE-2022-50514",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50514"
},
{
"name": "CVE-2023-53377",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53377"
},
{
"name": "CVE-2023-53500",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53500"
},
{
"name": "CVE-2025-39995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39995"
},
{
"name": "CVE-2025-39847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39847"
},
{
"name": "CVE-2024-47706",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47706"
},
{
"name": "CVE-2025-39783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39783"
},
{
"name": "CVE-2025-40096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40096"
},
{
"name": "CVE-2023-53243",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53243"
},
{
"name": "CVE-2025-38700",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38700"
},
{
"name": "CVE-2022-50513",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50513"
},
{
"name": "CVE-2023-53428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53428"
},
{
"name": "CVE-2022-50545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50545"
},
{
"name": "CVE-2025-39841",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39841"
},
{
"name": "CVE-2023-53651",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53651"
},
{
"name": "CVE-2022-49564",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49564"
},
{
"name": "CVE-2025-39907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39907"
},
{
"name": "CVE-2023-53147",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53147"
},
{
"name": "CVE-2022-50543",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50543"
},
{
"name": "CVE-2023-53292",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53292"
},
{
"name": "CVE-2025-38476",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38476"
},
{
"name": "CVE-2023-53371",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53371"
},
{
"name": "CVE-2022-50559",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50559"
},
{
"name": "CVE-2023-53593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53593"
},
{
"name": "CVE-2022-49545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49545"
},
{
"name": "CVE-2025-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40061"
},
{
"name": "CVE-2023-53187",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53187"
},
{
"name": "CVE-2023-53201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53201"
},
{
"name": "CVE-2024-56650",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56650"
},
{
"name": "CVE-2025-39873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39873"
},
{
"name": "CVE-2023-53652",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53652"
},
{
"name": "CVE-2023-53597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53597"
},
{
"name": "CVE-2023-53192",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53192"
},
{
"name": "CVE-2023-53715",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53715"
},
{
"name": "CVE-2025-38714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38714"
},
{
"name": "CVE-2023-53251",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53251"
},
{
"name": "CVE-2023-53683",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53683"
},
{
"name": "CVE-2023-53380",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53380"
},
{
"name": "CVE-2025-38181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38181"
},
{
"name": "CVE-2025-40051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40051"
},
{
"name": "CVE-2022-50509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50509"
},
{
"name": "CVE-2025-40087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40087"
},
{
"name": "CVE-2024-45016",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45016"
}
],
"initial_release_date": "2025-11-21T00:00:00",
"last_revision_date": "2025-11-21T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1032",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-11-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4128-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254128-1"
},
{
"published_at": "2025-11-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4123-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254123-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4140-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254140-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4141-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254141-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4139-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254139-1"
},
{
"published_at": "2025-11-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4135-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254135-1"
},
{
"published_at": "2025-11-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4111-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254111-1"
},
{
"published_at": "2025-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4149-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254149-1"
},
{
"published_at": "2025-11-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4132-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254132-1"
}
]
}
CVE-2025-39994 (GCVE-0-2025-39994)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.
A typical race condition is illustrated below:
CPU 0 (release thread) | CPU 1 (delayed work callback)
xc5000_release() | xc5000_do_timer_sleep()
cancel_delayed_work() |
hybrid_tuner_release_state(priv) |
kfree(priv) |
| priv = container_of() // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.
A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.
This bug was initially identified through static analysis.
[hverkuil: fix typo in Subject: tunner -> tuner]
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "e2f5eaafc0306a76fb1cb760aae804b065b8a341",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "3f876cd47ed8bca1e28d68435845949f51f90703",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "df0303b4839520b84d9367c2fad65b13650a4d42",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "71ed8b81a4906cb785966910f39cf7f5ad60a69e",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "effb1c19583bca7022fa641a70766de45c6d41ac",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "9a00de20ed8ba90888479749b87bc1532cded4ce",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "4266f012806fc18e46da4a04d130df59a4946f93",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "40b7a19f321e65789612ebaca966472055dab48c",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuner: xc5000: Fix use-after-free in xc5000_release\n\nThe original code uses cancel_delayed_work() in xc5000_release(), which\ndoes not guarantee that the delayed work item timer_sleep has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere xc5000_release() may free the xc5000_priv while timer_sleep is still\nactive and attempts to dereference the xc5000_priv.\n\nA typical race condition is illustrated below:\n\nCPU 0 (release thread) | CPU 1 (delayed work callback)\nxc5000_release() | xc5000_do_timer_sleep()\n cancel_delayed_work() |\n hybrid_tuner_release_state(priv) |\n kfree(priv) |\n | priv = container_of() // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the timer_sleep is properly canceled before the xc5000_priv memory\nis deallocated.\n\nA deadlock concern was considered: xc5000_release() is called in a process\ncontext and is not holding any locks that the timer_sleep work item might\nalso need. Therefore, the use of the _sync() variant is safe here.\n\nThis bug was initially identified through static analysis.\n\n[hverkuil: fix typo in Subject: tunner -\u003e tuner]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:10.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8"
},
{
"url": "https://git.kernel.org/stable/c/e2f5eaafc0306a76fb1cb760aae804b065b8a341"
},
{
"url": "https://git.kernel.org/stable/c/3f876cd47ed8bca1e28d68435845949f51f90703"
},
{
"url": "https://git.kernel.org/stable/c/df0303b4839520b84d9367c2fad65b13650a4d42"
},
{
"url": "https://git.kernel.org/stable/c/71ed8b81a4906cb785966910f39cf7f5ad60a69e"
},
{
"url": "https://git.kernel.org/stable/c/effb1c19583bca7022fa641a70766de45c6d41ac"
},
{
"url": "https://git.kernel.org/stable/c/9a00de20ed8ba90888479749b87bc1532cded4ce"
},
{
"url": "https://git.kernel.org/stable/c/4266f012806fc18e46da4a04d130df59a4946f93"
},
{
"url": "https://git.kernel.org/stable/c/40b7a19f321e65789612ebaca966472055dab48c"
}
],
"title": "media: tuner: xc5000: Fix use-after-free in xc5000_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39994",
"datePublished": "2025-10-15T07:58:19.503Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-29T13:19:10.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53548 (GCVE-0-2023-53548)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
The syzbot fuzzer identified a problem in the usbnet driver:
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
__netdev_start_xmit include/linux/netdevice.h:4918 [inline]
netdev_start_xmit include/linux/netdevice.h:4932 [inline]
xmit_one net/core/dev.c:3578 [inline]
dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...
This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.
The fix is simply to add such a check.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0715d04cf687a7e21f0d6ac8c1d479294a3f6f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53c250ea57cf03af41339234b9855ae284f9db91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a05ac5d00eb7fcb2fda806caa4f56e88df6bc6bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec0d0be41721aca683c5606354a58ee2c687e3f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27d0f755d649d388fcd12f01436c9a33289e14e3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bebbd9b8037a9cc75984317cb495dec4824c399",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dd3e0c31bf3e933fb85faf1443833aef90b8e46",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb\n\nThe syzbot fuzzer identified a problem in the usbnet driver:\n\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb \u003c0f\u003e 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc9000463f568 EFLAGS: 00010086\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001\nRBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003\nR13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453\n __netdev_start_xmit include/linux/netdevice.h:4918 [inline]\n netdev_start_xmit include/linux/netdevice.h:4932 [inline]\n xmit_one net/core/dev.c:3578 [inline]\n dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594\n...\n\nThis bug is caused by the fact that usbnet trusts the bulk endpoint\naddresses its probe routine receives in the driver_info structure, and\nit does not check to see that these endpoints actually exist and have\nthe expected type and directions.\n\nThe fix is simply to add such a check."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:55.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0715d04cf687a7e21f0d6ac8c1d479294a3f6f8"
},
{
"url": "https://git.kernel.org/stable/c/53c250ea57cf03af41339234b9855ae284f9db91"
},
{
"url": "https://git.kernel.org/stable/c/a05ac5d00eb7fcb2fda806caa4f56e88df6bc6bb"
},
{
"url": "https://git.kernel.org/stable/c/ec0d0be41721aca683c5606354a58ee2c687e3f8"
},
{
"url": "https://git.kernel.org/stable/c/27d0f755d649d388fcd12f01436c9a33289e14e3"
},
{
"url": "https://git.kernel.org/stable/c/1bebbd9b8037a9cc75984317cb495dec4824c399"
},
{
"url": "https://git.kernel.org/stable/c/0dd3e0c31bf3e933fb85faf1443833aef90b8e46"
},
{
"url": "https://git.kernel.org/stable/c/5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb"
}
],
"title": "net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53548",
"datePublished": "2025-10-04T15:16:55.612Z",
"dateReserved": "2025-10-04T15:14:15.921Z",
"dateUpdated": "2025-10-04T15:16:55.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53613 (GCVE-0-2023-53613)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dax: Fix dax_mapping_release() use after free
A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region
provider (like modprobe -r dax_hmem) yields:
kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)
[..]
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260
[..]
RIP: 0010:__lock_acquire+0x9fc/0x2260
[..]
Call Trace:
<TASK>
[..]
lock_acquire+0xd4/0x2c0
? ida_free+0x62/0x130
_raw_spin_lock_irqsave+0x47/0x70
? ida_free+0x62/0x130
ida_free+0x62/0x130
dax_mapping_release+0x1f/0x30
device_release+0x36/0x90
kobject_delayed_cleanup+0x46/0x150
Due to attempting ida_free() on an ida object that has already been
freed. Devices typically only hold a reference on their parent while
registered. If a child needs a parent object to complete its release it
needs to hold a reference that it drops from its release callback.
Arrange for a dax_mapping to pin its parent dev_dax instance until
dax_mapping_release().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca Version: 0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dax/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94a85474f5e3e518bdbf8c9f51cb343d734a04f7",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
},
{
"lessThan": "9c2f993b6ca903c030d58451b5bf9ea27d0d17fa",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
},
{
"lessThan": "03859868ab82d57bfdd0cea1bf31f9319a5dded0",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
},
{
"lessThan": "f76db6781d76d8464ec2faa9752cc3fb2e4f6923",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
},
{
"lessThan": "7310b84821f043dcf77d5e6aa0ad55dc1e10a11d",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
},
{
"lessThan": "6d24b170a9db0456f577b1ab01226a2254c016a8",
"status": "affected",
"version": "0b07ce872a9eca1ff88c0eb7f6e92dde127d21ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dax/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndax: Fix dax_mapping_release() use after free\n\nA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region\nprovider (like modprobe -r dax_hmem) yields:\n\n kobject: \u0027mapping0\u0027 (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)\n [..]\n DEBUG_LOCKS_WARN_ON(1)\n WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260\n [..]\n RIP: 0010:__lock_acquire+0x9fc/0x2260\n [..]\n Call Trace:\n \u003cTASK\u003e\n [..]\n lock_acquire+0xd4/0x2c0\n ? ida_free+0x62/0x130\n _raw_spin_lock_irqsave+0x47/0x70\n ? ida_free+0x62/0x130\n ida_free+0x62/0x130\n dax_mapping_release+0x1f/0x30\n device_release+0x36/0x90\n kobject_delayed_cleanup+0x46/0x150\n\nDue to attempting ida_free() on an ida object that has already been\nfreed. Devices typically only hold a reference on their parent while\nregistered. If a child needs a parent object to complete its release it\nneeds to hold a reference that it drops from its release callback.\nArrange for a dax_mapping to pin its parent dev_dax instance until\ndax_mapping_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:20.998Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94a85474f5e3e518bdbf8c9f51cb343d734a04f7"
},
{
"url": "https://git.kernel.org/stable/c/9c2f993b6ca903c030d58451b5bf9ea27d0d17fa"
},
{
"url": "https://git.kernel.org/stable/c/03859868ab82d57bfdd0cea1bf31f9319a5dded0"
},
{
"url": "https://git.kernel.org/stable/c/f76db6781d76d8464ec2faa9752cc3fb2e4f6923"
},
{
"url": "https://git.kernel.org/stable/c/7310b84821f043dcf77d5e6aa0ad55dc1e10a11d"
},
{
"url": "https://git.kernel.org/stable/c/6d24b170a9db0456f577b1ab01226a2254c016a8"
}
],
"title": "dax: Fix dax_mapping_release() use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53613",
"datePublished": "2025-10-04T15:44:20.998Z",
"dateReserved": "2025-10-04T15:40:38.480Z",
"dateUpdated": "2025-10-04T15:44:20.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53304 (GCVE-0-2023-53304)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: fix overlap expiration walk
The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.
Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.
Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.
Lastly, check the genmask of the end interval if this is active in the
current generation.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7ab87a326f20c52ff4d9972052d085be951c704b Version: 181859bdfb9734aca449512fccaee4cacce64aed Version: 4aacf3d78424293e318c616016865380b37b9cc5 Version: 2bf1435fa19d2c58054391b3bba40d5510a5758c Version: 318cb24a4c3fce8140afaf84e4d45fcb76fb280b Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8284a79136c384059e85e278da2210b809730287",
"status": "affected",
"version": "7ab87a326f20c52ff4d9972052d085be951c704b",
"versionType": "git"
},
{
"lessThan": "acaee227cf79c45a5d2d49c3e9a66333a462802c",
"status": "affected",
"version": "181859bdfb9734aca449512fccaee4cacce64aed",
"versionType": "git"
},
{
"lessThan": "893cb3c3513cf661a0ff45fe0cfa83fe27131f76",
"status": "affected",
"version": "4aacf3d78424293e318c616016865380b37b9cc5",
"versionType": "git"
},
{
"lessThan": "50cbb9d195c197af671869c8cadce3bd483735a0",
"status": "affected",
"version": "2bf1435fa19d2c58054391b3bba40d5510a5758c",
"versionType": "git"
},
{
"lessThan": "89a4d1a89751a0fbd520e64091873e19cc0979e8",
"status": "affected",
"version": "318cb24a4c3fce8140afaf84e4d45fcb76fb280b",
"versionType": "git"
},
{
"lessThan": "cd66733932399475fe933cb3ec03e687ed401462",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
},
{
"lessThan": "f718863aca469a109895cb855e6b81fff4827d71",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix overlap expiration walk\n\nThe lazy gc on insert that should remove timed-out entries fails to release\nthe other half of the interval, if any.\n\nCan be reproduced with tests/shell/testcases/sets/0044interval_overlap_0\nin nftables.git and kmemleak enabled kernel.\n\nSecond bug is the use of rbe_prev vs. prev pointer.\nIf rbe_prev() returns NULL after at least one iteration, rbe_prev points\nto element that is not an end interval, hence it should not be removed.\n\nLastly, check the genmask of the end interval if this is active in the\ncurrent generation."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:44.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8284a79136c384059e85e278da2210b809730287"
},
{
"url": "https://git.kernel.org/stable/c/acaee227cf79c45a5d2d49c3e9a66333a462802c"
},
{
"url": "https://git.kernel.org/stable/c/893cb3c3513cf661a0ff45fe0cfa83fe27131f76"
},
{
"url": "https://git.kernel.org/stable/c/50cbb9d195c197af671869c8cadce3bd483735a0"
},
{
"url": "https://git.kernel.org/stable/c/89a4d1a89751a0fbd520e64091873e19cc0979e8"
},
{
"url": "https://git.kernel.org/stable/c/cd66733932399475fe933cb3ec03e687ed401462"
},
{
"url": "https://git.kernel.org/stable/c/f718863aca469a109895cb855e6b81fff4827d71"
}
],
"title": "netfilter: nft_set_rbtree: fix overlap expiration walk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53304",
"datePublished": "2025-09-16T16:11:44.147Z",
"dateReserved": "2025-09-16T08:09:37.994Z",
"dateUpdated": "2025-09-16T16:11:44.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39808 (GCVE-0-2025-39808)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
in ntrig_report_version(), hdev parameter passed from hid_probe().
sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null
if hdev->dev.parent->parent is null, usb_dev has
invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned
when usb_rcvctrlpipe() use usb_dev,it trigger
page fault error for address(0xffffffffffffff58)
add null check logic to ntrig_report_version()
before calling hid_to_usb_dev()
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f Version: 0277873c05158c5efc97c23d52e6aec6250bde0f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:34.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ntrig.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22ddb5eca4af5e69dffe2b54551d2487424448f1",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "019c34ca11372de891c06644846eb41fca7c890c",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "4338b0f6544c3ff042bfbaf40bc9afe531fb08c7",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "6070123d5344d0950f10ef6a5fdc3f076abb7ad2",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "e422370e6ab28478872b914cee5d49a9bdfae0c6",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "98520a9a3d69a530dd1ee280cbe0abc232a35bff",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "183def8e4d786e50165e5d992df6a3083e45e16c",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
},
{
"lessThan": "185c926283da67a72df20a63a5046b3b4631b7d9",
"status": "affected",
"version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-ntrig.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nin ntrig_report_version(), hdev parameter passed from hid_probe().\nsending descriptor to /dev/uhid can make hdev-\u003edev.parent-\u003eparent to null\nif hdev-\u003edev.parent-\u003eparent is null, usb_dev has\ninvalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned\nwhen usb_rcvctrlpipe() use usb_dev,it trigger\npage fault error for address(0xffffffffffffff58)\n\nadd null check logic to ntrig_report_version()\nbefore calling hid_to_usb_dev()"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:46.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22ddb5eca4af5e69dffe2b54551d2487424448f1"
},
{
"url": "https://git.kernel.org/stable/c/019c34ca11372de891c06644846eb41fca7c890c"
},
{
"url": "https://git.kernel.org/stable/c/4338b0f6544c3ff042bfbaf40bc9afe531fb08c7"
},
{
"url": "https://git.kernel.org/stable/c/6070123d5344d0950f10ef6a5fdc3f076abb7ad2"
},
{
"url": "https://git.kernel.org/stable/c/e422370e6ab28478872b914cee5d49a9bdfae0c6"
},
{
"url": "https://git.kernel.org/stable/c/98520a9a3d69a530dd1ee280cbe0abc232a35bff"
},
{
"url": "https://git.kernel.org/stable/c/183def8e4d786e50165e5d992df6a3083e45e16c"
},
{
"url": "https://git.kernel.org/stable/c/185c926283da67a72df20a63a5046b3b4631b7d9"
}
],
"title": "HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39808",
"datePublished": "2025-09-16T13:00:11.242Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:34.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56664 (GCVE-0-2024-56664)
Vulnerability from cvelistv5
Published
2024-12-27 15:06
Modified
2025-11-03 20:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix race between element replace and close()
Element replace (with a socket different from the one stored) may race
with socket's close() link popping & unlinking. __sock_map_delete()
unconditionally unrefs the (wrong) element:
// set map[0] = s0
map_update_elem(map, 0, s0)
// drop fd of s0
close(s0)
sock_map_close()
lock_sock(sk) (s0!)
sock_map_remove_links(sk)
link = sk_psock_link_pop()
sock_map_unlink(sk, link)
sock_map_delete_from_link
// replace map[0] with s1
map_update_elem(map, 0, s1)
sock_map_update_elem
(s1!) lock_sock(sk)
sock_map_update_common
psock = sk_psock(sk)
spin_lock(&stab->lock)
osk = stab->sks[idx]
sock_map_add_link(..., &stab->sks[idx])
sock_map_unref(osk, &stab->sks[idx])
psock = sk_psock(osk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test(&psock))
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
unlock_sock(sk)
__sock_map_delete
spin_lock(&stab->lock)
sk = *psk // s1 replaced s0; sk == s1
if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch
sk = xchg(psk, NULL)
if (sk)
sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle
psock = sk_psock(sk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test())
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
release_sock(sk)
Then close(map) enqueues bpf_map_free_deferred, which finally calls
sock_map_free(). This results in some refcount_t warnings along with
a KASAN splat [1].
Fix __sock_map_delete(), do not allow sock_map_unref() on elements that
may have been replaced.
[1]:
BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330
Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
kasan_check_range+0x10f/0x1e0
sock_map_free+0x10e/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1202:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
unix_create1+0x88/0x8a0
unix_create+0xc5/0x180
__sock_create+0x241/0x650
__sys_socketpair+0x1ce/0x420
__x64_sys_socketpair+0x92/0x100
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 46:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
sk_psock_destroy+0x73e/0xa50
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
The bu
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:52:13.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6deb9e85dc9a2ba4414b91c1b5b00b8415910890",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "fdb2cd8957ac51f84c9e742ba866087944bb834b",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "b79a0d1e9a374d1b376933a354c4fcd01fce0365",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "b015f19fedd2e12283a8450dd0aefce49ec57015",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "bf2318e288f636a882eea39f7e1015623629f168",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "ed1fc5d76b81a4d681211333c026202cad4d5649",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.125",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.67",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.6",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix race between element replace and close()\n\nElement replace (with a socket different from the one stored) may race\nwith socket\u0027s close() link popping \u0026 unlinking. __sock_map_delete()\nunconditionally unrefs the (wrong) element:\n\n// set map[0] = s0\nmap_update_elem(map, 0, s0)\n\n// drop fd of s0\nclose(s0)\n sock_map_close()\n lock_sock(sk) (s0!)\n sock_map_remove_links(sk)\n link = sk_psock_link_pop()\n sock_map_unlink(sk, link)\n sock_map_delete_from_link\n // replace map[0] with s1\n map_update_elem(map, 0, s1)\n sock_map_update_elem\n (s1!) lock_sock(sk)\n sock_map_update_common\n psock = sk_psock(sk)\n spin_lock(\u0026stab-\u003elock)\n osk = stab-\u003esks[idx]\n sock_map_add_link(..., \u0026stab-\u003esks[idx])\n sock_map_unref(osk, \u0026stab-\u003esks[idx])\n psock = sk_psock(osk)\n sk_psock_put(sk, psock)\n if (refcount_dec_and_test(\u0026psock))\n sk_psock_drop(sk, psock)\n spin_unlock(\u0026stab-\u003elock)\n unlock_sock(sk)\n __sock_map_delete\n spin_lock(\u0026stab-\u003elock)\n sk = *psk // s1 replaced s0; sk == s1\n if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch\n sk = xchg(psk, NULL)\n if (sk)\n sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle\n psock = sk_psock(sk)\n sk_psock_put(sk, psock)\n if (refcount_dec_and_test())\n sk_psock_drop(sk, psock)\n spin_unlock(\u0026stab-\u003elock)\n release_sock(sk)\n\nThen close(map) enqueues bpf_map_free_deferred, which finally calls\nsock_map_free(). This results in some refcount_t warnings along with\na KASAN splat [1].\n\nFix __sock_map_delete(), do not allow sock_map_unref() on elements that\nmay have been replaced.\n\n[1]:\nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330\nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063\n\nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\nWorkqueue: events_unbound bpf_map_free_deferred\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n kasan_check_range+0x10f/0x1e0\n sock_map_free+0x10e/0x330\n bpf_map_free_deferred+0x173/0x320\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 1202:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n unix_create1+0x88/0x8a0\n unix_create+0xc5/0x180\n __sock_create+0x241/0x650\n __sys_socketpair+0x1ce/0x420\n __x64_sys_socketpair+0x92/0x100\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 46:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n sk_psock_destroy+0x73e/0xa50\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThe bu\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:01:29.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6deb9e85dc9a2ba4414b91c1b5b00b8415910890"
},
{
"url": "https://git.kernel.org/stable/c/fdb2cd8957ac51f84c9e742ba866087944bb834b"
},
{
"url": "https://git.kernel.org/stable/c/b79a0d1e9a374d1b376933a354c4fcd01fce0365"
},
{
"url": "https://git.kernel.org/stable/c/b015f19fedd2e12283a8450dd0aefce49ec57015"
},
{
"url": "https://git.kernel.org/stable/c/bf2318e288f636a882eea39f7e1015623629f168"
},
{
"url": "https://git.kernel.org/stable/c/ed1fc5d76b81a4d681211333c026202cad4d5649"
}
],
"title": "bpf, sockmap: Fix race between element replace and close()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56664",
"datePublished": "2024-12-27T15:06:26.276Z",
"dateReserved": "2024-12-27T15:00:39.844Z",
"dateUpdated": "2025-11-03T20:52:13.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53365 (GCVE-0-2023-53365)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6mr: Fix skb_under_panic in ip6mr_cache_report()
skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:192!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_panic+0x152/0x1d0
Call Trace:
<TASK>
skb_push+0xc4/0xe0
ip6mr_cache_report+0xd69/0x19b0
reg_vif_xmit+0x406/0x690
dev_hard_start_xmit+0x17e/0x6e0
__dev_queue_xmit+0x2d6a/0x3d20
vlan_dev_hard_start_xmit+0x3ab/0x5c0
dev_hard_start_xmit+0x17e/0x6e0
__dev_queue_xmit+0x2d6a/0x3d20
neigh_connected_output+0x3ed/0x570
ip6_finish_output2+0x5b5/0x1950
ip6_finish_output+0x693/0x11c0
ip6_output+0x24b/0x880
NF_HOOK.constprop.0+0xfd/0x530
ndisc_send_skb+0x9db/0x1400
ndisc_send_rs+0x12a/0x6c0
addrconf_dad_completed+0x3c9/0xea0
addrconf_dad_work+0x849/0x1420
process_one_work+0xa22/0x16e0
worker_thread+0x679/0x10c0
ret_from_fork+0x28/0x60
ret_from_fork_asm+0x11/0x20
When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
reg_vif_xmit()
ip6mr_cache_report()
skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
And skb_push declared as:
void *skb_push(struct sk_buff *skb, unsigned int len);
skb->data -= len;
//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d Version: 14fb64e1f449ef6666f1c3a3fa4e13aec669b98d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a96d74d1076c82a4cef02c150d9996b21354c78d",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "8382e7ed2d63e6c2daf6881fa091526dc6c879cd",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "0438e60a00d4e335b3c36397dbf26c74b5d13ef0",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "1683124129a4263dd5bce2475bab110e95fa0346",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "1bb54a21f4d9b88442f8c3307c780e2db64417e4",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "691a09eecad97e745b9aa0e3918db46d020bdacb",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "3326c711f18d18fe6e1f5d83d3a7eab07e5a1560",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
},
{
"lessThan": "30e0191b16e8a58e4620fa3e2839ddc7b9d4281c",
"status": "affected",
"version": "14fb64e1f449ef6666f1c3a3fa4e13aec669b98d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6mr: Fix skb_under_panic in ip6mr_cache_report()\n\nskbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4\n head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg\n ------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:192!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Workqueue: ipv6_addrconf addrconf_dad_work\n RIP: 0010:skb_panic+0x152/0x1d0\n Call Trace:\n \u003cTASK\u003e\n skb_push+0xc4/0xe0\n ip6mr_cache_report+0xd69/0x19b0\n reg_vif_xmit+0x406/0x690\n dev_hard_start_xmit+0x17e/0x6e0\n __dev_queue_xmit+0x2d6a/0x3d20\n vlan_dev_hard_start_xmit+0x3ab/0x5c0\n dev_hard_start_xmit+0x17e/0x6e0\n __dev_queue_xmit+0x2d6a/0x3d20\n neigh_connected_output+0x3ed/0x570\n ip6_finish_output2+0x5b5/0x1950\n ip6_finish_output+0x693/0x11c0\n ip6_output+0x24b/0x880\n NF_HOOK.constprop.0+0xfd/0x530\n ndisc_send_skb+0x9db/0x1400\n ndisc_send_rs+0x12a/0x6c0\n addrconf_dad_completed+0x3c9/0xea0\n addrconf_dad_work+0x849/0x1420\n process_one_work+0xa22/0x16e0\n worker_thread+0x679/0x10c0\n ret_from_fork+0x28/0x60\n ret_from_fork_asm+0x11/0x20\n\nWhen setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().\nreg_vif_xmit()\n ip6mr_cache_report()\n skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4\nAnd skb_push declared as:\n\tvoid *skb_push(struct sk_buff *skb, unsigned int len);\n\t\tskb-\u003edata -= len;\n\t\t//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850\nskb-\u003edata is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:53.781Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a96d74d1076c82a4cef02c150d9996b21354c78d"
},
{
"url": "https://git.kernel.org/stable/c/8382e7ed2d63e6c2daf6881fa091526dc6c879cd"
},
{
"url": "https://git.kernel.org/stable/c/0438e60a00d4e335b3c36397dbf26c74b5d13ef0"
},
{
"url": "https://git.kernel.org/stable/c/1683124129a4263dd5bce2475bab110e95fa0346"
},
{
"url": "https://git.kernel.org/stable/c/1bb54a21f4d9b88442f8c3307c780e2db64417e4"
},
{
"url": "https://git.kernel.org/stable/c/691a09eecad97e745b9aa0e3918db46d020bdacb"
},
{
"url": "https://git.kernel.org/stable/c/3326c711f18d18fe6e1f5d83d3a7eab07e5a1560"
},
{
"url": "https://git.kernel.org/stable/c/30e0191b16e8a58e4620fa3e2839ddc7b9d4281c"
}
],
"title": "ip6mr: Fix skb_under_panic in ip6mr_cache_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53365",
"datePublished": "2025-09-17T14:56:53.781Z",
"dateReserved": "2025-09-17T14:54:09.733Z",
"dateUpdated": "2025-09-17T14:56:53.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53707 (GCVE-0-2023-53707)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1
The type of size is unsigned int, if size is 0x40000000, there will
be an integer overflow, size will be zero after size *= sizeof(uint32_t),
will cause uninitialized memory to be referenced later.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f55d300541cb5b435984d269087810581580b00",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c3deb091398e9e469d08dd1599b6d76fd6b29df8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "87c2213e85bd81e4a9a4d0880c256568794ae388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix integer overflow in amdgpu_cs_pass1\n\nThe type of size is unsigned int, if size is 0x40000000, there will\nbe an integer overflow, size will be zero after size *= sizeof(uint32_t),\nwill cause uninitialized memory to be referenced later."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:43.822Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f55d300541cb5b435984d269087810581580b00"
},
{
"url": "https://git.kernel.org/stable/c/c3deb091398e9e469d08dd1599b6d76fd6b29df8"
},
{
"url": "https://git.kernel.org/stable/c/87c2213e85bd81e4a9a4d0880c256568794ae388"
}
],
"title": "drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53707",
"datePublished": "2025-10-22T13:23:43.822Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:43.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53485 (GCVE-0-2023-53485)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev
Syzkaller reported the following issue:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6
index -84 is out of range for type 's8[341]' (aka 'signed char[341]')
CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965
dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809
dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350
dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874
dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]
dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863
jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137
lookup_open fs/namei.c:3492 [inline]
open_last_lookups fs/namei.c:3560 [inline]
path_openat+0x13df/0x3170 fs/namei.c:3788
do_filp_open+0x234/0x490 fs/namei.c:3818
do_sys_openat2+0x13f/0x500 fs/open.c:1356
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1383
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1f4e33f7e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The bug occurs when the dbAllocDmapLev()function attempts to access
dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative.
To rectify this, the patch introduces a safeguard within the
dbAllocDmapLev() function. A check has been added to verify if leafidx is
negative. If it is, the function immediately returns an I/O error, preventing
any further execution that could potentially cause harm.
Tested via syzbot.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d9e678a82915633b99603f744e7735d1a673d72",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53b0a362aca2583729e8ca2936ca657ff3247d88",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e7d9d76e5654bcdd3cdb7c9441a8113428ecebb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "911b48eec45152822bccf45cd3563b48256b1520",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39f6292d75959e8accac0b3e24090094ba0824e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bdf07ab1595b613b03f32dbb5cb379edfa1a7334",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2af019091f904ca08b3572ab0111238ad6d17b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e302336d5ca1767a06beee7596a72d3bdc8d983",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6\nindex -84 is out of range for type \u0027s8[341]\u0027 (aka \u0027signed char[341]\u0027)\nCPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965\n dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809\n dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350\n dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874\n dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]\n dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863\n jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137\n lookup_open fs/namei.c:3492 [inline]\n open_last_lookups fs/namei.c:3560 [inline]\n path_openat+0x13df/0x3170 fs/namei.c:3788\n do_filp_open+0x234/0x490 fs/namei.c:3818\n do_sys_openat2+0x13f/0x500 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_openat fs/open.c:1388 [inline]\n __se_sys_openat fs/open.c:1383 [inline]\n __x64_sys_openat+0x247/0x290 fs/open.c:1383\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1f4e33f7e9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9\nRDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c\nRBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThe bug occurs when the dbAllocDmapLev()function attempts to access\ndp-\u003etree.stree[leafidx + LEAFIND] while the leafidx value is negative.\n\nTo rectify this, the patch introduces a safeguard within the\ndbAllocDmapLev() function. A check has been added to verify if leafidx is\nnegative. If it is, the function immediately returns an I/O error, preventing\nany further execution that could potentially cause harm.\n\nTested via syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:53.337Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d9e678a82915633b99603f744e7735d1a673d72"
},
{
"url": "https://git.kernel.org/stable/c/53b0a362aca2583729e8ca2936ca657ff3247d88"
},
{
"url": "https://git.kernel.org/stable/c/6e7d9d76e5654bcdd3cdb7c9441a8113428ecebb"
},
{
"url": "https://git.kernel.org/stable/c/911b48eec45152822bccf45cd3563b48256b1520"
},
{
"url": "https://git.kernel.org/stable/c/39f6292d75959e8accac0b3e24090094ba0824e9"
},
{
"url": "https://git.kernel.org/stable/c/bdf07ab1595b613b03f32dbb5cb379edfa1a7334"
},
{
"url": "https://git.kernel.org/stable/c/f2af019091f904ca08b3572ab0111238ad6d17b3"
},
{
"url": "https://git.kernel.org/stable/c/4e302336d5ca1767a06beee7596a72d3bdc8d983"
}
],
"title": "fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53485",
"datePublished": "2025-10-01T11:42:53.337Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2025-10-01T11:42:53.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38477 (GCVE-0-2025-38477)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-11-03 17:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix race condition on qfq_aggregate
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.
This patch addresses the issue by:
1. Moved qfq_destroy_class into the critical section.
2. Added sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:44.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:15.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"
},
{
"url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"
},
{
"url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"
},
{
"url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"
},
{
"url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"
},
{
"url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"
},
{
"url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"
},
{
"url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"
}
],
"title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38477",
"datePublished": "2025-07-28T11:21:38.319Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-11-03T17:38:44.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50503 (GCVE-0-2022-50503)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: lpddr2_nvm: Fix possible null-ptr-deref
It will cause null-ptr-deref when resource_size(add_range) invoked,
if platform_get_resource() returns NULL.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 Version: 96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/lpddr/lpddr2_nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d10bd7416e8383340b5524b8d616b8ad01ef1e1",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "bb9ccb6121ec4140d366147aa866ceb5a21a8d3d",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "e6aafb57d90ff2c1e18554f3a3c36247a59825ce",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "8eb64dc5a790a529ef49ec94b3337af09dac15d3",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "0919982a1744346269320615615c7deb14106661",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "e0d3e46ac6669cdf1b99bc7b7d92f1221b9a1ff2",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "f82f63b3911f1b2da68a14d9c4babf3b55feca55",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "c4cc41e94d8357f5f02b8ef40257bb23931d8438",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
},
{
"lessThan": "6bdd45d795adf9e73b38ced5e7f750cd199499ff",
"status": "affected",
"version": "96ba9dd65788a0bd2a7d1e57ec78b7642f0ccc25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/lpddr/lpddr2_nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: lpddr2_nvm: Fix possible null-ptr-deref\n\nIt will cause null-ptr-deref when resource_size(add_range) invoked,\nif platform_get_resource() returns NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:52.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d10bd7416e8383340b5524b8d616b8ad01ef1e1"
},
{
"url": "https://git.kernel.org/stable/c/bb9ccb6121ec4140d366147aa866ceb5a21a8d3d"
},
{
"url": "https://git.kernel.org/stable/c/e6aafb57d90ff2c1e18554f3a3c36247a59825ce"
},
{
"url": "https://git.kernel.org/stable/c/8eb64dc5a790a529ef49ec94b3337af09dac15d3"
},
{
"url": "https://git.kernel.org/stable/c/0919982a1744346269320615615c7deb14106661"
},
{
"url": "https://git.kernel.org/stable/c/e0d3e46ac6669cdf1b99bc7b7d92f1221b9a1ff2"
},
{
"url": "https://git.kernel.org/stable/c/f82f63b3911f1b2da68a14d9c4babf3b55feca55"
},
{
"url": "https://git.kernel.org/stable/c/c4cc41e94d8357f5f02b8ef40257bb23931d8438"
},
{
"url": "https://git.kernel.org/stable/c/6bdd45d795adf9e73b38ced5e7f750cd199499ff"
}
],
"title": "mtd: lpddr2_nvm: Fix possible null-ptr-deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50503",
"datePublished": "2025-10-04T15:43:52.845Z",
"dateReserved": "2025-10-04T15:39:19.465Z",
"dateUpdated": "2025-10-04T15:43:52.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53490 (GCVE-0-2023-53490)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix disconnect vs accept race
Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in
recvmsg()"), the mptcp protocol is still prone to a race between
disconnect() (or shutdown) and accept.
The root cause is that the mentioned commit checks the msk-level
flag, but mptcp_stream_accept() does acquire the msk-level lock,
as it can rely directly on the first subflow lock.
As reported by Christoph than can lead to a race where an msk
socket is accepted after that mptcp_subflow_queue_clean() releases
the listener socket lock and just before it takes destructive
actions leading to the following splat:
BUG: kernel NULL pointer dereference, address: 0000000000000012
PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330
Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89
RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300
RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a
RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020
R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880
FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_accept+0x1ae/0x260 net/socket.c:1872
__sys_accept4+0x9b/0x110 net/socket.c:1913
__do_sys_accept4 net/socket.c:1954 [inline]
__se_sys_accept4 net/socket.c:1951 [inline]
__x64_sys_accept4+0x20/0x30 net/socket.c:1951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Address the issue by temporary removing the pending request socket
from the accept queue, so that racing accept() can't touch them.
After depleting the msk - the ssk still exists, as plain TCP sockets,
re-insert them into the accept queue, so that later inet_csk_listen_stop()
will complete the tcp socket disposal.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ded9f5551ce5cafa3c41c794428c27a0d0a00542",
"status": "affected",
"version": "b45d8f5375eda3ddc89fe529b58bb643917bd87b",
"versionType": "git"
},
{
"lessThan": "b2b4c84eb7149f34c0f25f17042d095ba5357d68",
"status": "affected",
"version": "2a6a870e44dd88f1a6a2893c65ef756a9edfb4c7",
"versionType": "git"
},
{
"lessThan": "511b90e39250135a7f900f1c3afbce25543018a2",
"status": "affected",
"version": "2a6a870e44dd88f1a6a2893c65ef756a9edfb4c7",
"versionType": "git"
},
{
"status": "affected",
"version": "64b66601308dae6105fbde964a339462a29c2a73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix disconnect vs accept race\n\nDespite commit 0ad529d9fd2b (\"mptcp: fix possible divide by zero in\nrecvmsg()\"), the mptcp protocol is still prone to a race between\ndisconnect() (or shutdown) and accept.\n\nThe root cause is that the mentioned commit checks the msk-level\nflag, but mptcp_stream_accept() does acquire the msk-level lock,\nas it can rely directly on the first subflow lock.\n\nAs reported by Christoph than can lead to a race where an msk\nsocket is accepted after that mptcp_subflow_queue_clean() releases\nthe listener socket lock and just before it takes destructive\nactions leading to the following splat:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\nPGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330\nCode: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 \u003c0f\u003e b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89\nRSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300\nRDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a\nRBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020\nR13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880\nFS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n do_accept+0x1ae/0x260 net/socket.c:1872\n __sys_accept4+0x9b/0x110 net/socket.c:1913\n __do_sys_accept4 net/socket.c:1954 [inline]\n __se_sys_accept4 net/socket.c:1951 [inline]\n __x64_sys_accept4+0x20/0x30 net/socket.c:1951\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nAddress the issue by temporary removing the pending request socket\nfrom the accept queue, so that racing accept() can\u0027t touch them.\n\nAfter depleting the msk - the ssk still exists, as plain TCP sockets,\nre-insert them into the accept queue, so that later inet_csk_listen_stop()\nwill complete the tcp socket disposal."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:42.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ded9f5551ce5cafa3c41c794428c27a0d0a00542"
},
{
"url": "https://git.kernel.org/stable/c/b2b4c84eb7149f34c0f25f17042d095ba5357d68"
},
{
"url": "https://git.kernel.org/stable/c/511b90e39250135a7f900f1c3afbce25543018a2"
}
],
"title": "mptcp: fix disconnect vs accept race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53490",
"datePublished": "2025-10-01T11:45:42.182Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:42.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50578 (GCVE-0-2022-50578)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
class: fix possible memory leak in __class_register()
If class_add_groups() returns error, the 'cp->subsys' need be
unregister, and the 'cp' need be freed.
We can not call kset_unregister() here, because the 'cls' will
be freed in callback function class_release() and it's also
freed in caller's error path, it will cause double free.
So fix this by calling kobject_del() and kfree_const(name) to
cleanup kobject. Besides, call kfree() to free the 'cp'.
Fault injection test can trigger this:
unreferenced object 0xffff888102fa8190 (size 8):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 8 bytes):
70 6b 74 63 64 76 64 00 pktcdvd.
backtrace:
[<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320
[<000000005e4d70bc>] kstrdup+0x3a/0x70
[<00000000c2e5e85a>] kstrdup_const+0x68/0x80
[<000000000049a8c7>] kvasprintf_const+0x10b/0x190
[<0000000029123163>] kobject_set_name_vargs+0x56/0x150
[<00000000747219c9>] kobject_set_name+0xab/0xe0
[<0000000005f1ea4e>] __class_register+0x15c/0x49a
unreferenced object 0xffff888037274000 (size 1024):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 32 bytes):
00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7....
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
backtrace:
[<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0
[<00000000ecf3dd95>] __class_register+0x86/0x49a
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 Version: ced6473e7486702f530a49f886b73195e4977734 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4efa5443817c1b6de22d401aeca5b2481e835f8c",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3e0efc3f3f5e5c73996782f8db69963e501bb878",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "18a7200646958cf8e1b8a933de08122fc50676cd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "e764ad5918a099ebeb909ccff83893a714e497e1",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "abaedb68a769e6bf36836b55a2f49b531c5f3f7b",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "8c3e8a6bdb5253b97ad532570f8b5db5f7a06407",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix possible memory leak in __class_register()\n\nIf class_add_groups() returns error, the \u0027cp-\u003esubsys\u0027 need be\nunregister, and the \u0027cp\u0027 need be freed.\n\nWe can not call kset_unregister() here, because the \u0027cls\u0027 will\nbe freed in callback function class_release() and it\u0027s also\nfreed in caller\u0027s error path, it will cause double free.\n\nSo fix this by calling kobject_del() and kfree_const(name) to\ncleanup kobject. Besides, call kfree() to free the \u0027cp\u0027.\n\nFault injection test can trigger this:\n\nunreferenced object 0xffff888102fa8190 (size 8):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 8 bytes):\n 70 6b 74 63 64 76 64 00 pktcdvd.\n backtrace:\n [\u003c00000000e7c7703d\u003e] __kmalloc_track_caller+0x1ae/0x320\n [\u003c000000005e4d70bc\u003e] kstrdup+0x3a/0x70\n [\u003c00000000c2e5e85a\u003e] kstrdup_const+0x68/0x80\n [\u003c000000000049a8c7\u003e] kvasprintf_const+0x10b/0x190\n [\u003c0000000029123163\u003e] kobject_set_name_vargs+0x56/0x150\n [\u003c00000000747219c9\u003e] kobject_set_name+0xab/0xe0\n [\u003c0000000005f1ea4e\u003e] __class_register+0x15c/0x49a\n\nunreferenced object 0xffff888037274000 (size 1024):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 32 bytes):\n 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@\u00277.....@\u00277....\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n backtrace:\n [\u003c00000000151f9600\u003e] kmem_cache_alloc_trace+0x17c/0x2f0\n [\u003c00000000ecf3dd95\u003e] __class_register+0x86/0x49a"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:31.565Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4efa5443817c1b6de22d401aeca5b2481e835f8c"
},
{
"url": "https://git.kernel.org/stable/c/3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd"
},
{
"url": "https://git.kernel.org/stable/c/3e0efc3f3f5e5c73996782f8db69963e501bb878"
},
{
"url": "https://git.kernel.org/stable/c/18a7200646958cf8e1b8a933de08122fc50676cd"
},
{
"url": "https://git.kernel.org/stable/c/417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7"
},
{
"url": "https://git.kernel.org/stable/c/e764ad5918a099ebeb909ccff83893a714e497e1"
},
{
"url": "https://git.kernel.org/stable/c/abaedb68a769e6bf36836b55a2f49b531c5f3f7b"
},
{
"url": "https://git.kernel.org/stable/c/8c3e8a6bdb5253b97ad532570f8b5db5f7a06407"
}
],
"title": "class: fix possible memory leak in __class_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50578",
"datePublished": "2025-10-22T13:23:31.565Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:31.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39676 (GCVE-0-2025-39676)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla4xxx: Prevent a potential error pointer dereference
The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,
but qla4xxx_ep_connect() returns error pointers. Propagating the error
pointers will lead to an Oops in the caller, so change the error pointers
to NULL.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be Version: 13483730a13bef372894aefcf73760f5c6c297be |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:10.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla4xxx/ql4_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0225f41ee70611ca88ccb22c8542ecdfa7faea8",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "ad8a9d38d30c691a77c456e72b78f7932d4f234d",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "325bf7d57c4e2a341e381c5805e454fb69dd78c3",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "46288d12d1c30d08fbeffd05abc079f57a43a2d4",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "f5ad0819f902b4b33591791b92a0350fb3692a6b",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "f1424c830d6ce840341aac33fe99c8ac45447ac1",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "f4bc3cdfe95115191e24592bbfc15f1d4a705a75",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
},
{
"lessThan": "9dcf111dd3e7ed5fce82bb108e3a3fc001c07225",
"status": "affected",
"version": "13483730a13bef372894aefcf73760f5c6c297be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla4xxx/ql4_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Prevent a potential error pointer dereference\n\nThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,\nbut qla4xxx_ep_connect() returns error pointers. Propagating the error\npointers will lead to an Oops in the caller, so change the error pointers\nto NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:11.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0225f41ee70611ca88ccb22c8542ecdfa7faea8"
},
{
"url": "https://git.kernel.org/stable/c/ad8a9d38d30c691a77c456e72b78f7932d4f234d"
},
{
"url": "https://git.kernel.org/stable/c/325bf7d57c4e2a341e381c5805e454fb69dd78c3"
},
{
"url": "https://git.kernel.org/stable/c/46288d12d1c30d08fbeffd05abc079f57a43a2d4"
},
{
"url": "https://git.kernel.org/stable/c/f5ad0819f902b4b33591791b92a0350fb3692a6b"
},
{
"url": "https://git.kernel.org/stable/c/f1424c830d6ce840341aac33fe99c8ac45447ac1"
},
{
"url": "https://git.kernel.org/stable/c/f4bc3cdfe95115191e24592bbfc15f1d4a705a75"
},
{
"url": "https://git.kernel.org/stable/c/9dcf111dd3e7ed5fce82bb108e3a3fc001c07225"
}
],
"title": "scsi: qla4xxx: Prevent a potential error pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39676",
"datePublished": "2025-09-05T17:20:42.270Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-11-03T17:42:10.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38735 (GCVE-0-2025-38735)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: prevent ethtool ops after shutdown
A crash can occur if an ethtool operation is invoked
after shutdown() is called.
shutdown() is invoked during system shutdown to stop DMA operations
without performing expensive deallocations. It is discouraged to
unregister the netdev in this path, so the device may still be visible
to userspace and kernel helpers.
In gve, shutdown() tears down most internal data structures. If an
ethtool operation is dispatched after shutdown(), it will dereference
freed or NULL pointers, leading to a kernel panic. While graceful
shutdown normally quiesces userspace before invoking the reboot
syscall, forced shutdowns (as observed on GCP VMs) can still trigger
this path.
Fix by calling netif_device_detach() in shutdown().
This marks the device as detached so the ethtool ioctl handler
will skip dispatching operations to the driver.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:05.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48a4e89d50e8ea52e800bc7865970b92fcf4647c",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "ba51d73408edf815cbaeab148625576c2dd90192",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "a7efffeecb881b4649fdc30de020ef910f35d646",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "9d8a41e9a4ff83ff666de811e7f012167cdc00e9",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
},
{
"lessThan": "75a9a46d67f46d608205888f9b34e315c1786345",
"status": "affected",
"version": "974365e518617c9ce917f61aacbba07e4bedcca0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: prevent ethtool ops after shutdown\n\nA crash can occur if an ethtool operation is invoked\nafter shutdown() is called.\n\nshutdown() is invoked during system shutdown to stop DMA operations\nwithout performing expensive deallocations. It is discouraged to\nunregister the netdev in this path, so the device may still be visible\nto userspace and kernel helpers.\n\nIn gve, shutdown() tears down most internal data structures. If an\nethtool operation is dispatched after shutdown(), it will dereference\nfreed or NULL pointers, leading to a kernel panic. While graceful\nshutdown normally quiesces userspace before invoking the reboot\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\nthis path.\n\nFix by calling netif_device_detach() in shutdown().\nThis marks the device as detached so the ethtool ioctl handler\nwill skip dispatching operations to the driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:04.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48a4e89d50e8ea52e800bc7865970b92fcf4647c"
},
{
"url": "https://git.kernel.org/stable/c/ba51d73408edf815cbaeab148625576c2dd90192"
},
{
"url": "https://git.kernel.org/stable/c/a7efffeecb881b4649fdc30de020ef910f35d646"
},
{
"url": "https://git.kernel.org/stable/c/9d8a41e9a4ff83ff666de811e7f012167cdc00e9"
},
{
"url": "https://git.kernel.org/stable/c/75a9a46d67f46d608205888f9b34e315c1786345"
}
],
"title": "gve: prevent ethtool ops after shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38735",
"datePublished": "2025-09-05T17:20:35.459Z",
"dateReserved": "2025-04-16T04:51:24.034Z",
"dateUpdated": "2025-11-03T17:42:05.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49563 (GCVE-0-2022-49563)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - add param check for RSA
Reject requests with a source buffer that is bigger than the size of the
key. This is to prevent a possible integer underflow that might happen
when copying the source scatterlist into a linear buffer.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:10.210375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d6d2adce08788b7667a6e58002682ea1bbf6a79",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
},
{
"lessThan": "f993321e50ba7a8ba4f5b19939e1772a921a1c42",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
},
{
"lessThan": "9714061423b8b24b8afb31b8eb4df977c63f19c4",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for RSA\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:08.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d6d2adce08788b7667a6e58002682ea1bbf6a79"
},
{
"url": "https://git.kernel.org/stable/c/f993321e50ba7a8ba4f5b19939e1772a921a1c42"
},
{
"url": "https://git.kernel.org/stable/c/9714061423b8b24b8afb31b8eb4df977c63f19c4"
}
],
"title": "crypto: qat - add param check for RSA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49563",
"datePublished": "2025-02-26T02:23:10.252Z",
"dateReserved": "2025-02-26T02:08:31.591Z",
"dateUpdated": "2025-10-01T19:46:38.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53566 (GCVE-0-2023-53566)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: fix null deref on element insertion
There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
nft_add_set_elem+0x14b0/0x2990
nf_tables_newsetelem+0x528/0xb30
Furthermore, there is a possible use-after-free while iterating,
'node' can be free'd so we need to cache the next value to use.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7ab87a326f20c52ff4d9972052d085be951c704b Version: 181859bdfb9734aca449512fccaee4cacce64aed Version: 4aacf3d78424293e318c616016865380b37b9cc5 Version: 2bf1435fa19d2c58054391b3bba40d5510a5758c Version: 318cb24a4c3fce8140afaf84e4d45fcb76fb280b Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b76db53ee8802ee5683f8cb401d7e2ec6f9b3d56",
"status": "affected",
"version": "7ab87a326f20c52ff4d9972052d085be951c704b",
"versionType": "git"
},
{
"lessThan": "899aa5638568abf5d69de7a7bb95e4615157375b",
"status": "affected",
"version": "181859bdfb9734aca449512fccaee4cacce64aed",
"versionType": "git"
},
{
"lessThan": "3fa13203b6d90cc3a33af47b058739f92ab82eef",
"status": "affected",
"version": "4aacf3d78424293e318c616016865380b37b9cc5",
"versionType": "git"
},
{
"lessThan": "ec5caa765f7f6960011c919c9aeb1467940421f6",
"status": "affected",
"version": "2bf1435fa19d2c58054391b3bba40d5510a5758c",
"versionType": "git"
},
{
"lessThan": "a836be60a3aabcedcd9c79f545d409ace1f20ba6",
"status": "affected",
"version": "318cb24a4c3fce8140afaf84e4d45fcb76fb280b",
"versionType": "git"
},
{
"lessThan": "a337706c1fb35aac3f26b48aca80421bdbe1d33a",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
},
{
"lessThan": "61ae320a29b0540c16931816299eb86bf2b66c08",
"status": "affected",
"version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix null deref on element insertion\n\nThere is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n nft_add_set_elem+0x14b0/0x2990\n nf_tables_newsetelem+0x528/0xb30\n\nFurthermore, there is a possible use-after-free while iterating,\n\u0027node\u0027 can be free\u0027d so we need to cache the next value to use."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:08.598Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b76db53ee8802ee5683f8cb401d7e2ec6f9b3d56"
},
{
"url": "https://git.kernel.org/stable/c/899aa5638568abf5d69de7a7bb95e4615157375b"
},
{
"url": "https://git.kernel.org/stable/c/3fa13203b6d90cc3a33af47b058739f92ab82eef"
},
{
"url": "https://git.kernel.org/stable/c/ec5caa765f7f6960011c919c9aeb1467940421f6"
},
{
"url": "https://git.kernel.org/stable/c/a836be60a3aabcedcd9c79f545d409ace1f20ba6"
},
{
"url": "https://git.kernel.org/stable/c/a337706c1fb35aac3f26b48aca80421bdbe1d33a"
},
{
"url": "https://git.kernel.org/stable/c/61ae320a29b0540c16931816299eb86bf2b66c08"
}
],
"title": "netfilter: nft_set_rbtree: fix null deref on element insertion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53566",
"datePublished": "2025-10-04T15:17:08.598Z",
"dateReserved": "2025-10-04T15:14:15.924Z",
"dateUpdated": "2025-10-04T15:17:08.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53541 (GCVE-0-2023-53541)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
When the oob buffer length is not in multiple of words, the oob write
function does out-of-bounds read on the oob source buffer at the last
iteration. Fix that by always checking length limit on the oob buffer
read and fill with 0xff when reaching the end of the buffer to the oob
registers.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 Version: 27c5b17cd1b10564fa36f8f51e4b4b41436ecc32 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/brcmnand/brcmnand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bc3d6ac704ea7263175ea3da663fdbbb7f3dd8b",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "14b1d00520b4d6a4818364334ce472b79cfc8976",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "aae45746f4aee9818296e0500e0703e9d8caa5b8",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "d00b031266514a9395124704630b056a5185ec17",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "2353b7bb61e45e7cfd21505d0c6747ac8c9496a1",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "45fe4ad7f439799ee1b7b5f80bf82e8b34a98d25",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "648d1150a688698e37f7aaf302860180901cb30e",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
},
{
"lessThan": "5d53244186c9ac58cb88d76a0958ca55b83a15cd",
"status": "affected",
"version": "27c5b17cd1b10564fa36f8f51e4b4b41436ecc32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/brcmnand/brcmnand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write\n\nWhen the oob buffer length is not in multiple of words, the oob write\nfunction does out-of-bounds read on the oob source buffer at the last\niteration. Fix that by always checking length limit on the oob buffer\nread and fill with 0xff when reaching the end of the buffer to the oob\nregisters."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:50.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bc3d6ac704ea7263175ea3da663fdbbb7f3dd8b"
},
{
"url": "https://git.kernel.org/stable/c/14b1d00520b4d6a4818364334ce472b79cfc8976"
},
{
"url": "https://git.kernel.org/stable/c/aae45746f4aee9818296e0500e0703e9d8caa5b8"
},
{
"url": "https://git.kernel.org/stable/c/d00b031266514a9395124704630b056a5185ec17"
},
{
"url": "https://git.kernel.org/stable/c/2353b7bb61e45e7cfd21505d0c6747ac8c9496a1"
},
{
"url": "https://git.kernel.org/stable/c/45fe4ad7f439799ee1b7b5f80bf82e8b34a98d25"
},
{
"url": "https://git.kernel.org/stable/c/648d1150a688698e37f7aaf302860180901cb30e"
},
{
"url": "https://git.kernel.org/stable/c/5d53244186c9ac58cb88d76a0958ca55b83a15cd"
}
],
"title": "mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53541",
"datePublished": "2025-10-04T15:16:50.765Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2025-10-04T15:16:50.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40080 (GCVE-0-2025-40080)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: restrict sockets to TCP and UDP
Recently, syzbot started to abuse NBD with all kinds of sockets.
Commit cf1b2326b734 ("nbd: verify socket is supported during setup")
made sure the socket supported a shutdown() method.
Explicitely accept TCP and UNIX stream sockets.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cf1b2326b734896734c6e167e41766f9cee7686a Version: cf1b2326b734896734c6e167e41766f9cee7686a Version: cf1b2326b734896734c6e167e41766f9cee7686a Version: cf1b2326b734896734c6e167e41766f9cee7686a Version: cf1b2326b734896734c6e167e41766f9cee7686a Version: 4df728651b8a99693c69962d8e5a5b9e5a3bbcc7 Version: 083322455c67d278c56a66b73f1221f004ee600a Version: 4fa1cbd587ef967812f9d9f6ce46ec1dead7502c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c365e8f20f4201d873a70385bd919f0fb531e960",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "37ad11f20e164c23ce827dd455b42c0fdd29685c",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "808e2335bc1cf2293b9e36ccc94c267c81509c71",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "9f7c02e031570e8291a63162c6c046dc15ff85b0",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"status": "affected",
"version": "4df728651b8a99693c69962d8e5a5b9e5a3bbcc7",
"versionType": "git"
},
{
"status": "affected",
"version": "083322455c67d278c56a66b73f1221f004ee600a",
"versionType": "git"
},
{
"status": "affected",
"version": "4fa1cbd587ef967812f9d9f6ce46ec1dead7502c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitely accept TCP and UNIX stream sockets."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:44.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c365e8f20f4201d873a70385bd919f0fb531e960"
},
{
"url": "https://git.kernel.org/stable/c/4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7"
},
{
"url": "https://git.kernel.org/stable/c/37ad11f20e164c23ce827dd455b42c0fdd29685c"
},
{
"url": "https://git.kernel.org/stable/c/808e2335bc1cf2293b9e36ccc94c267c81509c71"
},
{
"url": "https://git.kernel.org/stable/c/9f7c02e031570e8291a63162c6c046dc15ff85b0"
}
],
"title": "nbd: restrict sockets to TCP and UDP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40080",
"datePublished": "2025-10-28T11:48:44.796Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-10-28T11:48:44.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53152 (GCVE-0-2023-53152)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix calltrace warning in amddrm_buddy_fini
The following call trace is observed when removing the amdgpu driver, which
is caused by that BOs allocated for psp are not freed until removing.
[61811.450562] RIP: 0010:amddrm_buddy_fini.cold+0x29/0x47 [amddrm_buddy]
[61811.450577] Call Trace:
[61811.450577] <TASK>
[61811.450579] amdgpu_vram_mgr_fini+0x135/0x1c0 [amdgpu]
[61811.450728] amdgpu_ttm_fini+0x207/0x290 [amdgpu]
[61811.450870] amdgpu_bo_fini+0x27/0xa0 [amdgpu]
[61811.451012] gmc_v9_0_sw_fini+0x4a/0x60 [amdgpu]
[61811.451166] amdgpu_device_fini_sw+0x117/0x520 [amdgpu]
[61811.451306] amdgpu_driver_release_kms+0x16/0x30 [amdgpu]
[61811.451447] devm_drm_dev_init_release+0x4d/0x80 [drm]
[61811.451466] devm_action_release+0x15/0x20
[61811.451469] release_nodes+0x40/0xb0
[61811.451471] devres_release_all+0x9b/0xd0
[61811.451473] __device_release_driver+0x1bb/0x2a0
[61811.451476] driver_detach+0xf3/0x140
[61811.451479] bus_remove_driver+0x6c/0xf0
[61811.451481] driver_unregister+0x31/0x60
[61811.451483] pci_unregister_driver+0x40/0x90
[61811.451486] amdgpu_exit+0x15/0x447 [amdgpu]
For smu v13_0_2, if the GPU supports xgmi, refer to
commit f5c7e7797060 ("drm/amdgpu: Adjust removal control flow for smu v13_0_2"),
it will run gpu recover in AMDGPU_RESET_FOR_DEVICE_REMOVE mode when removing,
which makes all devices in hive list have hw reset but no resume except the
basic ip blocks, then other ip blocks will not call .hw_fini according to
ip_block.status.hw.
Since psp_free_shared_bufs just includes some software operations, so move
it to psp_sw_fini.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab6f446c220db0c131f2071846afd835799be0fb",
"status": "affected",
"version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
"versionType": "git"
},
{
"lessThan": "756d674117f5c451f415d1c4046b927052a90c14",
"status": "affected",
"version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
"versionType": "git"
},
{
"lessThan": "01382501509871d0799bab6bd412c228486af5bf",
"status": "affected",
"version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix calltrace warning in amddrm_buddy_fini\n\nThe following call trace is observed when removing the amdgpu driver, which\nis caused by that BOs allocated for psp are not freed until removing.\n\n[61811.450562] RIP: 0010:amddrm_buddy_fini.cold+0x29/0x47 [amddrm_buddy]\n[61811.450577] Call Trace:\n[61811.450577] \u003cTASK\u003e\n[61811.450579] amdgpu_vram_mgr_fini+0x135/0x1c0 [amdgpu]\n[61811.450728] amdgpu_ttm_fini+0x207/0x290 [amdgpu]\n[61811.450870] amdgpu_bo_fini+0x27/0xa0 [amdgpu]\n[61811.451012] gmc_v9_0_sw_fini+0x4a/0x60 [amdgpu]\n[61811.451166] amdgpu_device_fini_sw+0x117/0x520 [amdgpu]\n[61811.451306] amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n[61811.451447] devm_drm_dev_init_release+0x4d/0x80 [drm]\n[61811.451466] devm_action_release+0x15/0x20\n[61811.451469] release_nodes+0x40/0xb0\n[61811.451471] devres_release_all+0x9b/0xd0\n[61811.451473] __device_release_driver+0x1bb/0x2a0\n[61811.451476] driver_detach+0xf3/0x140\n[61811.451479] bus_remove_driver+0x6c/0xf0\n[61811.451481] driver_unregister+0x31/0x60\n[61811.451483] pci_unregister_driver+0x40/0x90\n[61811.451486] amdgpu_exit+0x15/0x447 [amdgpu]\n\nFor smu v13_0_2, if the GPU supports xgmi, refer to\n\ncommit f5c7e7797060 (\"drm/amdgpu: Adjust removal control flow for smu v13_0_2\"),\n\nit will run gpu recover in AMDGPU_RESET_FOR_DEVICE_REMOVE mode when removing,\nwhich makes all devices in hive list have hw reset but no resume except the\nbasic ip blocks, then other ip blocks will not call .hw_fini according to\nip_block.status.hw.\n\nSince psp_free_shared_bufs just includes some software operations, so move\nit to psp_sw_fini."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:19.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab6f446c220db0c131f2071846afd835799be0fb"
},
{
"url": "https://git.kernel.org/stable/c/756d674117f5c451f415d1c4046b927052a90c14"
},
{
"url": "https://git.kernel.org/stable/c/01382501509871d0799bab6bd412c228486af5bf"
}
],
"title": "drm/amdgpu: fix calltrace warning in amddrm_buddy_fini",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53152",
"datePublished": "2025-09-15T14:03:20.482Z",
"dateReserved": "2025-05-02T15:51:43.565Z",
"dateUpdated": "2025-09-16T08:02:19.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53531 (GCVE-0-2023-53531)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: fix poll request timeout handling
When doing io_uring benchmark on /dev/nullb0, it's easy to crash the
kernel if poll requests timeout triggered, as reported by David. [1]
BUG: kernel NULL pointer dereference, address: 0000000000000008
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:null_timeout_rq+0x4e/0x91
Call Trace:
? null_timeout_rq+0x4e/0x91
blk_mq_handle_expired+0x31/0x4b
bt_iter+0x68/0x84
? bt_tags_iter+0x81/0x81
__sbitmap_for_each_set.constprop.0+0xb0/0xf2
? __blk_mq_complete_request_remote+0xf/0xf
bt_for_each+0x46/0x64
? __blk_mq_complete_request_remote+0xf/0xf
? percpu_ref_get_many+0xc/0x2a
blk_mq_queue_tag_busy_iter+0x14d/0x18e
blk_mq_timeout_work+0x95/0x127
process_one_work+0x185/0x263
worker_thread+0x1b5/0x227
This is indeed a race problem between null_timeout_rq() and null_poll().
null_poll() null_timeout_rq()
spin_lock(&nq->poll_lock)
list_splice_init(&nq->poll_list, &list)
spin_unlock(&nq->poll_lock)
while (!list_empty(&list))
req = list_first_entry()
list_del_init()
...
blk_mq_add_to_batch()
// req->rq_next = NULL
spin_lock(&nq->poll_lock)
// rq->queuelist->next == NULL
list_del_init(&rq->queuelist)
spin_unlock(&nq->poll_lock)
Fix these problems by setting requests state to MQ_RQ_COMPLETE under
nq->poll_lock protection, in which null_timeout_rq() can safely detect
this race and early return.
Note this patch just fix the kernel panic when request timeout happen.
[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0b4a0666beacfe8add9c71d8922475541dbae73",
"status": "affected",
"version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b",
"versionType": "git"
},
{
"lessThan": "a7cb2e709f2927cc3c76781df3e45de2381b3b9d",
"status": "affected",
"version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b",
"versionType": "git"
},
{
"lessThan": "5a26e45edb4690d58406178b5a9ea4c6dcf2c105",
"status": "affected",
"version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix poll request timeout handling\n\nWhen doing io_uring benchmark on /dev/nullb0, it\u0027s easy to crash the\nkernel if poll requests timeout triggered, as reported by David. [1]\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:null_timeout_rq+0x4e/0x91\nCall Trace:\n ? null_timeout_rq+0x4e/0x91\n blk_mq_handle_expired+0x31/0x4b\n bt_iter+0x68/0x84\n ? bt_tags_iter+0x81/0x81\n __sbitmap_for_each_set.constprop.0+0xb0/0xf2\n ? __blk_mq_complete_request_remote+0xf/0xf\n bt_for_each+0x46/0x64\n ? __blk_mq_complete_request_remote+0xf/0xf\n ? percpu_ref_get_many+0xc/0x2a\n blk_mq_queue_tag_busy_iter+0x14d/0x18e\n blk_mq_timeout_work+0x95/0x127\n process_one_work+0x185/0x263\n worker_thread+0x1b5/0x227\n\nThis is indeed a race problem between null_timeout_rq() and null_poll().\n\nnull_poll()\t\t\t\tnull_timeout_rq()\n spin_lock(\u0026nq-\u003epoll_lock)\n list_splice_init(\u0026nq-\u003epoll_list, \u0026list)\n spin_unlock(\u0026nq-\u003epoll_lock)\n\n while (!list_empty(\u0026list))\n req = list_first_entry()\n list_del_init()\n ...\n blk_mq_add_to_batch()\n // req-\u003erq_next = NULL\n\t\t\t\t\tspin_lock(\u0026nq-\u003epoll_lock)\n\n\t\t\t\t\t// rq-\u003equeuelist-\u003enext == NULL\n\t\t\t\t\tlist_del_init(\u0026rq-\u003equeuelist)\n\n\t\t\t\t\tspin_unlock(\u0026nq-\u003epoll_lock)\n\nFix these problems by setting requests state to MQ_RQ_COMPLETE under\nnq-\u003epoll_lock protection, in which null_timeout_rq() can safely detect\nthis race and early return.\n\nNote this patch just fix the kernel panic when request timeout happen.\n\n[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:15.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0b4a0666beacfe8add9c71d8922475541dbae73"
},
{
"url": "https://git.kernel.org/stable/c/a7cb2e709f2927cc3c76781df3e45de2381b3b9d"
},
{
"url": "https://git.kernel.org/stable/c/5a26e45edb4690d58406178b5a9ea4c6dcf2c105"
}
],
"title": "null_blk: fix poll request timeout handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53531",
"datePublished": "2025-10-01T11:46:15.949Z",
"dateReserved": "2025-10-01T11:39:39.408Z",
"dateUpdated": "2025-10-01T11:46:15.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50301 (GCVE-0-2024-50301)
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2025-11-03 22:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
security/keys: fix slab-out-of-bounds in key_task_permission
KASAN reports an out of bounds read:
BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
__kuid_val include/linux/uidgid.h:36 [inline]
uid_eq include/linux/uidgid.h:63 [inline]
key_task_permission+0x394/0x410 security/keys/permission.c:54
search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
This issue was also reported by syzbot.
It can be reproduced by following these steps(more details [1]):
1. Obtain more than 32 inputs that have similar hashes, which ends with the
pattern '0xxxxxxxe6'.
2. Reboot and add the keys obtained in step 1.
The reproducer demonstrates how this issue happened:
1. In the search_nested_keyrings function, when it iterates through the
slots in a node(below tag ascend_to_node), if the slot pointer is meta
and node->back_pointer != NULL(it means a root), it will proceed to
descend_to_node. However, there is an exception. If node is the root,
and one of the slots points to a shortcut, it will be treated as a
keyring.
2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
ASSOC_ARRAY_PTR_SUBTYPE_MASK.
3. When 32 keys with the similar hashes are added to the tree, the ROOT
has keys with hashes that are not similar (e.g. slot 0) and it splits
NODE A without using a shortcut. When NODE A is filled with keys that
all hashes are xxe6, the keys are similar, NODE A will split with a
shortcut. Finally, it forms the tree as shown below, where slot 6 points
to a shortcut.
NODE A
+------>+---+
ROOT | | 0 | xxe6
+---+ | +---+
xxxx | 0 | shortcut : : xxe6
+---+ | +---+
xxe6 : : | | | xxe6
+---+ | +---+
| 6 |---+ : : xxe6
+---+ +---+
xxe6 : : | f | xxe6
+---+ +---+
xxe6 | f |
+---+
4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
it may be mistakenly transferred to a key*, leading to a read
out-of-bounds read.
To fix this issue, one should jump to descend_to_node if the ptr is a
shortcut, regardless of whether the node is root or not.
[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
[jarkko: tweaked the commit message a bit to have an appropriate closes
tag.]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:13:51.070925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:19.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:18.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/keyring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3ce634ad953ce48c75c39bdfd8b711dd95f346f",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "4efb69a0e294ef201bcdf7ce3d6202cd0a545a5d",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "1e4332581cd4eed75aea77af6f66cdcdda8b49b9",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "199c20fb7499c79557a075dc24e9a7dae7d9f1ce",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "bbad2d5b6c99db468d8f88b6ba6a56ed409b4881",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "3e79ad156bedf2da0ab909a118d2cec6c9c22b79",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "e0a317ad68e4ea48a0158187238c5407e4fdec8b",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
},
{
"lessThan": "4a74da044ec9ec8679e6beccc4306b936b62873f",
"status": "affected",
"version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/keyring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsecurity/keys: fix slab-out-of-bounds in key_task_permission\n\nKASAN reports an out of bounds read:\nBUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36\nBUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]\nBUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410\nsecurity/keys/permission.c:54\nRead of size 4 at addr ffff88813c3ab618 by task stress-ng/4362\n\nCPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0x107/0x167 lib/dump_stack.c:123\n print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n __kuid_val include/linux/uidgid.h:36 [inline]\n uid_eq include/linux/uidgid.h:63 [inline]\n key_task_permission+0x394/0x410 security/keys/permission.c:54\n search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793\n\nThis issue was also reported by syzbot.\n\nIt can be reproduced by following these steps(more details [1]):\n1. Obtain more than 32 inputs that have similar hashes, which ends with the\n pattern \u00270xxxxxxxe6\u0027.\n2. Reboot and add the keys obtained in step 1.\n\nThe reproducer demonstrates how this issue happened:\n1. In the search_nested_keyrings function, when it iterates through the\n slots in a node(below tag ascend_to_node), if the slot pointer is meta\n and node-\u003eback_pointer != NULL(it means a root), it will proceed to\n descend_to_node. However, there is an exception. If node is the root,\n and one of the slots points to a shortcut, it will be treated as a\n keyring.\n2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.\n However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as\n ASSOC_ARRAY_PTR_SUBTYPE_MASK.\n3. When 32 keys with the similar hashes are added to the tree, the ROOT\n has keys with hashes that are not similar (e.g. slot 0) and it splits\n NODE A without using a shortcut. When NODE A is filled with keys that\n all hashes are xxe6, the keys are similar, NODE A will split with a\n shortcut. Finally, it forms the tree as shown below, where slot 6 points\n to a shortcut.\n\n NODE A\n +------\u003e+---+\n ROOT | | 0 | xxe6\n +---+ | +---+\n xxxx | 0 | shortcut : : xxe6\n +---+ | +---+\n xxe6 : : | | | xxe6\n +---+ | +---+\n | 6 |---+ : : xxe6\n +---+ +---+\n xxe6 : : | f | xxe6\n +---+ +---+\n xxe6 | f |\n +---+\n\n4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,\n it may be mistakenly transferred to a key*, leading to a read\n out-of-bounds read.\n\nTo fix this issue, one should jump to descend_to_node if the ptr is a\nshortcut, regardless of whether the node is root or not.\n\n[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/\n\n[jarkko: tweaked the commit message a bit to have an appropriate closes\n tag.]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:51:13.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3ce634ad953ce48c75c39bdfd8b711dd95f346f"
},
{
"url": "https://git.kernel.org/stable/c/4efb69a0e294ef201bcdf7ce3d6202cd0a545a5d"
},
{
"url": "https://git.kernel.org/stable/c/1e4332581cd4eed75aea77af6f66cdcdda8b49b9"
},
{
"url": "https://git.kernel.org/stable/c/199c20fb7499c79557a075dc24e9a7dae7d9f1ce"
},
{
"url": "https://git.kernel.org/stable/c/bbad2d5b6c99db468d8f88b6ba6a56ed409b4881"
},
{
"url": "https://git.kernel.org/stable/c/3e79ad156bedf2da0ab909a118d2cec6c9c22b79"
},
{
"url": "https://git.kernel.org/stable/c/e0a317ad68e4ea48a0158187238c5407e4fdec8b"
},
{
"url": "https://git.kernel.org/stable/c/4a74da044ec9ec8679e6beccc4306b936b62873f"
}
],
"title": "security/keys: fix slab-out-of-bounds in key_task_permission",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50301",
"datePublished": "2024-11-19T01:30:49.982Z",
"dateReserved": "2024-10-21T19:36:19.987Z",
"dateUpdated": "2025-11-03T22:28:18.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39967 (GCVE-0-2025-39967)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: fix integer overflow in fbcon_do_set_font
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.
The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96e41fc29e8af5c5085fb8a79cab8d0d00bab86c Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: ae021a904ac82d9fc81c25329d3c465c5a7d5686 Version: 451bffa366f2cc0e5314807cb847f31c0226efed Version: 2c455e9c5865861f5ce09c5f596909495ed7657c Version: 72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e Version: 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994bdc2d23c79087fbf7dcd9544454e8ebcef877",
"status": "affected",
"version": "96e41fc29e8af5c5085fb8a79cab8d0d00bab86c",
"versionType": "git"
},
{
"lessThan": "9c8ec14075c5317edd6b242f1be8167aa1e4e333",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "b8a6e85328aeb9881531dbe89bcd2637a06c3c95",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "a6eb9f423b3db000aaedf83367b8539f6b72dcfc",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "adac90bb1aaf45ca66f9db8ac100be16750ace78",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "4a4bac869560f943edbe3c2b032062f6673b13d3",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"status": "affected",
"version": "ae021a904ac82d9fc81c25329d3c465c5a7d5686",
"versionType": "git"
},
{
"status": "affected",
"version": "451bffa366f2cc0e5314807cb847f31c0226efed",
"versionType": "git"
},
{
"status": "affected",
"version": "2c455e9c5865861f5ce09c5f596909495ed7657c",
"versionType": "git"
},
{
"status": "affected",
"version": "72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e",
"versionType": "git"
},
{
"status": "affected",
"version": "34cf1aff169dc6dedad8d79da7bf1b4de2773dbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount\n multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safety validate all size\ncalculations before allocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:51.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"
},
{
"url": "https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333"
},
{
"url": "https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"
},
{
"url": "https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"
},
{
"url": "https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"
},
{
"url": "https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"
},
{
"url": "https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"
},
{
"url": "https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"
}
],
"title": "fbcon: fix integer overflow in fbcon_do_set_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39967",
"datePublished": "2025-10-15T07:55:51.554Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:51.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53165 (GCVE-0-2023-53165)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix uninitialized array access for some pathnames
For filenames that begin with . and are between 2 and 5 characters long,
UDF charset conversion code would read uninitialized memory in the
output buffer. The only practical impact is that the name may be prepended a
"unification hash" when it is not actually needed but still it is good
to fix this.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb Version: 484a10f49387e4386bf2708532e75bf78ffea2cb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "008ae78d1e12efa904dc819b1ec83e2bca6b2c56",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "b37f998d357102e8eb0f8eeb33f03fff22e49cbf",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "4503f6fc95d6dee85fb2c54785848799e192c51c",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "985f9666698960dfc87a106d6314203fa90fda75",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "a6824149809395dfbb5bc36bc7057cc3cb84e56d",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "4d50988da0db167aed6f38685145cb5cd526c4f8",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
},
{
"lessThan": "028f6055c912588e6f72722d89c30b401bbcf013",
"status": "affected",
"version": "484a10f49387e4386bf2708532e75bf78ffea2cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix uninitialized array access for some pathnames\n\nFor filenames that begin with . and are between 2 and 5 characters long,\nUDF charset conversion code would read uninitialized memory in the\noutput buffer. The only practical impact is that the name may be prepended a\n\"unification hash\" when it is not actually needed but still it is good\nto fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:22.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/008ae78d1e12efa904dc819b1ec83e2bca6b2c56"
},
{
"url": "https://git.kernel.org/stable/c/b37f998d357102e8eb0f8eeb33f03fff22e49cbf"
},
{
"url": "https://git.kernel.org/stable/c/3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d"
},
{
"url": "https://git.kernel.org/stable/c/4503f6fc95d6dee85fb2c54785848799e192c51c"
},
{
"url": "https://git.kernel.org/stable/c/985f9666698960dfc87a106d6314203fa90fda75"
},
{
"url": "https://git.kernel.org/stable/c/a6824149809395dfbb5bc36bc7057cc3cb84e56d"
},
{
"url": "https://git.kernel.org/stable/c/4d50988da0db167aed6f38685145cb5cd526c4f8"
},
{
"url": "https://git.kernel.org/stable/c/028f6055c912588e6f72722d89c30b401bbcf013"
}
],
"title": "udf: Fix uninitialized array access for some pathnames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53165",
"datePublished": "2025-09-15T14:03:53.987Z",
"dateReserved": "2025-09-15T13:59:19.063Z",
"dateUpdated": "2025-10-29T10:50:22.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53385 (GCVE-0-2023-53385)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-29 10:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mdp3: Fix resource leaks in of_find_device_by_node
Use put_device to release the object get through of_find_device_by_node,
avoiding resource leaks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ba9d91c8f21f070af2049f114c206a8f2d5c71e",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
},
{
"lessThan": "fa481125bc4ca8edc1a4c62fe53486ac9a817593",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
},
{
"lessThan": "35ca8ce495366909b4c2e701d1356570dd40c4e2",
"status": "affected",
"version": "61890ccaefaff89f5babd2c8412fd222c3f5fe38",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mdp3: Fix resource leaks in of_find_device_by_node\n\nUse put_device to release the object get through of_find_device_by_node,\navoiding resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T10:47:37.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ba9d91c8f21f070af2049f114c206a8f2d5c71e"
},
{
"url": "https://git.kernel.org/stable/c/fa481125bc4ca8edc1a4c62fe53486ac9a817593"
},
{
"url": "https://git.kernel.org/stable/c/35ca8ce495366909b4c2e701d1356570dd40c4e2"
}
],
"title": "media: mdp3: Fix resource leaks in of_find_device_by_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53385",
"datePublished": "2025-09-18T13:33:29.175Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2025-09-29T10:47:37.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50537 (GCVE-0-2022-50537)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will
not be freed through rpi_firmware_delete(), fix this leak by calling
kfree() in the error path.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d537afa08e156a0a72562e625506825c2776fcfa Version: 60831f5ae6c713afceb6d29f40899ed112f36059 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 Version: 1e7c57355a3bc617fc220234889e49fe722a6305 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49",
"status": "affected",
"version": "d537afa08e156a0a72562e625506825c2776fcfa",
"versionType": "git"
},
{
"lessThan": "d34742245e4366579f9a80f8cfe4a63248e838e0",
"status": "affected",
"version": "60831f5ae6c713afceb6d29f40899ed112f36059",
"versionType": "git"
},
{
"lessThan": "b308fdedef095aac14569f810d46edf773ea7d1e",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "71d2abab374f707ab8ac8dcef191fd2b3b67b8bd",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
},
{
"lessThan": "7b51161696e803fd5f9ad55b20a64c2df313f95c",
"status": "affected",
"version": "1e7c57355a3bc617fc220234889e49fe722a6305",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/raspberrypi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()\n\nIn rpi_firmware_probe(), if mbox_request_channel() fails, the \u0027fw\u0027 will\nnot be freed through rpi_firmware_delete(), fix this leak by calling\nkfree() in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:03.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49"
},
{
"url": "https://git.kernel.org/stable/c/d34742245e4366579f9a80f8cfe4a63248e838e0"
},
{
"url": "https://git.kernel.org/stable/c/b308fdedef095aac14569f810d46edf773ea7d1e"
},
{
"url": "https://git.kernel.org/stable/c/6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34"
},
{
"url": "https://git.kernel.org/stable/c/71d2abab374f707ab8ac8dcef191fd2b3b67b8bd"
},
{
"url": "https://git.kernel.org/stable/c/7b51161696e803fd5f9ad55b20a64c2df313f95c"
}
],
"title": "firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50537",
"datePublished": "2025-10-07T15:21:03.749Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:03.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53662 (GCVE-0-2023-53662)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
If the filename casefolding fails, we'll be leaking memory from the
fscrypt_name struct, namely from the 'crypto_buf.name' member.
Make sure we free it in the error path on both ext4_fname_setup_filename()
and ext4_fname_prepare_lookup() functions.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "36daf050be3f6f067631dc52054de2d3b7cc849f",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "7ca4b085f430f3774c3838b3da569ceccd6a0177",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}\n\nIf the filename casefolding fails, we\u0027ll be leaking memory from the\nfscrypt_name struct, namely from the \u0027crypto_buf.name\u0027 member.\n\nMake sure we free it in the error path on both ext4_fname_setup_filename()\nand ext4_fname_prepare_lookup() functions."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:21.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c"
},
{
"url": "https://git.kernel.org/stable/c/36daf050be3f6f067631dc52054de2d3b7cc849f"
},
{
"url": "https://git.kernel.org/stable/c/7ca4b085f430f3774c3838b3da569ceccd6a0177"
}
],
"title": "ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53662",
"datePublished": "2025-10-07T15:21:21.703Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:21.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53625 (GCVE-0-2023-53625)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gvt: fix vgpu debugfs clean in remove
Check carefully on root debugfs available when destroying vgpu,
e.g in remove case drm minor's debugfs root might already be destroyed,
which led to kernel oops like below.
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
intel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14
BUG: kernel NULL pointer dereference, address: 0000000000000150
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6
Hardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022
RIP: 0010:__lock_acquire+0x5e2/0x1f90
Code: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff <48> 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0
RSP: 0018:ffff9f770274f948 EFLAGS: 00010046
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0xbf/0x2b0
? simple_recursive_removal+0xa5/0x2b0
? lock_release+0x13d/0x2d0
down_write+0x2a/0xd0
? simple_recursive_removal+0xa5/0x2b0
simple_recursive_removal+0xa5/0x2b0
? start_creating.part.0+0x110/0x110
? _raw_spin_unlock+0x29/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]
intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]
intel_vgpu_release_dev+0xe/0x20 [kvmgt]
device_release+0x30/0x80
kobject_put+0x79/0x1b0
device_release_driver_internal+0x1b8/0x230
bus_remove_device+0xec/0x160
device_del+0x189/0x400
? up_write+0x9c/0x1b0
? mdev_device_remove_common+0x60/0x60 [mdev]
mdev_device_remove_common+0x22/0x60 [mdev]
mdev_device_remove_cb+0x17/0x20 [mdev]
device_for_each_child+0x56/0x80
mdev_unregister_parent+0x5a/0x81 [mdev]
intel_gvt_clean_device+0x2d/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2e/0xb0 [i915]
i915_driver_remove+0xac/0x100 [i915]
i915_pci_remove+0x1a/0x30 [i915]
pci_device_remove+0x31/0xa0
device_release_driver_internal+0x1b8/0x230
unbind_store+0xd8/0x100
kernfs_fop_write_iter+0x156/0x210
vfs_write+0x236/0x4a0
ksys_write+0x61/0xd0
do_syscall_64+0x55/0x80
? find_held_lock+0x2b/0x80
? lock_release+0x13d/0x2d0
? up_read+0x17/0x20
? lock_is_held_type+0xe3/0x140
? asm_exc_page_fault+0x22/0x30
? lockdep_hardirqs_on+0x7d/0x100
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fc9b2c9e0c4
Code: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48
RSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4
RDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001
RBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30
R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d
R13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00
</TASK>
Modules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af90f8b36d78544433a48a3eda6a5faeafacd0a1",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "f5a9bbf962e2c4b1d9addbfaf16d7ffcc2f63bde",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "ffa83fba2a2ce8010eb106c779378cb3013362c7",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "44c0e07e3972e3f2609d69ad873d4f342f8a68ec",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "704f3384f322b40ba24d958473edfb1c9750c8fd",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix vgpu debugfs clean in remove\n\nCheck carefully on root debugfs available when destroying vgpu,\ne.g in remove case drm minor\u0027s debugfs root might already be destroyed,\nwhich led to kernel oops like below.\n\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nintel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14\nBUG: kernel NULL pointer dereference, address: 0000000000000150\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6\nHardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022\nRIP: 0010:__lock_acquire+0x5e2/0x1f90\nCode: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff \u003c48\u003e 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0\nRSP: 0018:ffff9f770274f948 EFLAGS: 00010046\nRAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000\nR13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0xbf/0x2b0\n ? simple_recursive_removal+0xa5/0x2b0\n ? lock_release+0x13d/0x2d0\n down_write+0x2a/0xd0\n ? simple_recursive_removal+0xa5/0x2b0\n simple_recursive_removal+0xa5/0x2b0\n ? start_creating.part.0+0x110/0x110\n ? _raw_spin_unlock+0x29/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]\n intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]\n intel_vgpu_release_dev+0xe/0x20 [kvmgt]\n device_release+0x30/0x80\n kobject_put+0x79/0x1b0\n device_release_driver_internal+0x1b8/0x230\n bus_remove_device+0xec/0x160\n device_del+0x189/0x400\n ? up_write+0x9c/0x1b0\n ? mdev_device_remove_common+0x60/0x60 [mdev]\n mdev_device_remove_common+0x22/0x60 [mdev]\n mdev_device_remove_cb+0x17/0x20 [mdev]\n device_for_each_child+0x56/0x80\n mdev_unregister_parent+0x5a/0x81 [mdev]\n intel_gvt_clean_device+0x2d/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2e/0xb0 [i915]\n i915_driver_remove+0xac/0x100 [i915]\n i915_pci_remove+0x1a/0x30 [i915]\n pci_device_remove+0x31/0xa0\n device_release_driver_internal+0x1b8/0x230\n unbind_store+0xd8/0x100\n kernfs_fop_write_iter+0x156/0x210\n vfs_write+0x236/0x4a0\n ksys_write+0x61/0xd0\n do_syscall_64+0x55/0x80\n ? find_held_lock+0x2b/0x80\n ? lock_release+0x13d/0x2d0\n ? up_read+0x17/0x20\n ? lock_is_held_type+0xe3/0x140\n ? asm_exc_page_fault+0x22/0x30\n ? lockdep_hardirqs_on+0x7d/0x100\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fc9b2c9e0c4\nCode: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48\nRSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4\nRDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001\nRBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30\nR10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d\nR13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00\n \u003c/TASK\u003e\nModules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:30.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af90f8b36d78544433a48a3eda6a5faeafacd0a1"
},
{
"url": "https://git.kernel.org/stable/c/f5a9bbf962e2c4b1d9addbfaf16d7ffcc2f63bde"
},
{
"url": "https://git.kernel.org/stable/c/ffa83fba2a2ce8010eb106c779378cb3013362c7"
},
{
"url": "https://git.kernel.org/stable/c/44c0e07e3972e3f2609d69ad873d4f342f8a68ec"
},
{
"url": "https://git.kernel.org/stable/c/704f3384f322b40ba24d958473edfb1c9750c8fd"
}
],
"title": "drm/i915/gvt: fix vgpu debugfs clean in remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53625",
"datePublished": "2025-10-07T15:19:30.213Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:30.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53493 (GCVE-0-2023-53493)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: tighten bounds checking in decode_message()
Copy the bounds checking from encode_message() to decode_message().
This patch addresses the following concerns. Ensure that there is
enough space for at least one header so that we don't have a negative
size later.
if (msg_hdr_len < sizeof(*trans_hdr))
Ensure that we have enough space to read the next header from the
msg->data.
if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
return -EINVAL;
Check that the trans_hdr->len is not below the minimum size:
if (hdr_len < sizeof(*trans_hdr))
This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.
memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));
And finally, use size_add() to prevent an integer overflow:
if (size_add(msg_len, hdr_len) > msg_hdr_len)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "51b56382ed2a2b03347372272362b3baa623ed1e",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: tighten bounds checking in decode_message()\n\nCopy the bounds checking from encode_message() to decode_message().\n\nThis patch addresses the following concerns. Ensure that there is\nenough space for at least one header so that we don\u0027t have a negative\nsize later.\n\n\tif (msg_hdr_len \u003c sizeof(*trans_hdr))\n\nEnsure that we have enough space to read the next header from the\nmsg-\u003edata.\n\n\tif (msg_len \u003e msg_hdr_len - sizeof(*trans_hdr))\n\t\treturn -EINVAL;\n\nCheck that the trans_hdr-\u003elen is not below the minimum size:\n\n\tif (hdr_len \u003c sizeof(*trans_hdr))\n\nThis minimum check ensures that we don\u0027t corrupt memory in\ndecode_passthrough() when we do.\n\n\tmemcpy(out_trans-\u003edata, in_trans-\u003edata, len - sizeof(in_trans-\u003ehdr));\n\nAnd finally, use size_add() to prevent an integer overflow:\n\n\tif (size_add(msg_len, hdr_len) \u003e msg_hdr_len)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:44.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd"
},
{
"url": "https://git.kernel.org/stable/c/51b56382ed2a2b03347372272362b3baa623ed1e"
}
],
"title": "accel/qaic: tighten bounds checking in decode_message()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53493",
"datePublished": "2025-10-01T11:45:44.939Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:44.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53438 (GCVE-0-2023-53438)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/MCE: Always save CS register on AMD Zen IF Poison errors
The Instruction Fetch (IF) units on current AMD Zen-based systems do not
guarantee a synchronous #MC is delivered for poison consumption errors.
Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the
microarchitecture does guarantee that the exception is delivered within
the same context. In other words, the exact rIP is not known, but the
context is known to not have changed.
There is no architecturally-defined method to determine this behavior.
The Code Segment (CS) register is always valid on such IF unit poison
errors regardless of the value of MCG_STATUS[EIPV|RIPV].
Add a quirk to save the CS register for poison consumption from the IF
unit banks.
This is needed to properly determine the context of the error.
Otherwise, the severity grading function will assume the context is
IN_KERNEL due to the m->cs value being 0 (the initialized value). This
leads to unnecessary kernel panics on data poison errors due to the
kernel believing the poison consumption occurred in kernel context.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/core.c",
"arch/x86/kernel/cpu/mce/internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6e6a5f50f58fadec397b23064b7e4830292863d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6eac3965901489ae114a664a78cd2d1415d1af5c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e01bdf7203c383e9d8489d9f963c52d6c81e4db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/core.c",
"arch/x86/kernel/cpu/mce/internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE: Always save CS register on AMD Zen IF Poison errors\n\nThe Instruction Fetch (IF) units on current AMD Zen-based systems do not\nguarantee a synchronous #MC is delivered for poison consumption errors.\nTherefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the\nmicroarchitecture does guarantee that the exception is delivered within\nthe same context. In other words, the exact rIP is not known, but the\ncontext is known to not have changed.\n\nThere is no architecturally-defined method to determine this behavior.\n\nThe Code Segment (CS) register is always valid on such IF unit poison\nerrors regardless of the value of MCG_STATUS[EIPV|RIPV].\n\nAdd a quirk to save the CS register for poison consumption from the IF\nunit banks.\n\nThis is needed to properly determine the context of the error.\nOtherwise, the severity grading function will assume the context is\nIN_KERNEL due to the m-\u003ecs value being 0 (the initialized value). This\nleads to unnecessary kernel panics on data poison errors due to the\nkernel believing the poison consumption occurred in kernel context."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:16.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6e6a5f50f58fadec397b23064b7e4830292863d"
},
{
"url": "https://git.kernel.org/stable/c/6eac3965901489ae114a664a78cd2d1415d1af5c"
},
{
"url": "https://git.kernel.org/stable/c/2e01bdf7203c383e9d8489d9f963c52d6c81e4db"
},
{
"url": "https://git.kernel.org/stable/c/4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67"
}
],
"title": "x86/MCE: Always save CS register on AMD Zen IF Poison errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53438",
"datePublished": "2025-09-18T16:04:16.501Z",
"dateReserved": "2025-09-17T14:54:09.751Z",
"dateUpdated": "2025-09-18T16:04:16.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53616 (GCVE-0-2023-53616)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
syzbot found an invalid-free in diUnmount:
BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632
CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3674
diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1428
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1186
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x664/0x2070 kernel/exit.c:820
do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
__do_sys_exit_group kernel/exit.c:961 [inline]
__se_sys_exit_group kernel/exit.c:959 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.
If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_imap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114ea3cb13ab25f7178cb60283adb93d2f96dad7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5873df0195124be2f357de11bfd473ead4f90ed8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "756747d4b439e3e1159282ae89f17eefebbe9b25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef7311101ca43dd73b45bca7a30ac72d9535ff87",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4de3a603010e0ca334487de24c6aab0777b7f808",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88484bde6f12126616b38e43b6c00edcd941f615",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e2bda2c192d0244b5a78b787ef20aa10cb319b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_imap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix invalid free of JFS_IP(ipimap)-\u003ei_imap in diUnmount\n\nsyzbot found an invalid-free in diUnmount:\n\nBUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674\nFree of addr ffff88806f410000 by task syz-executor131/3632\n\n CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460\n ____kasan_slab_free+0xfb/0x120\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1724 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750\n slab_free mm/slub.c:3661 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3674\n diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195\n jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63\n jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n generic_shutdown_super+0x130/0x310 fs/super.c:492\n kill_block_super+0x79/0xd0 fs/super.c:1428\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n cleanup_mnt+0x494/0x520 fs/namespace.c:1186\n task_work_run+0x243/0x300 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x664/0x2070 kernel/exit.c:820\n do_group_exit+0x1fd/0x2b0 kernel/exit.c:950\n __do_sys_exit_group kernel/exit.c:961 [inline]\n __se_sys_exit_group kernel/exit.c:959 [inline]\n __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_IP(ipimap)-\u003ei_imap is not setting to NULL after free in diUnmount.\nIf jfs_remount() free JFS_IP(ipimap)-\u003ei_imap but then failed at diMount().\nJFS_IP(ipimap)-\u003ei_imap will be freed once again.\nFix this problem by setting JFS_IP(ipimap)-\u003ei_imap to NULL after free."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:23.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469"
},
{
"url": "https://git.kernel.org/stable/c/114ea3cb13ab25f7178cb60283adb93d2f96dad7"
},
{
"url": "https://git.kernel.org/stable/c/5873df0195124be2f357de11bfd473ead4f90ed8"
},
{
"url": "https://git.kernel.org/stable/c/756747d4b439e3e1159282ae89f17eefebbe9b25"
},
{
"url": "https://git.kernel.org/stable/c/ef7311101ca43dd73b45bca7a30ac72d9535ff87"
},
{
"url": "https://git.kernel.org/stable/c/4de3a603010e0ca334487de24c6aab0777b7f808"
},
{
"url": "https://git.kernel.org/stable/c/88484bde6f12126616b38e43b6c00edcd941f615"
},
{
"url": "https://git.kernel.org/stable/c/6e2bda2c192d0244b5a78b787ef20aa10cb319b7"
}
],
"title": "jfs: fix invalid free of JFS_IP(ipimap)-\u003ei_imap in diUnmount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53616",
"datePublished": "2025-10-04T15:44:23.056Z",
"dateReserved": "2025-10-04T15:40:38.481Z",
"dateUpdated": "2025-10-04T15:44:23.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53571 (GCVE-0-2023-53571)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Make intel_get_crtc_new_encoder() less oopsy
The point of the WARN was to print something, not oops
straight up. Currently that is precisely what happens
if we can't find the connector for the crtc in the atomic
state. Get the dev pointer from the atomic state instead
of the potentially NULL encoder to avoid that.
(cherry picked from commit 3b6692357f70498f617ea1b31a0378070a0acf1c)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 Version: 3a47ae201e074945bbde0b088e4c1215c07f4d75 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "780f303233c35eeb5132e3ee1cbc8f4cebe86dd2",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
},
{
"lessThan": "54202488c835dab8c648acd107f0bb8eaa699894",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
},
{
"lessThan": "0fe6ef82e4f4764e8f556632e4cd93d78d448e99",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
},
{
"lessThan": "8cd725315c559a8a4d18ac1d7fce1d6b9a667529",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
},
{
"lessThan": "fd8b0abecdf66379e9d25d7448b942b5be379cb2",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
},
{
"lessThan": "631420b06597a33c72b6dcef78d1c2dea17f452d",
"status": "affected",
"version": "3a47ae201e074945bbde0b088e4c1215c07f4d75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Make intel_get_crtc_new_encoder() less oopsy\n\nThe point of the WARN was to print something, not oops\nstraight up. Currently that is precisely what happens\nif we can\u0027t find the connector for the crtc in the atomic\nstate. Get the dev pointer from the atomic state instead\nof the potentially NULL encoder to avoid that.\n\n(cherry picked from commit 3b6692357f70498f617ea1b31a0378070a0acf1c)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:12.304Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/780f303233c35eeb5132e3ee1cbc8f4cebe86dd2"
},
{
"url": "https://git.kernel.org/stable/c/54202488c835dab8c648acd107f0bb8eaa699894"
},
{
"url": "https://git.kernel.org/stable/c/0fe6ef82e4f4764e8f556632e4cd93d78d448e99"
},
{
"url": "https://git.kernel.org/stable/c/8cd725315c559a8a4d18ac1d7fce1d6b9a667529"
},
{
"url": "https://git.kernel.org/stable/c/fd8b0abecdf66379e9d25d7448b942b5be379cb2"
},
{
"url": "https://git.kernel.org/stable/c/631420b06597a33c72b6dcef78d1c2dea17f452d"
}
],
"title": "drm/i915: Make intel_get_crtc_new_encoder() less oopsy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53571",
"datePublished": "2025-10-04T15:17:12.304Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-04T15:17:12.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50488 (GCVE-0-2022-50488)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible uaf for 'bfqq->bic'
Our test report a uaf for 'bfqq->bic' in 5.10:
==================================================================
BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30
CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014
Call Trace:
bfq_select_queue+0x378/0xa30
bfq_dispatch_request+0xe8/0x130
blk_mq_do_dispatch_sched+0x62/0xb0
__blk_mq_sched_dispatch_requests+0x215/0x2a0
blk_mq_sched_dispatch_requests+0x8f/0xd0
__blk_mq_run_hw_queue+0x98/0x180
__blk_mq_delay_run_hw_queue+0x22b/0x240
blk_mq_run_hw_queue+0xe3/0x190
blk_mq_sched_insert_requests+0x107/0x200
blk_mq_flush_plug_list+0x26e/0x3c0
blk_finish_plug+0x63/0x90
__iomap_dio_rw+0x7b5/0x910
iomap_dio_rw+0x36/0x80
ext4_dio_read_iter+0x146/0x190 [ext4]
ext4_file_read_iter+0x1e2/0x230 [ext4]
new_sync_read+0x29f/0x400
vfs_read+0x24e/0x2d0
ksys_read+0xd5/0x1b0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x61/0xc6
Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
changes that move process to a new cgroup will allocate a new bfqq to
use, however, the old bfqq and new bfqq can point to the same bic:
1) Initial state, two process with io in the same cgroup.
Process 1 Process 2
(BIC1) (BIC2)
| Λ | Λ
| | | |
V | V |
bfqq1 bfqq2
2) bfqq1 is merged to bfqq2.
Process 1 Process 2
(BIC1) (BIC2)
| |
\-------------\|
V
bfqq1 bfqq2(coop)
3) Process 1 exit, then issue new io(denoce IOA) from Process 2.
(BIC2)
| Λ
| |
V |
bfqq2(coop)
4) Before IOA is completed, move Process 2 to another cgroup and issue io.
Process 2
(BIC2)
Λ
|\--------------\
| V
bfqq2 bfqq3
Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.
If all the requests are completed, and Process 2 exit, BIC2 will be
freed while there is no guarantee that bfqq2 will be freed before BIC2.
Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4dfc12f8c94c8052e975060f595938f75e8b7165 Version: 81b7d0c717a487ec50e2924a773ff501ee40f0d5 Version: 3bc5e683c67d94bd839a1da2e796c15847b51b69 Version: 3bc5e683c67d94bd839a1da2e796c15847b51b69 Version: 3bc5e683c67d94bd839a1da2e796c15847b51b69 Version: 31326bf551269fb9bafa84ca99172b8340e5d8f8 Version: 43c51b86dbe551cff5d39b88aa2f41d29479f9c4 Version: 8615f6c0c9e7cf0ca90b6b5408784d797cbe5621 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"status": "affected",
"version": "4dfc12f8c94c8052e975060f595938f75e8b7165",
"versionType": "git"
},
{
"lessThan": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"status": "affected",
"version": "81b7d0c717a487ec50e2924a773ff501ee40f0d5",
"versionType": "git"
},
{
"lessThan": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"lessThan": "761564d93c8265f65543acf0a576b32d66bfa26a",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"lessThan": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"status": "affected",
"version": "31326bf551269fb9bafa84ca99172b8340e5d8f8",
"versionType": "git"
},
{
"status": "affected",
"version": "43c51b86dbe551cff5d39b88aa2f41d29479f9c4",
"versionType": "git"
},
{
"status": "affected",
"version": "8615f6c0c9e7cf0ca90b6b5408784d797cbe5621",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.175",
"versionStartIncluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\n\nOur test report a uaf for \u0027bfqq-\u003ebic\u0027 in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | \u039b | \u039b\n | | | |\n V | V |\n bfqq1 bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | |\n \\-------------\\|\n V\n bfqq1 bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n | \u039b\n | |\n V |\n bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n \u039b\n |\\--------------\\\n | V\n bfqq2 bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq-\u003ebic while bfqq is detached from bic."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:42.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"
},
{
"url": "https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"
},
{
"url": "https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"
},
{
"url": "https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"
},
{
"url": "https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"
}
],
"title": "block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50488",
"datePublished": "2025-10-04T15:43:42.352Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-04T15:43:42.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49080 (GCVE-0-2022-49080)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mempolicy: fix mpol_new leak in shared_policy_replace
If mpol_new is allocated but not used in restart loop, mpol_new will be
freed via mpol_put before returning to the caller. But refcnt is not
initialized yet, so mpol_put could not do the right things and might
leak the unused mpol_new. This would happen if mempolicy was updated on
the shared shmem file while the sp->lock has been dropped during the
memory allocation.
This issue could be triggered easily with the below code snippet if
there are many processes doing the below work at the same time:
shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);
shm = shmat(shmid, 0, 0);
loop many times {
mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);
mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,
maxnode, 0);
}
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mempolicy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8510c2346d9e47a72b7f018a36ef0c39483e53d6",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "5e16dc5378abd749a836daa9ee4ab2c8d2668999",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "39a32f3c06f6d68a530bf9612afa19f50f12e93d",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "f7e183b0a7136b6dc9c7b9b2a85a608a8feba894",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "198932a14aeb19a15cf19e51e151d023bc4cd648",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "6e00309ac716fa8225f0cbde2cd9c24f0e74ee21",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "fe39ac59dbbf893b73b24e3184161d0bd06d6651",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
},
{
"lessThan": "4ad099559b00ac01c3726e5c95dc3108ef47d03e",
"status": "affected",
"version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mempolicy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller. But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new. This would happen if mempolicy was updated on\nthe shared shmem file while the sp-\u003elock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n shm = shmat(shmid, 0, 0);\n loop many times {\n mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n maxnode, 0);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:17.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6"
},
{
"url": "https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999"
},
{
"url": "https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d"
},
{
"url": "https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b"
},
{
"url": "https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894"
},
{
"url": "https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648"
},
{
"url": "https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21"
},
{
"url": "https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651"
},
{
"url": "https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e"
}
],
"title": "mm/mempolicy: fix mpol_new leak in shared_policy_replace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49080",
"datePublished": "2025-02-26T01:54:41.176Z",
"dateReserved": "2025-02-26T01:49:39.247Z",
"dateUpdated": "2025-05-04T08:29:17.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53653 (GCVE-0-2023-53653)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: amphion: fix REVERSE_INULL issues reported by coverity
null-checking of a pointor is suggested before dereferencing it
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/amphion/venc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bddd678fd2864b435d00d51a4d3808a0d89c79de",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "e59d0cd8f414592187ead97b5832600ff7a0dd61",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "ef56b2db216f130c4240aed907d1c5272c2d298d",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
},
{
"lessThan": "79d3bafaecc13bccab1ebbd28a15e669c5a4cdaf",
"status": "affected",
"version": "9f599f351e86acf0fc13e42771f97b7fb4dbbea4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/amphion/venc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: fix REVERSE_INULL issues reported by coverity\n\nnull-checking of a pointor is suggested before dereferencing it"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:49.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bddd678fd2864b435d00d51a4d3808a0d89c79de"
},
{
"url": "https://git.kernel.org/stable/c/e59d0cd8f414592187ead97b5832600ff7a0dd61"
},
{
"url": "https://git.kernel.org/stable/c/ef56b2db216f130c4240aed907d1c5272c2d298d"
},
{
"url": "https://git.kernel.org/stable/c/79d3bafaecc13bccab1ebbd28a15e669c5a4cdaf"
}
],
"title": "media: amphion: fix REVERSE_INULL issues reported by coverity",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53653",
"datePublished": "2025-10-07T15:19:49.303Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:49.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39849 (GCVE-0-2025-39849)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
lead to memory corruption so add some bounds checking.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dd43f8f90206054e7da7593de0a334fb2cd0ea88 Version: c38c701851011c94ce3be1ccb3593678d2933fd8 Version: c38c701851011c94ce3be1ccb3593678d2933fd8 Version: c38c701851011c94ce3be1ccb3593678d2933fd8 Version: c38c701851011c94ce3be1ccb3593678d2933fd8 Version: bf3c348c5fdcf00a7eeed04a1b83e454d2dca2e5 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:07.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/sme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e751d46336205abc259ed3990e850a9843fb649",
"status": "affected",
"version": "dd43f8f90206054e7da7593de0a334fb2cd0ea88",
"versionType": "git"
},
{
"lessThan": "e472f59d02c82b511bc43a3f96d62ed08bf4537f",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "31229145e6ba5ace3e9391113376fa05b7831ede",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"lessThan": "62b635dcd69c4fde7ce1de4992d71420a37e51e3",
"status": "affected",
"version": "c38c701851011c94ce3be1ccb3593678d2933fd8",
"versionType": "git"
},
{
"status": "affected",
"version": "bf3c348c5fdcf00a7eeed04a1b83e454d2dca2e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/sme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()\n\nIf the ssid-\u003edatalen is more than IEEE80211_MAX_SSID_LEN (32) it would\nlead to memory corruption so add some bounds checking."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:59.902Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e751d46336205abc259ed3990e850a9843fb649"
},
{
"url": "https://git.kernel.org/stable/c/e472f59d02c82b511bc43a3f96d62ed08bf4537f"
},
{
"url": "https://git.kernel.org/stable/c/31229145e6ba5ace3e9391113376fa05b7831ede"
},
{
"url": "https://git.kernel.org/stable/c/5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523"
},
{
"url": "https://git.kernel.org/stable/c/62b635dcd69c4fde7ce1de4992d71420a37e51e3"
}
],
"title": "wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39849",
"datePublished": "2025-09-19T15:26:22.073Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:07.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50511 (GCVE-0-2022-50511)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/fonts: fix undefined behavior in bit shift for get_default_font
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20
left shift of 1 by 31 places cannot be represented in type 'int'
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
get_default_font+0x1c7/0x1f0
fbcon_startup+0x347/0x3a0
do_take_over_console+0xce/0x270
do_fbcon_takeover+0xa1/0x170
do_fb_registered+0x2a8/0x340
fbcon_fb_registered+0x47/0xe0
register_framebuffer+0x294/0x4a0
__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
bochs_pci_probe+0x6ca/0x772 [bochs]
local_pci_probe+0x4d/0xb0
pci_device_probe+0x119/0x320
really_probe+0x181/0x550
__driver_probe_device+0xc6/0x220
driver_probe_device+0x32/0x100
__driver_attach+0x195/0x200
bus_for_each_dev+0xbb/0x120
driver_attach+0x27/0x30
bus_add_driver+0x22e/0x2f0
driver_register+0xa9/0x190
__pci_register_driver+0x90/0xa0
bochs_pci_driver_init+0x52/0x1000 [bochs]
do_one_initcall+0x76/0x430
do_init_module+0x61/0x28a
load_module+0x1f82/0x2e50
__do_sys_finit_module+0xf8/0x190
__x64_sys_finit_module+0x23/0x30
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 Version: c81f717cb9e0bd91dc4b98753cb2705ab0fe2801 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/fonts/fonts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e039929e36818507e90901edae87f6fa8bc81093",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "c9a9aa02f0fa3318e0ae5774f404419a1b4759ca",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "e83b47580a0738361772d6f24286adfdaba57e36",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "9c14a85e18a58c102ec223144b7edb5b345c1bea",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "890d91b31f4874361e0df047f57d268a7021cb12",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
},
{
"lessThan": "6fe888c4d2fb174408e4540bb2d5602b9f507f90",
"status": "affected",
"version": "c81f717cb9e0bd91dc4b98753cb2705ab0fe2801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/fonts/fonts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/fonts: fix undefined behavior in bit shift for get_default_font\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20\nleft shift of 1 by 31 places cannot be represented in type \u0027int\u0027\n \u003cTASK\u003e\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n get_default_font+0x1c7/0x1f0\n fbcon_startup+0x347/0x3a0\n do_take_over_console+0xce/0x270\n do_fbcon_takeover+0xa1/0x170\n do_fb_registered+0x2a8/0x340\n fbcon_fb_registered+0x47/0xe0\n register_framebuffer+0x294/0x4a0\n __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\n drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\n drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\n drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\n bochs_pci_probe+0x6ca/0x772 [bochs]\n local_pci_probe+0x4d/0xb0\n pci_device_probe+0x119/0x320\n really_probe+0x181/0x550\n __driver_probe_device+0xc6/0x220\n driver_probe_device+0x32/0x100\n __driver_attach+0x195/0x200\n bus_for_each_dev+0xbb/0x120\n driver_attach+0x27/0x30\n bus_add_driver+0x22e/0x2f0\n driver_register+0xa9/0x190\n __pci_register_driver+0x90/0xa0\n bochs_pci_driver_init+0x52/0x1000 [bochs]\n do_one_initcall+0x76/0x430\n do_init_module+0x61/0x28a\n load_module+0x1f82/0x2e50\n __do_sys_finit_module+0xf8/0x190\n __x64_sys_finit_module+0x23/0x30\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:08.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e039929e36818507e90901edae87f6fa8bc81093"
},
{
"url": "https://git.kernel.org/stable/c/c9a9aa02f0fa3318e0ae5774f404419a1b4759ca"
},
{
"url": "https://git.kernel.org/stable/c/e83b47580a0738361772d6f24286adfdaba57e36"
},
{
"url": "https://git.kernel.org/stable/c/9c14a85e18a58c102ec223144b7edb5b345c1bea"
},
{
"url": "https://git.kernel.org/stable/c/890d91b31f4874361e0df047f57d268a7021cb12"
},
{
"url": "https://git.kernel.org/stable/c/6fe888c4d2fb174408e4540bb2d5602b9f507f90"
}
],
"title": "lib/fonts: fix undefined behavior in bit shift for get_default_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50511",
"datePublished": "2025-10-07T15:19:08.159Z",
"dateReserved": "2025-10-07T15:11:44.887Z",
"dateUpdated": "2025-10-07T15:19:08.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50485 (GCVE-0-2022-50485)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode
There are many places that will get unhappy (and crash) when ext4_iget()
returns a bad inode. However, if iget the boot loader inode, allows a bad
inode to be returned, because the inode may not be initialized. This
mechanism can be used to bypass some checks and cause panic. To solve this
problem, we add a special iget flag EXT4_IGET_BAD. Only with this flag
we'd be returning bad inode from ext4_iget(), otherwise we always return
the error code if the inode is bad inode.(suggested by Jan Kara)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/inode.c",
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2142dfa1de61e25b83198af0308ec7689cca25d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0a738875c2e9c8c3366d792f8bf7fe508d5e5a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f7e6b5548f915d7aa435d0764d41eacfb49c6e09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f725b290ed79ad61e4f721fee95a287892d8b1ad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "488a5c2bf7543c3cd3f07a025f2e62be91599430",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/inode.c",
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add EXT4_IGET_BAD flag to prevent unexpected bad inode\n\nThere are many places that will get unhappy (and crash) when ext4_iget()\nreturns a bad inode. However, if iget the boot loader inode, allows a bad\ninode to be returned, because the inode may not be initialized. This\nmechanism can be used to bypass some checks and cause panic. To solve this\nproblem, we add a special iget flag EXT4_IGET_BAD. Only with this flag\nwe\u0027d be returning bad inode from ext4_iget(), otherwise we always return\nthe error code if the inode is bad inode.(suggested by Jan Kara)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:43.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2142dfa1de61e25b83198af0308ec7689cca25d3"
},
{
"url": "https://git.kernel.org/stable/c/c0a738875c2e9c8c3366d792f8bf7fe508d5e5a5"
},
{
"url": "https://git.kernel.org/stable/c/f7e6b5548f915d7aa435d0764d41eacfb49c6e09"
},
{
"url": "https://git.kernel.org/stable/c/f725b290ed79ad61e4f721fee95a287892d8b1ad"
},
{
"url": "https://git.kernel.org/stable/c/488a5c2bf7543c3cd3f07a025f2e62be91599430"
},
{
"url": "https://git.kernel.org/stable/c/63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023"
}
],
"title": "ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50485",
"datePublished": "2025-10-04T15:16:43.093Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-04T15:16:43.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53527 (GCVE-0-2023-53527)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()
The memory allocated in tb_queue_dp_bandwidth_request() needs to be
released once the request is handled to avoid leaking it.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/tb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0752bb32aed2c5dd85821195a507a1079c4835f7",
"status": "affected",
"version": "6ce3563520be90a155706bafc186fc264a13850e",
"versionType": "git"
},
{
"lessThan": "596a5123cc782d458b057eb3837e66535cd0befa",
"status": "affected",
"version": "6ce3563520be90a155706bafc186fc264a13850e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/tb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()\n\nThe memory allocated in tb_queue_dp_bandwidth_request() needs to be\nreleased once the request is handled to avoid leaking it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:12.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0752bb32aed2c5dd85821195a507a1079c4835f7"
},
{
"url": "https://git.kernel.org/stable/c/596a5123cc782d458b057eb3837e66535cd0befa"
}
],
"title": "thunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53527",
"datePublished": "2025-10-01T11:46:12.696Z",
"dateReserved": "2025-10-01T11:39:39.408Z",
"dateUpdated": "2025-10-01T11:46:12.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53580 (GCVE-0-2023-53580)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: Gadget: core: Help prevent panic during UVC unconfigure
Avichal Rakesh reported a kernel panic that occurred when the UVC
gadget driver was removed from a gadget's configuration. The panic
involves a somewhat complicated interaction between the kernel driver
and a userspace component (as described in the Link tag below), but
the analysis did make one thing clear: The Gadget core should
accomodate gadget drivers calling usb_gadget_deactivate() as part of
their unbind procedure.
Currently this doesn't work. gadget_unbind_driver() calls
driver->unbind() while holding the udc->connect_lock mutex, and
usb_gadget_deactivate() attempts to acquire that mutex, which will
result in a deadlock.
The simple fix is for gadget_unbind_driver() to release the mutex when
invoking the ->unbind() callback. There is no particular reason for
it to be holding the mutex at that time, and the mutex isn't held
while the ->bind() callback is invoked. So we'll drop the mutex
before performing the unbind callback and reacquire it afterward.
We'll also add a couple of comments to usb_gadget_activate() and
usb_gadget_deactivate(). Because they run in process context they
must not be called from a gadget driver's ->disconnect() callback,
which (according to the kerneldoc for struct usb_gadget_driver in
include/linux/usb/gadget.h) may run in interrupt context. This may
help prevent similar bugs from arising in the future.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bed19d95fcb9c98dfaa9585922b39a2dfba7898d",
"status": "affected",
"version": "d8195536ce2624e2947d9f56b1a61e7a27874bd3",
"versionType": "git"
},
{
"lessThan": "8c1edc00db65f6d4408b3d1cd845e8da3b9e0ca4",
"status": "affected",
"version": "286d9975a838d0a54da049765fa1d1fb96b89682",
"versionType": "git"
},
{
"lessThan": "65dadb2beeb7360232b09ebc4585b54475dfee06",
"status": "affected",
"version": "286d9975a838d0a54da049765fa1d1fb96b89682",
"versionType": "git"
},
{
"status": "affected",
"version": "85102a45c7390caf124a3a5796574446f1e037b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: Gadget: core: Help prevent panic during UVC unconfigure\n\nAvichal Rakesh reported a kernel panic that occurred when the UVC\ngadget driver was removed from a gadget\u0027s configuration. The panic\ninvolves a somewhat complicated interaction between the kernel driver\nand a userspace component (as described in the Link tag below), but\nthe analysis did make one thing clear: The Gadget core should\naccomodate gadget drivers calling usb_gadget_deactivate() as part of\ntheir unbind procedure.\n\nCurrently this doesn\u0027t work. gadget_unbind_driver() calls\ndriver-\u003eunbind() while holding the udc-\u003econnect_lock mutex, and\nusb_gadget_deactivate() attempts to acquire that mutex, which will\nresult in a deadlock.\n\nThe simple fix is for gadget_unbind_driver() to release the mutex when\ninvoking the -\u003eunbind() callback. There is no particular reason for\nit to be holding the mutex at that time, and the mutex isn\u0027t held\nwhile the -\u003ebind() callback is invoked. So we\u0027ll drop the mutex\nbefore performing the unbind callback and reacquire it afterward.\n\nWe\u0027ll also add a couple of comments to usb_gadget_activate() and\nusb_gadget_deactivate(). Because they run in process context they\nmust not be called from a gadget driver\u0027s -\u003edisconnect() callback,\nwhich (according to the kerneldoc for struct usb_gadget_driver in\ninclude/linux/usb/gadget.h) may run in interrupt context. This may\nhelp prevent similar bugs from arising in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:57.064Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bed19d95fcb9c98dfaa9585922b39a2dfba7898d"
},
{
"url": "https://git.kernel.org/stable/c/8c1edc00db65f6d4408b3d1cd845e8da3b9e0ca4"
},
{
"url": "https://git.kernel.org/stable/c/65dadb2beeb7360232b09ebc4585b54475dfee06"
}
],
"title": "USB: Gadget: core: Help prevent panic during UVC unconfigure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53580",
"datePublished": "2025-10-04T15:43:57.064Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:43:57.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53551 (GCVE-0-2023-53551)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: u_serial: Add null pointer check in gserial_resume
Consider a case where gserial_disconnect has already cleared
gser->ioport. And if a wakeup interrupt triggers afterwards,
gserial_resume gets called, which will lead to accessing of
gser->ioport and thus causing null pointer dereference.Add
a null pointer check to prevent this.
Added a static spinlock to prevent gser->ioport from becoming
null after the newly added check.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5360eec648bd506afa304ae4a71f82e13d41897",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "3b24c980dc07be4550a9d1450ed7057f882530e5",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "ec357cd3e8af614855d286dd378725cdc7264df6",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "44e004f757a7ae13dfebaadbcfdb1a6f98c10377",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "5ec63fdbca604568890c577753c6f66c5b3ef0b5",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.171",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.97",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Add null pointer check in gserial_resume\n\nConsider a case where gserial_disconnect has already cleared\ngser-\u003eioport. And if a wakeup interrupt triggers afterwards,\ngserial_resume gets called, which will lead to accessing of\ngser-\u003eioport and thus causing null pointer dereference.Add\na null pointer check to prevent this.\n\nAdded a static spinlock to prevent gser-\u003eioport from becoming\nnull after the newly added check."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:57.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5360eec648bd506afa304ae4a71f82e13d41897"
},
{
"url": "https://git.kernel.org/stable/c/3b24c980dc07be4550a9d1450ed7057f882530e5"
},
{
"url": "https://git.kernel.org/stable/c/ec357cd3e8af614855d286dd378725cdc7264df6"
},
{
"url": "https://git.kernel.org/stable/c/44e004f757a7ae13dfebaadbcfdb1a6f98c10377"
},
{
"url": "https://git.kernel.org/stable/c/5ec63fdbca604568890c577753c6f66c5b3ef0b5"
}
],
"title": "usb: gadget: u_serial: Add null pointer check in gserial_resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53551",
"datePublished": "2025-10-04T15:16:57.736Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:16:57.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3772 (GCVE-0-2023-3772)
Vulnerability from cvelistv5
Published
2023-07-25 15:47
Modified
2025-11-07 13:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - NULL Pointer Dereference
Summary
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected: 0:4.18.0-513.5.1.rt7.307.el8_9 < * cpe:/a:redhat:enterprise_linux:8::realtime cpe:/a:redhat:enterprise_linux:8::nfv |
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:49.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/10/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/10/3"
},
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3772"
},
{
"name": "RHBZ#2218943",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218943"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime",
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.rt7.307.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos",
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.8::crb",
"cpe:/o:redhat:rhel_eus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-477.43.1.el8_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.8.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Lin Ma (ZJU \u0026 Ant Security Light-Year Lab) for reporting this issue."
}
],
"datePublic": "2023-07-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T13:03:42.167Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:6583",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3772"
},
{
"name": "RHBZ#2218943",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218943"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-29T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-07-21T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: xfrm: null pointer dereference in xfrm_update_ae_params()",
"x_redhatCweChain": "CWE-476: NULL Pointer Dereference"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3772",
"datePublished": "2023-07-25T15:47:40.183Z",
"dateReserved": "2023-07-19T13:55:07.799Z",
"dateUpdated": "2025-11-07T13:03:42.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39841 (GCVE-0-2025-39841)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Fix a use-after-free window by correcting the buffer release sequence in
the deferred receive path. The code freed the RQ buffer first and only
then cleared the context pointer under the lock. Concurrent paths (e.g.,
ABTS and the repost path) also inspect and release the same pointer under
the lock, so the old order could lead to double-free/UAF.
Note that the repost path already uses the correct pattern: detach the
pointer under the lock, then free it after dropping the lock. The
deferred path should do the same.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 Version: 472e146d1cf3410a898b49834500fa9e33ac41a2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:56.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nvmet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab34084f42ee06a9028d67c78feafb911d33d111",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "baa39f6ad79d372a6ce0aa639fbb2f1578479f57",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "95b63d15fce5c54a73bbf195e1aacb5a75b128e2",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "55658c7501467ca9ef3bd4453dd920010db8bc13",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "d96cc9a1b57725930c60b607423759d563b4d900",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "897f64b01c1249ac730329b83f4f40bab71e86c7",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
},
{
"lessThan": "9dba9a45c348e8460da97c450cddf70b2056deb3",
"status": "affected",
"version": "472e146d1cf3410a898b49834500fa9e33ac41a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nvmet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:48.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111"
},
{
"url": "https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57"
},
{
"url": "https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2"
},
{
"url": "https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13"
},
{
"url": "https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900"
},
{
"url": "https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11"
},
{
"url": "https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7"
},
{
"url": "https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3"
}
],
"title": "scsi: lpfc: Fix buffer free/clear order in deferred receive path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39841",
"datePublished": "2025-09-19T15:26:16.349Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:56.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39902 (GCVE-0-2025-39902)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: avoid accessing metadata when pointer is invalid in object_err()
object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.
One known path to the crash is when alloc_consistency_checks()
determines the pointer to the allocated object is invalid because of a
freelist corruption, and calls object_err() to report it. The debug code
should report and handle the corruption gracefully and not crash in the
process.
In case the pointer is NULL or check_valid_pointer() returns false for
the pointer, only print the pointer value and skip accessing metadata.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:33.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "872f2c34ff232af1e65ad2df86d61163c8ffad42",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "f66012909e7bf383fcdc5850709ed5716073fdc4",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "7e287256904ee796c9477e3ec92b07f236481ef3",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "1f0797f17927b5cad0fb7eced422f9a7c30a3191",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "0ef7058b4dc6fcef622ac23b45225db57f17b83f",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "dda6ec365ab04067adae40ef17015db447e90736",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "3baa1da473e6e50281324ff1d332d1a07a3bb02e",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "b4efccec8d06ceb10a7d34d7b1c449c569d53770",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:49.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/872f2c34ff232af1e65ad2df86d61163c8ffad42"
},
{
"url": "https://git.kernel.org/stable/c/f66012909e7bf383fcdc5850709ed5716073fdc4"
},
{
"url": "https://git.kernel.org/stable/c/7e287256904ee796c9477e3ec92b07f236481ef3"
},
{
"url": "https://git.kernel.org/stable/c/1f0797f17927b5cad0fb7eced422f9a7c30a3191"
},
{
"url": "https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f"
},
{
"url": "https://git.kernel.org/stable/c/dda6ec365ab04067adae40ef17015db447e90736"
},
{
"url": "https://git.kernel.org/stable/c/3baa1da473e6e50281324ff1d332d1a07a3bb02e"
},
{
"url": "https://git.kernel.org/stable/c/b4efccec8d06ceb10a7d34d7b1c449c569d53770"
}
],
"title": "mm/slub: avoid accessing metadata when pointer is invalid in object_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39902",
"datePublished": "2025-10-01T07:42:49.415Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:33.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50496 (GCVE-0-2022-50496)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: Fix UAF in destroy()
Dm_cache also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in destroy().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 Version: c6b4fcbad044e6fffcc75bba160e720eb8d67d17 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "034cbc8d3b47a56acd89453c29632a9c117de09d",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "993406104d2b28fe470126a062ad37a1e21e792e",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "4d20032dd90664de09f2902a7ea49ae2f7771746",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "2f097dfac7579fd84ff98eb1d3acd41d53a485f3",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "2b17026685a270b2beaf1cdd9857fcedd3505c7e",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "d2a0b298ebf83ab6236f66788a3541e91ce75a70",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "6ac4f36910764cb510bafc4c3768544f86ca48ca",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "6a3e412c2ab131c54945327a7676b006f000a209",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
},
{
"lessThan": "6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa",
"status": "affected",
"version": "c6b4fcbad044e6fffcc75bba160e720eb8d67d17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: Fix UAF in destroy()\n\nDm_cache also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in destroy()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:47.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/034cbc8d3b47a56acd89453c29632a9c117de09d"
},
{
"url": "https://git.kernel.org/stable/c/993406104d2b28fe470126a062ad37a1e21e792e"
},
{
"url": "https://git.kernel.org/stable/c/4d20032dd90664de09f2902a7ea49ae2f7771746"
},
{
"url": "https://git.kernel.org/stable/c/2f097dfac7579fd84ff98eb1d3acd41d53a485f3"
},
{
"url": "https://git.kernel.org/stable/c/2b17026685a270b2beaf1cdd9857fcedd3505c7e"
},
{
"url": "https://git.kernel.org/stable/c/d2a0b298ebf83ab6236f66788a3541e91ce75a70"
},
{
"url": "https://git.kernel.org/stable/c/6ac4f36910764cb510bafc4c3768544f86ca48ca"
},
{
"url": "https://git.kernel.org/stable/c/6a3e412c2ab131c54945327a7676b006f000a209"
},
{
"url": "https://git.kernel.org/stable/c/6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa"
}
],
"title": "dm cache: Fix UAF in destroy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50496",
"datePublished": "2025-10-04T15:43:47.948Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:47.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53456 (GCVE-0-2023-53456)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla4xxx: Add length check when parsing nlattrs
There are three places that qla4xxx parses nlattrs:
- qla4xxx_set_chap_entry()
- qla4xxx_iface_set_param()
- qla4xxx_sysfs_ddb_set_param()
and each of them directly converts the nlattr to specific pointer of
structure without length checking. This could be dangerous as those
attributes are not validated and a malformed nlattr (e.g., length 0) could
result in an OOB read that leaks heap dirty data.
Add the nla_len check before accessing the nlattr data and return EINVAL if
the length check fails.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 Version: 00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla4xxx/ql4_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfa6a1a79ed6d336fac7a5d87eb5471e4401829f",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "5925e224cc6edfef57b20447f18323208461309b",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "47f3be62eab50b8cd7e1ae5fc2c4dae687497c34",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "6d65079c69dc1feb817ed71f5bd15e83a7d6832d",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "f61fc650c47849637fa1771a31a11674c824138a",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "25feffb3fbd51ae81d92c65cebc0e932663828b3",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "4ed21975311247bb84e82298eeb359ec0a0fa84d",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "b018c0440b871d8b001c996e95fa4538bd292de6",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
},
{
"lessThan": "47cd3770e31df942e2bb925a9a855c79ed0662eb",
"status": "affected",
"version": "00c31889f7513e9ffa6b2b4de8ad6d7f59a61c80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla4xxx/ql4_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Add length check when parsing nlattrs\n\nThere are three places that qla4xxx parses nlattrs:\n\n - qla4xxx_set_chap_entry()\n\n - qla4xxx_iface_set_param()\n\n - qla4xxx_sysfs_ddb_set_param()\n\nand each of them directly converts the nlattr to specific pointer of\nstructure without length checking. This could be dangerous as those\nattributes are not validated and a malformed nlattr (e.g., length 0) could\nresult in an OOB read that leaks heap dirty data.\n\nAdd the nla_len check before accessing the nlattr data and return EINVAL if\nthe length check fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:27.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfa6a1a79ed6d336fac7a5d87eb5471e4401829f"
},
{
"url": "https://git.kernel.org/stable/c/5925e224cc6edfef57b20447f18323208461309b"
},
{
"url": "https://git.kernel.org/stable/c/47f3be62eab50b8cd7e1ae5fc2c4dae687497c34"
},
{
"url": "https://git.kernel.org/stable/c/6d65079c69dc1feb817ed71f5bd15e83a7d6832d"
},
{
"url": "https://git.kernel.org/stable/c/f61fc650c47849637fa1771a31a11674c824138a"
},
{
"url": "https://git.kernel.org/stable/c/25feffb3fbd51ae81d92c65cebc0e932663828b3"
},
{
"url": "https://git.kernel.org/stable/c/4ed21975311247bb84e82298eeb359ec0a0fa84d"
},
{
"url": "https://git.kernel.org/stable/c/b018c0440b871d8b001c996e95fa4538bd292de6"
},
{
"url": "https://git.kernel.org/stable/c/47cd3770e31df942e2bb925a9a855c79ed0662eb"
}
],
"title": "scsi: qla4xxx: Add length check when parsing nlattrs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53456",
"datePublished": "2025-10-01T11:42:27.821Z",
"dateReserved": "2025-09-17T14:54:09.754Z",
"dateUpdated": "2025-10-01T11:42:27.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53716 (GCVE-0-2023-53716)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix skb leak in __skb_tstamp_tx()
Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 281072fb2a7294cde7acbf5375b879f40a8001b7 Version: 1f69c086b20e27763af28145981435423f088268 Version: 602fa8af44fd55a58f9e94eb673e8adad2c6cc46 Version: 230a5ed7d813fb516de81d23f09d7506753e41e9 Version: 43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a Version: cb52e7f24c1d01a536a847dff0d1d95889cc3b5c Version: 426384dd4980040651536fef5feac4dcc4d7ee4e Version: 50749f2dd6854a41830996ad302aef2ffaf011d8 Version: 30290f210ba7426ff7592fe2eb4114b1b5bad219 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82501f1ead557cbee1c2467654ec109a80334d22",
"status": "affected",
"version": "281072fb2a7294cde7acbf5375b879f40a8001b7",
"versionType": "git"
},
{
"lessThan": "779332447108545ef04682ea29af5f85c0202aee",
"status": "affected",
"version": "1f69c086b20e27763af28145981435423f088268",
"versionType": "git"
},
{
"lessThan": "58766252f6b2c0487cda6976a53d2bb03ae28e2a",
"status": "affected",
"version": "602fa8af44fd55a58f9e94eb673e8adad2c6cc46",
"versionType": "git"
},
{
"lessThan": "a594382ec6d0cc8cff5a8bc7e61b54e3858fb243",
"status": "affected",
"version": "230a5ed7d813fb516de81d23f09d7506753e41e9",
"versionType": "git"
},
{
"lessThan": "e06841a2abf9c82735cee39e88b1d79464088840",
"status": "affected",
"version": "43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a",
"versionType": "git"
},
{
"lessThan": "cc18b4685910d5d9de8314bae9c55790701b1811",
"status": "affected",
"version": "cb52e7f24c1d01a536a847dff0d1d95889cc3b5c",
"versionType": "git"
},
{
"lessThan": "f4d928c00254cfc9dd0ee7076f4a59bceec675f4",
"status": "affected",
"version": "426384dd4980040651536fef5feac4dcc4d7ee4e",
"versionType": "git"
},
{
"lessThan": "8a02fb71d7192ff1a9a47c9d937624966c6e09af",
"status": "affected",
"version": "50749f2dd6854a41830996ad302aef2ffaf011d8",
"versionType": "git"
},
{
"status": "affected",
"version": "30290f210ba7426ff7592fe2eb4114b1b5bad219",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4.14.316",
"status": "affected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThan": "4.19.284",
"status": "affected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThan": "5.4.244",
"status": "affected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThan": "5.10.181",
"status": "affected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThan": "5.15.114",
"status": "affected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThan": "6.1.31",
"status": "affected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThan": "6.3.5",
"status": "affected",
"version": "6.3.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14.315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.19.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.15.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "6.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "6.3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix skb leak in __skb_tstamp_tx()\n\nCommit 50749f2dd685 (\"tcp/udp: Fix memleaks of sk and zerocopy skbs with\nTX timestamp.\") added a call to skb_orphan_frags_rx() to fix leaks with\nzerocopy skbs. But it ended up adding a leak of its own. When\nskb_orphan_frags_rx() fails, the function just returns, leaking the skb\nit just cloned. Free it before returning.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:49.536Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82501f1ead557cbee1c2467654ec109a80334d22"
},
{
"url": "https://git.kernel.org/stable/c/779332447108545ef04682ea29af5f85c0202aee"
},
{
"url": "https://git.kernel.org/stable/c/58766252f6b2c0487cda6976a53d2bb03ae28e2a"
},
{
"url": "https://git.kernel.org/stable/c/a594382ec6d0cc8cff5a8bc7e61b54e3858fb243"
},
{
"url": "https://git.kernel.org/stable/c/e06841a2abf9c82735cee39e88b1d79464088840"
},
{
"url": "https://git.kernel.org/stable/c/cc18b4685910d5d9de8314bae9c55790701b1811"
},
{
"url": "https://git.kernel.org/stable/c/f4d928c00254cfc9dd0ee7076f4a59bceec675f4"
},
{
"url": "https://git.kernel.org/stable/c/8a02fb71d7192ff1a9a47c9d937624966c6e09af"
}
],
"title": "net: fix skb leak in __skb_tstamp_tx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53716",
"datePublished": "2025-10-22T13:23:49.536Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:49.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53533 (GCVE-0-2023-53533)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
rpi_firmware_get() take reference, we need to release it in error paths
as well. Use devm_rpi_firmware_get() helper to handling the resources.
Also remove the existing rpi_firmware_put().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 Version: 0b9f28fed3f70ff9a0380fe308739dd72a30a6f6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/raspberrypi-ts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dfa3c9dd27bdc347733d06e980395768520bc3e",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "0d6a5c9489c8a3d434e685066119c4333476dccd",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "7acad58049acc6ac148e8b613a6eceeca4bcb4a7",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "36d087e49dabd28d2c13a7532dac72d625ce69fb",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "9dbbe9db224c23a60dc7b1e00c701be93328c873",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "9216aa5cfd86809a2681be3683cd9ac30432de0c",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
},
{
"lessThan": "5bca3688bdbc3b58a2894b8671a8e2378efe28bd",
"status": "affected",
"version": "0b9f28fed3f70ff9a0380fe308739dd72a30a6f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/raspberrypi-ts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: raspberrypi-ts - fix refcount leak in rpi_ts_probe\n\nrpi_firmware_get() take reference, we need to release it in error paths\nas well. Use devm_rpi_firmware_get() helper to handling the resources.\nAlso remove the existing rpi_firmware_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:45.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dfa3c9dd27bdc347733d06e980395768520bc3e"
},
{
"url": "https://git.kernel.org/stable/c/0d6a5c9489c8a3d434e685066119c4333476dccd"
},
{
"url": "https://git.kernel.org/stable/c/7acad58049acc6ac148e8b613a6eceeca4bcb4a7"
},
{
"url": "https://git.kernel.org/stable/c/36d087e49dabd28d2c13a7532dac72d625ce69fb"
},
{
"url": "https://git.kernel.org/stable/c/9dbbe9db224c23a60dc7b1e00c701be93328c873"
},
{
"url": "https://git.kernel.org/stable/c/9216aa5cfd86809a2681be3683cd9ac30432de0c"
},
{
"url": "https://git.kernel.org/stable/c/5bca3688bdbc3b58a2894b8671a8e2378efe28bd"
}
],
"title": "Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53533",
"datePublished": "2025-10-04T15:16:45.207Z",
"dateReserved": "2025-10-04T15:14:15.918Z",
"dateUpdated": "2025-10-04T15:16:45.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39850 (GCVE-0-2025-39850)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will
suppress ARP requests and IPv6 Neighbor Solicitation messages if it is
able to reply on behalf of the remote host. That is, if a matching and
valid neighbor entry is configured on the VXLAN device whose MAC address
is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC
address points to a valid remote destination, but this is incorrect if
the entry is associated with an FDB nexthop group. This can result in a
NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing
it.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_xmit+0xb58/0x15f0
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014
RIP: 0010:vxlan_xmit+0x803/0x1600
[...]
Call Trace:
<TASK>
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
ip6_finish_output2+0x210/0x6c0
ip6_finish_output+0x1af/0x2b0
ip6_mr_output+0x92/0x3e0
ip6_send_skb+0x30/0x90
rawv6_sendmsg+0xe6e/0x12e0
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f383422ec77
[4]
#!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e211e3f4199ac829bd493632efcd131d337cba9d",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects\n\nWhen the \"proxy\" option is enabled on a VXLAN device, the device will\nsuppress ARP requests and IPv6 Neighbor Solicitation messages if it is\nable to reply on behalf of the remote host. That is, if a matching and\nvalid neighbor entry is configured on the VXLAN device whose MAC address\nis not behind the \"any\" remote (0.0.0.0 / ::).\n\nThe code currently assumes that the FDB entry for the neighbor\u0027s MAC\naddress points to a valid remote destination, but this is incorrect if\nthe entry is associated with an FDB nexthop group. This can result in a\nNPD [1][3] which can be reproduced using [2][4].\n\nFix by checking that the remote destination exists before dereferencing\nit.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_xmit+0xb58/0x15f0\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.2 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy\n\n ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3\n\n[3]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014\nRIP: 0010:vxlan_xmit+0x803/0x1600\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n ip6_finish_output2+0x210/0x6c0\n ip6_finish_output+0x1af/0x2b0\n ip6_mr_output+0x92/0x3e0\n ip6_send_skb+0x30/0x90\n rawv6_sendmsg+0xe6e/0x12e0\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f383422ec77\n\n[4]\n #!/bin/bash\n\n ip address add 2001:db8:1::1/128 dev lo\n\n ip nexthop add id 1 via 2001:db8:1::1 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy\n\n ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:01.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e211e3f4199ac829bd493632efcd131d337cba9d"
},
{
"url": "https://git.kernel.org/stable/c/8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa"
},
{
"url": "https://git.kernel.org/stable/c/1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce"
}
],
"title": "vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39850",
"datePublished": "2025-09-19T15:26:22.803Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-09-29T06:01:01.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38687 (GCVE-0-2025-38687)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: fix race between polling and detaching
syzbot reports a use-after-free in comedi in the below link, which is
due to comedi gladly removing the allocated async area even though poll
requests are still active on the wait_queue_head inside of it. This can
cause a use-after-free when the poll entries are later triggered or
removed, as the memory for the wait_queue_head has been freed. We need
to check there are no tasks queued on any of the subdevices' wait queues
before allowing the device to be detached by the `COMEDI_DEVCONFIG`
ioctl.
Tasks will read-lock `dev->attach_lock` before adding themselves to the
subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
handler by write-locking `dev->attach_lock` before checking that all of
the subdevices are safe to be deleted. This includes testing for any
sleepers on the subdevices' wait queues. It remains locked until the
device has been detached. This requires the `comedi_device_detach()`
function to be refactored slightly, moving the bulk of it into new
function `comedi_device_detach_locked()`.
Note that the refactor of `comedi_device_detach()` results in
`comedi_device_cancel_all()` now being called while `dev->attach_lock`
is write-locked, which wasn't the case previously, but that does not
matter.
Thanks to Jens Axboe for diagnosing the problem and co-developing this
patch.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 Version: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:14.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c",
"drivers/comedi/comedi_internal.h",
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe67122ba781df44a1a9716eb1dfd751321ab512",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "cd4286123d6948ff638ea9cd5818ae4796d5d252",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "d85fac8729c9acfd72368faff1d576ec585e5c8f",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "0f989f9d05492028afd2bded4b42023c57d8a76e",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "017198079551a2a5cf61eae966af3c4b145e1f3b",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "71ca60d2e631cf9c63bcbc7017961c61ff04e419",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "5724e82df4f9a4be62908362c97d522d25de75dd",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
},
{
"lessThan": "35b6fc51c666fc96355be5cd633ed0fe4ccf68b2",
"status": "affected",
"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c",
"drivers/comedi/comedi_internal.h",
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed. We need\nto check there are no tasks queued on any of the subdevices\u0027 wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev-\u003eattach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev-\u003eattach_lock` before checking that all of\nthe subdevices are safe to be deleted. This includes testing for any\nsleepers on the subdevices\u0027 wait queues. It remains locked until the\ndevice has been detached. This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev-\u003eattach_lock`\nis write-locked, which wasn\u0027t the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:00.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe67122ba781df44a1a9716eb1dfd751321ab512"
},
{
"url": "https://git.kernel.org/stable/c/cd4286123d6948ff638ea9cd5818ae4796d5d252"
},
{
"url": "https://git.kernel.org/stable/c/d85fac8729c9acfd72368faff1d576ec585e5c8f"
},
{
"url": "https://git.kernel.org/stable/c/0f989f9d05492028afd2bded4b42023c57d8a76e"
},
{
"url": "https://git.kernel.org/stable/c/5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4"
},
{
"url": "https://git.kernel.org/stable/c/017198079551a2a5cf61eae966af3c4b145e1f3b"
},
{
"url": "https://git.kernel.org/stable/c/71ca60d2e631cf9c63bcbc7017961c61ff04e419"
},
{
"url": "https://git.kernel.org/stable/c/5724e82df4f9a4be62908362c97d522d25de75dd"
},
{
"url": "https://git.kernel.org/stable/c/35b6fc51c666fc96355be5cd633ed0fe4ccf68b2"
}
],
"title": "comedi: fix race between polling and detaching",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38687",
"datePublished": "2025-09-04T15:32:41.702Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:14.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50577 (GCVE-0-2022-50577)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix memory leak in __ima_inode_hash()
Commit f3cc6b25dcc5 ("ima: always measure and audit files in policy") lets
measurement or audit happen even if the file digest cannot be calculated.
As a result, iint->ima_hash could have been allocated despite
ima_collect_measurement() returning an error.
Since ima_hash belongs to a temporary inode metadata structure, declared
at the beginning of __ima_inode_hash(), just add a kfree() call if
ima_collect_measurement() returns an error different from -ENOMEM (in that
case, ima_hash should not have been allocated).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4df8cb38f139ed9f4296868c0a6f15a26e8c491",
"status": "affected",
"version": "280fe8367b0dc45b6ac5e04fad03e16e99540c0c",
"versionType": "git"
},
{
"lessThan": "f375bcf69f58fd0744c9dfd1b6b891a27301d67b",
"status": "affected",
"version": "280fe8367b0dc45b6ac5e04fad03e16e99540c0c",
"versionType": "git"
},
{
"lessThan": "8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8",
"status": "affected",
"version": "280fe8367b0dc45b6ac5e04fad03e16e99540c0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix memory leak in __ima_inode_hash()\n\nCommit f3cc6b25dcc5 (\"ima: always measure and audit files in policy\") lets\nmeasurement or audit happen even if the file digest cannot be calculated.\n\nAs a result, iint-\u003eima_hash could have been allocated despite\nima_collect_measurement() returning an error.\n\nSince ima_hash belongs to a temporary inode metadata structure, declared\nat the beginning of __ima_inode_hash(), just add a kfree() call if\nima_collect_measurement() returns an error different from -ENOMEM (in that\ncase, ima_hash should not have been allocated)."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:30.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4df8cb38f139ed9f4296868c0a6f15a26e8c491"
},
{
"url": "https://git.kernel.org/stable/c/f375bcf69f58fd0744c9dfd1b6b891a27301d67b"
},
{
"url": "https://git.kernel.org/stable/c/8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8"
}
],
"title": "ima: Fix memory leak in __ima_inode_hash()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50577",
"datePublished": "2025-10-22T13:23:30.910Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:30.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53515 (GCVE-0-2023-53515)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-mmio: don't break lifecycle of vm_dev
vm_dev has a separate lifecycle because it has a 'struct device'
embedded. Thus, having a release callback for it is correct.
Allocating the vm_dev struct with devres totally breaks this protection,
though. Instead of waiting for the vm_dev release callback, the memory
is freed when the platform_device is removed. Resulting in a
use-after-free when finally the callback is to be called.
To easily see the problem, compile the kernel with
CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
The fix is easy, don't use devres in this case.
Found during my research about object lifetime problems.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 Version: 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97a2d55ead76358245b446efd87818e919196d7a",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "b788ad3b2468512339c05f23692e36860264e674",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "3ff54d904fafabd0912796785e53cce4e69ca123",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "af5818c35173e096085c6ae2e3aac605d3d15e41",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
},
{
"lessThan": "55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a",
"status": "affected",
"version": "7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-mmio: don\u0027t break lifecycle of vm_dev\n\nvm_dev has a separate lifecycle because it has a \u0027struct device\u0027\nembedded. Thus, having a release callback for it is correct.\n\nAllocating the vm_dev struct with devres totally breaks this protection,\nthough. Instead of waiting for the vm_dev release callback, the memory\nis freed when the platform_device is removed. Resulting in a\nuse-after-free when finally the callback is to be called.\n\nTo easily see the problem, compile the kernel with\nCONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.\n\nThe fix is easy, don\u0027t use devres in this case.\n\nFound during my research about object lifetime problems."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:03.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97a2d55ead76358245b446efd87818e919196d7a"
},
{
"url": "https://git.kernel.org/stable/c/b788ad3b2468512339c05f23692e36860264e674"
},
{
"url": "https://git.kernel.org/stable/c/3ff54d904fafabd0912796785e53cce4e69ca123"
},
{
"url": "https://git.kernel.org/stable/c/5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e"
},
{
"url": "https://git.kernel.org/stable/c/af5818c35173e096085c6ae2e3aac605d3d15e41"
},
{
"url": "https://git.kernel.org/stable/c/2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e"
},
{
"url": "https://git.kernel.org/stable/c/55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a"
}
],
"title": "virtio-mmio: don\u0027t break lifecycle of vm_dev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53515",
"datePublished": "2025-10-01T11:46:03.192Z",
"dateReserved": "2025-10-01T11:39:39.406Z",
"dateUpdated": "2025-10-01T11:46:03.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53252 (GCVE-0-2023-53252)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
hci_update_accept_list_sync iterates over hdev->pend_le_conns and
hdev->pend_le_reports, and waits for controller events in the loop body,
without holding hdev lock.
Meanwhile, these lists and the items may be modified e.g. by
le_scan_cleanup. This can invalidate the list cursor or any other item
in the list, resulting to invalid behavior (eg use-after-free).
Use RCU for the hci_conn_params action lists. Since the loop bodies in
hci_sync block and we cannot use RCU or hdev->lock for the whole loop,
copy list items first and then iterate on the copy. Only the flags field
is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we
read valid values.
Free params everywhere with hci_conn_params_free so the cleanup is
guaranteed to be done properly.
This fixes the following, which can be triggered e.g. by BlueZ new
mgmt-tester case "Add + Remove Device Nowait - Success", or by changing
hci_le_set_cig_params to always return false, and running iso-tester:
==================================================================
BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
kasan_report (mm/kasan/report.c:538)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
? mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
? __pfx_worker_thread (kernel/workqueue.c:2480)
kthread (kernel/kthread.c:376)
? __pfx_kthread (kernel/kthread.c:331)
ret_from_fork (arch/x86/entry/entry_64.S:314)
</TASK>
Allocated by task 31:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
hci_connect_cis (net/bluetooth/hci_conn.c:2266)
iso_connect_cis (net/bluetooth/iso.c:390)
iso_sock_connect (net/bluetooth/iso.c:899)
__sys_connect (net/socket.c:2003 net/socket.c:2020)
__x64_sys_connect (net/socket.c:2027)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
Freed by task 15:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/generic.c:523)
__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
hci_conn_params_del (net/bluetooth/hci_core.c:2323)
le_scan_cleanup (net/bluetooth/hci_conn.c:202)
process_one_work (./arch/x86/include/asm/preempt.
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c",
"net/bluetooth/hci_sync.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ad45ad14df992a6754a130a19abc8c142d54e2",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
},
{
"lessThan": "cef88a0fd8e9c2e838162fbb742b3e713b811a7e",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
},
{
"lessThan": "195ef75e19287b4bc413da3e3e3722b030ac881e",
"status": "affected",
"version": "e8907f76544ffe225ab95d70f7313267b1d0c76d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c",
"net/bluetooth/hci_sync.c",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use RCU for hci_conn_params and iterate safely in hci_sync\n\nhci_update_accept_list_sync iterates over hdev-\u003epend_le_conns and\nhdev-\u003epend_le_reports, and waits for controller events in the loop body,\nwithout holding hdev lock.\n\nMeanwhile, these lists and the items may be modified e.g. by\nle_scan_cleanup. This can invalidate the list cursor or any other item\nin the list, resulting to invalid behavior (eg use-after-free).\n\nUse RCU for the hci_conn_params action lists. Since the loop bodies in\nhci_sync block and we cannot use RCU or hdev-\u003elock for the whole loop,\ncopy list items first and then iterate on the copy. Only the flags field\nis written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we\nread valid values.\n\nFree params everywhere with hci_conn_params_free so the cleanup is\nguaranteed to be done properly.\n\nThis fixes the following, which can be triggered e.g. by BlueZ new\nmgmt-tester case \"Add + Remove Device Nowait - Success\", or by changing\nhci_le_set_cig_params to always return false, and running iso-tester:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nRead of size 8 at addr ffff888001265018 by task kworker/u3:0/32\n\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)\nprint_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)\n? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nkasan_report (mm/kasan/report.c:538)\n? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nhci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\n? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)\n? mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_unlock (kernel/locking/mutex.c:538)\n? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)\nhci_cmd_sync_work (net/bluetooth/hci_sync.c:306)\nprocess_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)\nworker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)\n? __pfx_worker_thread (kernel/workqueue.c:2480)\nkthread (kernel/kthread.c:376)\n? __pfx_kthread (kernel/kthread.c:331)\nret_from_fork (arch/x86/entry/entry_64.S:314)\n\u003c/TASK\u003e\n\nAllocated by task 31:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\n__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)\nhci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)\nhci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)\nhci_connect_cis (net/bluetooth/hci_conn.c:2266)\niso_connect_cis (net/bluetooth/iso.c:390)\niso_sock_connect (net/bluetooth/iso.c:899)\n__sys_connect (net/socket.c:2003 net/socket.c:2020)\n__x64_sys_connect (net/socket.c:2027)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n\nFreed by task 15:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/generic.c:523)\n__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)\n__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)\nhci_conn_params_del (net/bluetooth/hci_core.c:2323)\nle_scan_cleanup (net/bluetooth/hci_conn.c:202)\nprocess_one_work (./arch/x86/include/asm/preempt.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:21.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ad45ad14df992a6754a130a19abc8c142d54e2"
},
{
"url": "https://git.kernel.org/stable/c/cef88a0fd8e9c2e838162fbb742b3e713b811a7e"
},
{
"url": "https://git.kernel.org/stable/c/195ef75e19287b4bc413da3e3e3722b030ac881e"
}
],
"title": "Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53252",
"datePublished": "2025-09-15T14:46:21.720Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2025-09-15T14:46:21.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50475 (GCVE-0-2022-50475)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Make sure "ib_port" is valid when access sysfs node
The "ib_port" structure must be set before adding the sysfs kobject,
and reset after removing it, otherwise it may crash when accessing
the sysfs node:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Mem abort info:
ESR = 0x96000006
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5
[0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000
Internal error: Oops: 96000006 [#2] PREEMPT SMP
Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]
Process grep (pid: 3372, stack limit = 0x0000000022055c92)
CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1
Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022
pstate: 40000005 (nZcv daif -PAN -UAO)
pc : hw_stat_port_show+0x4c/0x80 [ib_core]
lr : port_attr_show+0x40/0x58 [ib_core]
sp : ffff000029f43b50
x29: ffff000029f43b50 x28: 0000000019375000
x27: ffff8007b821a540 x26: ffff000029f43e30
x25: 0000000000008000 x24: ffff000000eaa958
x23: 0000000000001000 x22: ffff8007a4ce3000
x21: ffff8007baff8000 x20: ffff8007b9066ac0
x19: ffff8007bae97578 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000
x9 : 0000000000000000 x8 : ffff8007a4ce4000
x7 : 0000000000000000 x6 : 000000000000003f
x5 : ffff000000e6a280 x4 : ffff8007a4ce3000
x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab
x1 : ffff8007b9066a10 x0 : ffff8007baff8000
Call trace:
hw_stat_port_show+0x4c/0x80 [ib_core]
port_attr_show+0x40/0x58 [ib_core]
sysfs_kf_seq_show+0x8c/0x150
kernfs_seq_show+0x44/0x50
seq_read+0x1b4/0x45c
kernfs_fop_read+0x148/0x1d8
__vfs_read+0x58/0x180
vfs_read+0x94/0x154
ksys_read+0x68/0xd8
__arm64_sys_read+0x28/0x34
el0_svc_common+0x88/0x18c
el0_svc_handler+0x78/0x94
el0_svc+0x8/0xe8
Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f981c697b2f9bd5dd2f060e47ff8b5e0a2cd0c06",
"status": "affected",
"version": "d8a5883814b9f7c08d7ff291070687d925b4f859",
"versionType": "git"
},
{
"lessThan": "ac7a7d7079124f46180714b2d41a1703d37101bb",
"status": "affected",
"version": "d8a5883814b9f7c08d7ff291070687d925b4f859",
"versionType": "git"
},
{
"lessThan": "cd06d32a71fbb198b2d43dddf794badd80ffd25d",
"status": "affected",
"version": "d8a5883814b9f7c08d7ff291070687d925b4f859",
"versionType": "git"
},
{
"lessThan": "5e15ff29b156bbbdeadae230c8ecd5ecd8ca2477",
"status": "affected",
"version": "d8a5883814b9f7c08d7ff291070687d925b4f859",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Make sure \"ib_port\" is valid when access sysfs node\n\nThe \"ib_port\" structure must be set before adding the sysfs kobject,\nand reset after removing it, otherwise it may crash when accessing\nthe sysfs node:\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x96000006\n Exception class = DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5\n [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#2] PREEMPT SMP\n Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]\n Process grep (pid: 3372, stack limit = 0x0000000022055c92)\n CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1\n Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022\n pstate: 40000005 (nZcv daif -PAN -UAO)\n pc : hw_stat_port_show+0x4c/0x80 [ib_core]\n lr : port_attr_show+0x40/0x58 [ib_core]\n sp : ffff000029f43b50\n x29: ffff000029f43b50 x28: 0000000019375000\n x27: ffff8007b821a540 x26: ffff000029f43e30\n x25: 0000000000008000 x24: ffff000000eaa958\n x23: 0000000000001000 x22: ffff8007a4ce3000\n x21: ffff8007baff8000 x20: ffff8007b9066ac0\n x19: ffff8007bae97578 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000\n x15: 0000000000000000 x14: 0000000000000000\n x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000\n x9 : 0000000000000000 x8 : ffff8007a4ce4000\n x7 : 0000000000000000 x6 : 000000000000003f\n x5 : ffff000000e6a280 x4 : ffff8007a4ce3000\n x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab\n x1 : ffff8007b9066a10 x0 : ffff8007baff8000\n Call trace:\n hw_stat_port_show+0x4c/0x80 [ib_core]\n port_attr_show+0x40/0x58 [ib_core]\n sysfs_kf_seq_show+0x8c/0x150\n kernfs_seq_show+0x44/0x50\n seq_read+0x1b4/0x45c\n kernfs_fop_read+0x148/0x1d8\n __vfs_read+0x58/0x180\n vfs_read+0x94/0x154\n ksys_read+0x68/0xd8\n __arm64_sys_read+0x28/0x34\n el0_svc_common+0x88/0x18c\n el0_svc_handler+0x78/0x94\n el0_svc+0x8/0xe8\n Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:36.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f981c697b2f9bd5dd2f060e47ff8b5e0a2cd0c06"
},
{
"url": "https://git.kernel.org/stable/c/ac7a7d7079124f46180714b2d41a1703d37101bb"
},
{
"url": "https://git.kernel.org/stable/c/cd06d32a71fbb198b2d43dddf794badd80ffd25d"
},
{
"url": "https://git.kernel.org/stable/c/5e15ff29b156bbbdeadae230c8ecd5ecd8ca2477"
}
],
"title": "RDMA/core: Make sure \"ib_port\" is valid when access sysfs node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50475",
"datePublished": "2025-10-04T15:16:36.235Z",
"dateReserved": "2025-10-04T15:13:33.467Z",
"dateUpdated": "2025-10-04T15:16:36.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53362 (GCVE-0-2023-53362)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc: don't assume child devices are all fsl-mc devices
Changes in VFIO caused a pseudo-device to be created as child of
fsl-mc devices causing a crash [1] when trying to bind a fsl-mc
device to VFIO. Fix this by checking the device type when enumerating
fsl-mc child devices.
[1]
Modules linked in:
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
CPU: 6 PID: 1289 Comm: sh Not tainted 6.2.0-rc5-00047-g7c46948a6e9c #2
Hardware name: NXP Layerscape LX2160ARDB (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mc_send_command+0x24/0x1f0
lr : dprc_get_obj_region+0xfc/0x1c0
sp : ffff80000a88b900
x29: ffff80000a88b900 x28: ffff48a9429e1400 x27: 00000000000002b2
x26: ffff48a9429e1718 x25: 0000000000000000 x24: 0000000000000000
x23: ffffd59331ba3918 x22: ffffd59331ba3000 x21: 0000000000000000
x20: ffff80000a88b9b8 x19: 0000000000000000 x18: 0000000000000001
x17: 7270642f636d2d6c x16: 73662e3030303030 x15: ffffffffffffffff
x14: ffffd59330f1d668 x13: ffff48a8727dc389 x12: ffff48a8727dc386
x11: 0000000000000002 x10: 00008ceaf02f35d4 x9 : 0000000000000012
x8 : 0000000000000000 x7 : 0000000000000006 x6 : ffff80000a88bab0
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a88b9e8
x2 : ffff80000a88b9e8 x1 : 0000000000000000 x0 : ffff48a945142b80
Call trace:
mc_send_command+0x24/0x1f0
dprc_get_obj_region+0xfc/0x1c0
fsl_mc_device_add+0x340/0x590
fsl_mc_obj_device_add+0xd0/0xf8
dprc_scan_objects+0x1c4/0x340
dprc_scan_container+0x38/0x60
vfio_fsl_mc_probe+0x9c/0xf8
fsl_mc_driver_probe+0x24/0x70
really_probe+0xbc/0x2a8
__driver_probe_device+0x78/0xe0
device_driver_attach+0x30/0x68
bind_store+0xa8/0x130
drv_attr_store+0x24/0x38
sysfs_kf_write+0x44/0x60
kernfs_fop_write_iter+0x128/0x1b8
vfs_write+0x334/0x448
ksys_write+0x68/0xf0
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x44/0x108
el0_svc_common.constprop.1+0x94/0xf8
do_el0_svc+0x38/0xb0
el0_svc+0x20/0x50
el0t_64_sync_handler+0x98/0xc0
el0t_64_sync+0x174/0x178
Code: aa0103f4 a9025bf5 d5384100 b9400801 (79401260)
---[ end trace 0000000000000000 ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/dprc-driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bd9dc3e767edf582be483be8d6bbc7433bd4cf8",
"status": "affected",
"version": "3c28a76124b25882411f005924be73795b6ef078",
"versionType": "git"
},
{
"lessThan": "8bdd5c21ec02835bd445d022f4c23195aff407d2",
"status": "affected",
"version": "3c28a76124b25882411f005924be73795b6ef078",
"versionType": "git"
},
{
"lessThan": "303c9c63abb9390e906052863f82bb4e9824e5c0",
"status": "affected",
"version": "3c28a76124b25882411f005924be73795b6ef078",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/dprc-driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: don\u0027t assume child devices are all fsl-mc devices\n\nChanges in VFIO caused a pseudo-device to be created as child of\nfsl-mc devices causing a crash [1] when trying to bind a fsl-mc\ndevice to VFIO. Fix this by checking the device type when enumerating\nfsl-mc child devices.\n\n[1]\nModules linked in:\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1289 Comm: sh Not tainted 6.2.0-rc5-00047-g7c46948a6e9c #2\nHardware name: NXP Layerscape LX2160ARDB (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mc_send_command+0x24/0x1f0\nlr : dprc_get_obj_region+0xfc/0x1c0\nsp : ffff80000a88b900\nx29: ffff80000a88b900 x28: ffff48a9429e1400 x27: 00000000000002b2\nx26: ffff48a9429e1718 x25: 0000000000000000 x24: 0000000000000000\nx23: ffffd59331ba3918 x22: ffffd59331ba3000 x21: 0000000000000000\nx20: ffff80000a88b9b8 x19: 0000000000000000 x18: 0000000000000001\nx17: 7270642f636d2d6c x16: 73662e3030303030 x15: ffffffffffffffff\nx14: ffffd59330f1d668 x13: ffff48a8727dc389 x12: ffff48a8727dc386\nx11: 0000000000000002 x10: 00008ceaf02f35d4 x9 : 0000000000000012\nx8 : 0000000000000000 x7 : 0000000000000006 x6 : ffff80000a88bab0\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a88b9e8\nx2 : ffff80000a88b9e8 x1 : 0000000000000000 x0 : ffff48a945142b80\nCall trace:\n mc_send_command+0x24/0x1f0\n dprc_get_obj_region+0xfc/0x1c0\n fsl_mc_device_add+0x340/0x590\n fsl_mc_obj_device_add+0xd0/0xf8\n dprc_scan_objects+0x1c4/0x340\n dprc_scan_container+0x38/0x60\n vfio_fsl_mc_probe+0x9c/0xf8\n fsl_mc_driver_probe+0x24/0x70\n really_probe+0xbc/0x2a8\n __driver_probe_device+0x78/0xe0\n device_driver_attach+0x30/0x68\n bind_store+0xa8/0x130\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x44/0x60\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x334/0x448\n ksys_write+0x68/0xf0\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x44/0x108\n el0_svc_common.constprop.1+0x94/0xf8\n do_el0_svc+0x38/0xb0\n el0_svc+0x20/0x50\n el0t_64_sync_handler+0x98/0xc0\n el0t_64_sync+0x174/0x178\nCode: aa0103f4 a9025bf5 d5384100 b9400801 (79401260)\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:51.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bd9dc3e767edf582be483be8d6bbc7433bd4cf8"
},
{
"url": "https://git.kernel.org/stable/c/8bdd5c21ec02835bd445d022f4c23195aff407d2"
},
{
"url": "https://git.kernel.org/stable/c/303c9c63abb9390e906052863f82bb4e9824e5c0"
}
],
"title": "bus: fsl-mc: don\u0027t assume child devices are all fsl-mc devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53362",
"datePublished": "2025-09-17T14:56:51.728Z",
"dateReserved": "2025-09-17T14:54:09.733Z",
"dateUpdated": "2025-09-17T14:56:51.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39713 (GCVE-0-2025-39713)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. An corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac Version: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:39.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2964dbe631fd21ad7873b1752b895548d3c12496",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "6aaef1a75985865d8c6c5b65fb54152060faba48",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "fbc81e78d75bf28972bc22b1599559557b1a1b83",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "3c3e33b7edca7a2d6a96801f287f9faeb684d655",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "1c2769dc80255824542ea5a4ff1a07dcdeb1603f",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "ed905fe7cba03cf22ae0b84cf1b73cd1c070423a",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
},
{
"lessThan": "7af160aea26c7dc9e6734d19306128cce156ec40",
"status": "affected",
"version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n\nIn the interrupt handler rain_interrupt(), the buffer full check on\nrain-\u003ebuf_len is performed before acquiring rain-\u003ebuf_lock. This\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\nrain-\u003ebuf_len is concurrently accessed and modified in the work\nhandler rain_irq_work_handler() under the same lock.\n\nMultiple interrupt invocations can race, with each reading buf_len\nbefore it becomes full and then proceeding. This can lead to both\ninterrupts attempting to write to the buffer, incrementing buf_len\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\n\nFix this bug by moving the spin_lock() to before the buffer full\ncheck. This ensures that the check and the subsequent buffer modification\nare performed atomically, preventing the race condition. An corresponding\nspin_unlock() is added to the overflow path to correctly release the\nlock.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:57.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2964dbe631fd21ad7873b1752b895548d3c12496"
},
{
"url": "https://git.kernel.org/stable/c/6aaef1a75985865d8c6c5b65fb54152060faba48"
},
{
"url": "https://git.kernel.org/stable/c/fbc81e78d75bf28972bc22b1599559557b1a1b83"
},
{
"url": "https://git.kernel.org/stable/c/3c3e33b7edca7a2d6a96801f287f9faeb684d655"
},
{
"url": "https://git.kernel.org/stable/c/1c2769dc80255824542ea5a4ff1a07dcdeb1603f"
},
{
"url": "https://git.kernel.org/stable/c/ed905fe7cba03cf22ae0b84cf1b73cd1c070423a"
},
{
"url": "https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59"
},
{
"url": "https://git.kernel.org/stable/c/7af160aea26c7dc9e6734d19306128cce156ec40"
}
],
"title": "media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39713",
"datePublished": "2025-09-05T17:21:20.459Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-11-03T17:42:39.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50497 (GCVE-0-2022-50497)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: fix shift-out-of-bounds in check_special_flags
UBSAN reported a shift-out-of-bounds warning:
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
ubsan_epilogue+0xa/0x44 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322
check_special_flags fs/binfmt_misc.c:241 [inline]
create_entry fs/binfmt_misc.c:456 [inline]
bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654
vfs_write+0x11e/0x580 fs/read_write.c:582
ksys_write+0xcf/0x120 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4194e1
Since the type of Node's flags is unsigned long, we should define these
macros with same type too.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f1a48994b3e516d5c7fd5d12204fdba7a604771",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea6145370be8016755c43aca799815fc4b8c88b1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97382a2639b1cd9631f6069061e9d7062cd2b098",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "419b808504c26b3e3342365f34ccd0843e09a7f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dcbc51d31d0afbd45e830e3cf565a7b3ca7bf0d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88cea1676a09f7c45a1438153a126610c33b1590",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a651bb5ff997b9f02662bcdef3d8b4e6f0d79656",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a91123d4bda463469f68f0427adabf8108001f94",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a46bf558803dd2b959ca7435a5c143efe837217",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: fix shift-out-of-bounds in check_special_flags\n\nUBSAN reported a shift-out-of-bounds warning:\n\n left shift of 1 by 31 places cannot be represented in type \u0027int\u0027\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106\n ubsan_epilogue+0xa/0x44 lib/ubsan.c:151\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322\n check_special_flags fs/binfmt_misc.c:241 [inline]\n create_entry fs/binfmt_misc.c:456 [inline]\n bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654\n vfs_write+0x11e/0x580 fs/read_write.c:582\n ksys_write+0xcf/0x120 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x4194e1\n\nSince the type of Node\u0027s flags is unsigned long, we should define these\nmacros with same type too."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:48.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f1a48994b3e516d5c7fd5d12204fdba7a604771"
},
{
"url": "https://git.kernel.org/stable/c/ea6145370be8016755c43aca799815fc4b8c88b1"
},
{
"url": "https://git.kernel.org/stable/c/97382a2639b1cd9631f6069061e9d7062cd2b098"
},
{
"url": "https://git.kernel.org/stable/c/419b808504c26b3e3342365f34ccd0843e09a7f8"
},
{
"url": "https://git.kernel.org/stable/c/dcbc51d31d0afbd45e830e3cf565a7b3ca7bf0d8"
},
{
"url": "https://git.kernel.org/stable/c/88cea1676a09f7c45a1438153a126610c33b1590"
},
{
"url": "https://git.kernel.org/stable/c/a651bb5ff997b9f02662bcdef3d8b4e6f0d79656"
},
{
"url": "https://git.kernel.org/stable/c/a91123d4bda463469f68f0427adabf8108001f94"
},
{
"url": "https://git.kernel.org/stable/c/6a46bf558803dd2b959ca7435a5c143efe837217"
}
],
"title": "binfmt_misc: fix shift-out-of-bounds in check_special_flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50497",
"datePublished": "2025-10-04T15:43:48.656Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:48.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50534 (GCVE-0-2022-50534)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Use last transaction's pmd->root when commit failed
Recently we found a softlock up problem in dm thin pool btree lookup
code due to corrupted metadata:
Kernel panic - not syncing: softlockup: hung tasks
CPU: 7 PID: 2669225 Comm: kworker/u16:3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: dm-thin do_worker [dm_thin_pool]
Call Trace:
<IRQ>
dump_stack+0x9c/0xd3
panic+0x35d/0x6b9
watchdog_timer_fn.cold+0x16/0x25
__run_hrtimer+0xa2/0x2d0
</IRQ>
RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
__bufio_new+0x11f/0x4f0 [dm_bufio]
new_read+0xa3/0x1e0 [dm_bufio]
dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
ro_step+0x63/0x100 [dm_persistent_data]
btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
__process_bio_read_only+0xc5/0x400 [dm_thin_pool]
process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
process_one_work+0x3c5/0x730
Following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up data block:
Transaction 1: pmd->root = A, A->B->C // One path in btree
pmd->root = X, X->Y->Z // Copy-up
Transaction 2: X,Z is updated on disk, Y write failed.
// Commit failed, dm thin becomes read-only.
process_bio_read_only
dm_thin_find_block
__find_block
dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree, Y may contain stale node
pointing to any block, for example X, which gets dm thin trapped into
a dead loop while looking up Z.
Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.
Fetch a reproducer in [Link].
Linke: https://bugzilla.kernel.org/show_bug.cgi?id=216790
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b35a22760aa5008d82533e59b0f0b5eb1b02d4e5",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "87d69b8824ca9b090f5a8ed47f758e8f6eecb871",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "3db757ffdd87ed8d7118b2250236a496502a660f",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "f758987ff0af3a4b5ee69e95cab6a5294e4367b0",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "94f01ecc2aa0be992865acc80ebb6701f731f955",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "4b710e8481ade7c9200e94d3018e99dc42a0a0e8",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "a63ce4eca86fd207e3db07c00fb7ccf4adf1b230",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "b91f481300e3a10eaf66b94fc39b740928762aaf",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "7991dbff6849f67e823b7cc0c15e5a90b0549b9f",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Use last transaction\u0027s pmd-\u003eroot when commit failed\n\nRecently we found a softlock up problem in dm thin pool btree lookup\ncode due to corrupted metadata:\n\n Kernel panic - not syncing: softlockup: hung tasks\n CPU: 7 PID: 2669225 Comm: kworker/u16:3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: dm-thin do_worker [dm_thin_pool]\n Call Trace:\n \u003cIRQ\u003e\n dump_stack+0x9c/0xd3\n panic+0x35d/0x6b9\n watchdog_timer_fn.cold+0x16/0x25\n __run_hrtimer+0xa2/0x2d0\n \u003c/IRQ\u003e\n RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]\n __bufio_new+0x11f/0x4f0 [dm_bufio]\n new_read+0xa3/0x1e0 [dm_bufio]\n dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]\n ro_step+0x63/0x100 [dm_persistent_data]\n btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]\n dm_btree_lookup+0x16f/0x210 [dm_persistent_data]\n dm_thin_find_block+0x12c/0x210 [dm_thin_pool]\n __process_bio_read_only+0xc5/0x400 [dm_thin_pool]\n process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]\n process_one_work+0x3c5/0x730\n\nFollowing process may generate a broken btree mixed with fresh and\nstale btree nodes, which could get dm thin trapped in an infinite loop\nwhile looking up data block:\n Transaction 1: pmd-\u003eroot = A, A-\u003eB-\u003eC // One path in btree\n pmd-\u003eroot = X, X-\u003eY-\u003eZ // Copy-up\n Transaction 2: X,Z is updated on disk, Y write failed.\n // Commit failed, dm thin becomes read-only.\n process_bio_read_only\n\t\t dm_thin_find_block\n\t\t __find_block\n\t\t dm_btree_lookup(pmd-\u003eroot)\nThe pmd-\u003eroot points to a broken btree, Y may contain stale node\npointing to any block, for example X, which gets dm thin trapped into\na dead loop while looking up Z.\n\nFix this by setting pmd-\u003eroot in __open_metadata(), so that dm thin\nwill use the last transaction\u0027s pmd-\u003eroot if commit failed.\n\nFetch a reproducer in [Link].\n\nLinke: https://bugzilla.kernel.org/show_bug.cgi?id=216790"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:23.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b35a22760aa5008d82533e59b0f0b5eb1b02d4e5"
},
{
"url": "https://git.kernel.org/stable/c/87d69b8824ca9b090f5a8ed47f758e8f6eecb871"
},
{
"url": "https://git.kernel.org/stable/c/3db757ffdd87ed8d7118b2250236a496502a660f"
},
{
"url": "https://git.kernel.org/stable/c/f758987ff0af3a4b5ee69e95cab6a5294e4367b0"
},
{
"url": "https://git.kernel.org/stable/c/94f01ecc2aa0be992865acc80ebb6701f731f955"
},
{
"url": "https://git.kernel.org/stable/c/4b710e8481ade7c9200e94d3018e99dc42a0a0e8"
},
{
"url": "https://git.kernel.org/stable/c/a63ce4eca86fd207e3db07c00fb7ccf4adf1b230"
},
{
"url": "https://git.kernel.org/stable/c/b91f481300e3a10eaf66b94fc39b740928762aaf"
},
{
"url": "https://git.kernel.org/stable/c/7991dbff6849f67e823b7cc0c15e5a90b0549b9f"
}
],
"title": "dm thin: Use last transaction\u0027s pmd-\u003eroot when commit failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50534",
"datePublished": "2025-10-07T15:19:23.958Z",
"dateReserved": "2025-10-07T15:15:38.665Z",
"dateUpdated": "2025-10-07T15:19:23.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50302 (GCVE-0-2024-50302)
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2025-11-03 22:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: zero-initialize the report buffer
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: b2b6cadad699d44a8a5b2a60f3d960e00d6fb3b7 Version: fe6c9b48ebc920ff21c10c50ab2729440c734254 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50302",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T04:55:26.718337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50302"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:35.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50302"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-04T00:00:00+00:00",
"value": "CVE-2024-50302 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:19.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7ea60184e1e88a3c9e437b3265cbb6439aa7e26",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "3f9e88f2672c4635960570ee9741778d4135ecf5",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "d7dc68d82ab3fcfc3f65322465da3d7031d4ab46",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "05ade5d4337867929e7ef664e7ac8e0c734f1aaf",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "1884ab3d22536a5c14b17c78c2ce76d1734e8b0b",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "9d9f5c75c0c7f31766ec27d90f7a6ac673193191",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "492015e6249fbcd42138b49de3c588d826dd9648",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"lessThan": "177f25d1292c7e16e1199b39c85480f7f8815552",
"status": "affected",
"version": "27ce405039bfe6d3f4143415c638f56a3df77dca",
"versionType": "git"
},
{
"status": "affected",
"version": "b2b6cadad699d44a8a5b2a60f3d960e00d6fb3b7",
"versionType": "git"
},
{
"status": "affected",
"version": "fe6c9b48ebc920ff21c10c50ab2729440c734254",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.11.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: zero-initialize the report buffer\n\nSince the report buffer is used by all kinds of drivers in various ways, let\u0027s\nzero-initialize it during allocation to make sure that it can\u0027t be ever used\nto leak kernel memory via specially-crafted report."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:00:14.113Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7ea60184e1e88a3c9e437b3265cbb6439aa7e26"
},
{
"url": "https://git.kernel.org/stable/c/3f9e88f2672c4635960570ee9741778d4135ecf5"
},
{
"url": "https://git.kernel.org/stable/c/d7dc68d82ab3fcfc3f65322465da3d7031d4ab46"
},
{
"url": "https://git.kernel.org/stable/c/05ade5d4337867929e7ef664e7ac8e0c734f1aaf"
},
{
"url": "https://git.kernel.org/stable/c/1884ab3d22536a5c14b17c78c2ce76d1734e8b0b"
},
{
"url": "https://git.kernel.org/stable/c/9d9f5c75c0c7f31766ec27d90f7a6ac673193191"
},
{
"url": "https://git.kernel.org/stable/c/492015e6249fbcd42138b49de3c588d826dd9648"
},
{
"url": "https://git.kernel.org/stable/c/177f25d1292c7e16e1199b39c85480f7f8815552"
}
],
"title": "HID: core: zero-initialize the report buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50302",
"datePublished": "2024-11-19T01:30:51.300Z",
"dateReserved": "2024-10-21T19:36:19.987Z",
"dateUpdated": "2025-11-03T22:28:19.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53248 (GCVE-0-2023-53248)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: install stub fence into potential unused fence pointers
When using cpu to update page tables, vm update fences are unused.
Install stub fence into these fence pointers instead of NULL
to avoid NULL dereference when calling dma_fence_wait() on them.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78b25110eb8c6990f7f5096bc0136c12a2b4cc99",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "aa9e9ba5748c524eb0925a2ef6984b78793646d6",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "187916e6ed9d0c3b3abc27429f7a5f8c936bd1f0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: install stub fence into potential unused fence pointers\n\nWhen using cpu to update page tables, vm update fences are unused.\nInstall stub fence into these fence pointers instead of NULL\nto avoid NULL dereference when calling dma_fence_wait() on them."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:26.382Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78b25110eb8c6990f7f5096bc0136c12a2b4cc99"
},
{
"url": "https://git.kernel.org/stable/c/aa9e9ba5748c524eb0925a2ef6984b78793646d6"
},
{
"url": "https://git.kernel.org/stable/c/187916e6ed9d0c3b3abc27429f7a5f8c936bd1f0"
}
],
"title": "drm/amdgpu: install stub fence into potential unused fence pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53248",
"datePublished": "2025-09-15T14:46:18.349Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2025-09-16T08:02:26.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53686 (GCVE-0-2023-53686)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: fix null-ptr-deref in handshake_nl_done_doit()
We should not call trace_handshake_cmd_done_err() if socket lookup has failed.
Also we should call trace_handshake_cmd_done_err() before releasing the file,
otherwise dereferencing sock->sk can return garbage.
This also reverts 7afc6d0a107f ("net/handshake: Fix uninitialized local variable")
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193
lr : handshake_nl_done_doit+0x180/0x9c8
sp : ffff800096e37180
x29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000
x26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8
x23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000
x20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000
x17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001
x14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003
x8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080a88078
x2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000
Call trace:
handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193
genl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]
genl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549
genl_rcv+0x38/0x50 net/netlink/genetlink.c:1078
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg net/socket.c:748 [inline]
____sys_sendmsg+0x56c/0x840 net/socket.c:2494
___sys_sendmsg net/socket.c:2548 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 12800108 b90043e8 910062b3 d343fe68 (387b6908)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d69f18edcca282351394c5870bec24cc99d745",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "82ba0ff7bf0483d962e592017bef659ae022d754",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: fix null-ptr-deref in handshake_nl_done_doit()\n\nWe should not call trace_handshake_cmd_done_err() if socket lookup has failed.\n\nAlso we should call trace_handshake_cmd_done_err() before releasing the file,\notherwise dereferencing sock-\u003esk can return garbage.\n\nThis also reverts 7afc6d0a107f (\"net/handshake: Fix uninitialized local variable\")\n\nUnable to handle kernel paging request at virtual address dfff800000000003\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nMem abort info:\nESR = 0x0000000096000005\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nData abort info:\nISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000003] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\nlr : handshake_nl_done_doit+0x180/0x9c8\nsp : ffff800096e37180\nx29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000\nx26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8\nx23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000\nx20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000\nx17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001\nx14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003\nx8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080a88078\nx2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000\nCall trace:\nhandshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\ngenl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]\ngenl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]\ngenl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067\nnetlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549\ngenl_rcv+0x38/0x50 net/netlink/genetlink.c:1078\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914\nsock_sendmsg_nosec net/socket.c:725 [inline]\nsock_sendmsg net/socket.c:748 [inline]\n____sys_sendmsg+0x56c/0x840 net/socket.c:2494\n___sys_sendmsg net/socket.c:2548 [inline]\n__sys_sendmsg+0x26c/0x33c net/socket.c:2577\n__do_sys_sendmsg net/socket.c:2586 [inline]\n__se_sys_sendmsg net/socket.c:2584 [inline]\n__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584\n__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\ninvoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\nel0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\ndo_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\nel0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 12800108 b90043e8 910062b3 d343fe68 (387b6908)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:38.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d69f18edcca282351394c5870bec24cc99d745"
},
{
"url": "https://git.kernel.org/stable/c/82ba0ff7bf0483d962e592017bef659ae022d754"
}
],
"title": "net/handshake: fix null-ptr-deref in handshake_nl_done_doit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53686",
"datePublished": "2025-10-07T15:21:38.824Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:38.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39827 (GCVE-0-2025-39827)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
Current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.
This patch merges these two reference counting systems using 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:48.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cce478c3e82a5fc788d72adb2f4c4e983997639",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c547c8eee9d1cf6e744611d688b9f725cf9a115",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7563b456ed44151e1a82091d96f60166daea89b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "384210cceb1873a4c8218b27ba0745444436b728",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da9c9c877597170b929a6121a68dcd3dd9a80f45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:28.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639"
},
{
"url": "https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115"
},
{
"url": "https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b"
},
{
"url": "https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728"
},
{
"url": "https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45"
}
],
"title": "net: rose: include node references in rose_neigh refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39827",
"datePublished": "2025-09-16T13:00:25.555Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:48.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40058 (GCVE-0-2025-40058)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Disallow dirty tracking if incoherent page walk
Dirty page tracking relies on the IOMMU atomically updating the dirty bit
in the paging-structure entry. For this operation to succeed, the paging-
structure memory must be coherent between the IOMMU and the CPU. In
another word, if the iommu page walk is incoherent, dirty page tracking
doesn't work.
The Intel VT-d specification, Section 3.10 "Snoop Behavior" states:
"Remapping hardware encountering the need to atomically update A/EA/D bits
in a paging-structure entry that is not snooped will result in a non-
recoverable fault."
To prevent an IOMMU from being incorrectly configured for dirty page
tracking when it is operating in an incoherent mode, mark SSADS as
supported only when both ecap_slads and ecap_smpwc are supported.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebe16d245a00626bb87163862a1b07daf5475a3e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
},
{
"lessThan": "8d096ce0e87bdc361f0b25d7943543bc53aa0b9e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
},
{
"lessThan": "57f55048e564dedd8a4546d018e29d6bbfff0a7e",
"status": "affected",
"version": "f35f22cc760eb2c7034bf53251399685d611e03f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Disallow dirty tracking if incoherent page walk\n\nDirty page tracking relies on the IOMMU atomically updating the dirty bit\nin the paging-structure entry. For this operation to succeed, the paging-\nstructure memory must be coherent between the IOMMU and the CPU. In\nanother word, if the iommu page walk is incoherent, dirty page tracking\ndoesn\u0027t work.\n\nThe Intel VT-d specification, Section 3.10 \"Snoop Behavior\" states:\n\n\"Remapping hardware encountering the need to atomically update A/EA/D bits\n in a paging-structure entry that is not snooped will result in a non-\n recoverable fault.\"\n\nTo prevent an IOMMU from being incorrectly configured for dirty page\ntracking when it is operating in an incoherent mode, mark SSADS as\nsupported only when both ecap_slads and ecap_smpwc are supported."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:31.567Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebe16d245a00626bb87163862a1b07daf5475a3e"
},
{
"url": "https://git.kernel.org/stable/c/8d096ce0e87bdc361f0b25d7943543bc53aa0b9e"
},
{
"url": "https://git.kernel.org/stable/c/57f55048e564dedd8a4546d018e29d6bbfff0a7e"
}
],
"title": "iommu/vt-d: Disallow dirty tracking if incoherent page walk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40058",
"datePublished": "2025-10-28T11:48:31.567Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-10-28T11:48:31.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53539 (GCVE-0-2023-53539)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix incomplete state save in rxe_requester
If a send packet is dropped by the IP layer in rxe_requester()
the call to rxe_xmit_packet() can fail with err == -EAGAIN.
To recover, the state of the wqe is restored to the state before
the packet was sent so it can be resent. However, the routines
that save and restore the state miss a significnt part of the
variable state in the wqe, the dma struct which is used to process
through the sge table. And, the state is not saved before the packet
is built which modifies the dma struct.
Under heavy stress testing with many QPs on a fast node sending
large messages to a slow node dropped packets are observed and
the resent packets are corrupted because the dma struct was not
restored. This patch fixes this behavior and allows the test cases
to succeed.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70518f3aaf5a059b691867d7d2d46b999319656a",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "2f2a6422287fe29f9343247d77b645100ece0652",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "255c0e60e1d16874fc151358d94bc8df661600dd",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "5d122db2ff80cd2aed4dcd630befb56b51ddf947",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix incomplete state save in rxe_requester\n\nIf a send packet is dropped by the IP layer in rxe_requester()\nthe call to rxe_xmit_packet() can fail with err == -EAGAIN.\nTo recover, the state of the wqe is restored to the state before\nthe packet was sent so it can be resent. However, the routines\nthat save and restore the state miss a significnt part of the\nvariable state in the wqe, the dma struct which is used to process\nthrough the sge table. And, the state is not saved before the packet\nis built which modifies the dma struct.\n\nUnder heavy stress testing with many QPs on a fast node sending\nlarge messages to a slow node dropped packets are observed and\nthe resent packets are corrupted because the dma struct was not\nrestored. This patch fixes this behavior and allows the test cases\nto succeed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:49.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70518f3aaf5a059b691867d7d2d46b999319656a"
},
{
"url": "https://git.kernel.org/stable/c/2f2a6422287fe29f9343247d77b645100ece0652"
},
{
"url": "https://git.kernel.org/stable/c/255c0e60e1d16874fc151358d94bc8df661600dd"
},
{
"url": "https://git.kernel.org/stable/c/5d122db2ff80cd2aed4dcd630befb56b51ddf947"
}
],
"title": "RDMA/rxe: Fix incomplete state save in rxe_requester",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53539",
"datePublished": "2025-10-04T15:16:49.379Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2025-10-04T15:16:49.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53560 (GCVE-0-2023-53560)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/histograms: Add histograms to hist_vars if they have referenced variables
Hist triggers can have referenced variables without having direct
variables fields. This can be the case if referenced variables are added
for trigger actions. In this case the newly added references will not
have field variables. Not taking such referenced variables into
consideration can result in a bug where it would be possible to remove
hist trigger with variables being refenced. This will result in a bug
that is easily reproducable like so
$ cd /sys/kernel/tracing
$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events
$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger
$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
[ 100.263533] ==================================================================
[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180
[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439
[ 100.266320]
[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4
[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
[ 100.268561] Call Trace:
[ 100.268902] <TASK>
[ 100.269189] dump_stack_lvl+0x4c/0x70
[ 100.269680] print_report+0xc5/0x600
[ 100.270165] ? resolve_var_refs+0xc7/0x180
[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0
[ 100.271389] ? resolve_var_refs+0xc7/0x180
[ 100.271913] kasan_report+0xbd/0x100
[ 100.272380] ? resolve_var_refs+0xc7/0x180
[ 100.272920] __asan_load8+0x71/0xa0
[ 100.273377] resolve_var_refs+0xc7/0x180
[ 100.273888] event_hist_trigger+0x749/0x860
[ 100.274505] ? kasan_save_stack+0x2a/0x50
[ 100.275024] ? kasan_set_track+0x29/0x40
[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10
[ 100.276138] ? ksys_write+0xd1/0x170
[ 100.276607] ? do_syscall_64+0x3c/0x90
[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 100.277771] ? destroy_hist_data+0x446/0x470
[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860
[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10
[ 100.279627] ? __kasan_check_write+0x18/0x20
[ 100.280177] ? mutex_unlock+0x85/0xd0
[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10
[ 100.281200] ? kfree+0x7b/0x120
[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0
[ 100.282197] ? event_trigger_write+0xac/0x100
[ 100.282764] ? __kasan_slab_free+0x16/0x20
[ 100.283293] ? __kmem_cache_free+0x153/0x2f0
[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250
[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10
[ 100.285221] ? event_trigger_write+0xbc/0x100
[ 100.285781] ? __kasan_check_read+0x15/0x20
[ 100.286321] ? __bitmap_weight+0x66/0xa0
[ 100.286833] ? _find_next_bit+0x46/0xe0
[ 100.287334] ? task_mm_cid_work+0x37f/0x450
[ 100.287872] event_triggers_call+0x84/0x150
[ 100.288408] trace_event_buffer_commit+0x339/0x430
[ 100.289073] ? ring_buffer_event_data+0x3f/0x60
[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0
[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0
[ 100.298653] syscall_enter_from_user_mode+0x32/0x40
[ 100.301808] do_syscall_64+0x1a/0x90
[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 100.307775] RIP: 0033:0x7f686c75c1cb
[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48
[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021
[ 100.321200] RA
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ffad1528e81c91769d9da1f8436080861c8ec67",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "4815359056083c555f97a5ee3af86519be5166de",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "1576f0df7b4d1f82db588d6654b89d796fa06929",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "97f54b330c797ed27fba8791baeaa38ace886cbd",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "5fd32eb6fa0ac795aa5a64bc004ab68d7b44196a",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "4a540f63618e525e433b37d2b5522cda08e321d7",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "6018b585e8c6fa7d85d4b38d9ce49a5b67be7078",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Add histograms to hist_vars if they have referenced variables\n\nHist triggers can have referenced variables without having direct\nvariables fields. This can be the case if referenced variables are added\nfor trigger actions. In this case the newly added references will not\nhave field variables. Not taking such referenced variables into\nconsideration can result in a bug where it would be possible to remove\nhist trigger with variables being refenced. This will result in a bug\nthat is easily reproducable like so\n\n$ cd /sys/kernel/tracing\n$ echo \u0027synthetic_sys_enter char[] comm; long id\u0027 \u003e\u003e synthetic_events\n$ echo \u0027hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname\u0027 \u003e\u003e events/raw_syscalls/sys_enter/trigger\n$ echo \u0027hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)\u0027 \u003e\u003e events/raw_syscalls/sys_enter/trigger\n$ echo \u0027!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname\u0027 \u003e\u003e events/raw_syscalls/sys_enter/trigger\n\n[ 100.263533] ==================================================================\n[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180\n[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439\n[ 100.266320]\n[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4\n[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\n[ 100.268561] Call Trace:\n[ 100.268902] \u003cTASK\u003e\n[ 100.269189] dump_stack_lvl+0x4c/0x70\n[ 100.269680] print_report+0xc5/0x600\n[ 100.270165] ? resolve_var_refs+0xc7/0x180\n[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0\n[ 100.271389] ? resolve_var_refs+0xc7/0x180\n[ 100.271913] kasan_report+0xbd/0x100\n[ 100.272380] ? resolve_var_refs+0xc7/0x180\n[ 100.272920] __asan_load8+0x71/0xa0\n[ 100.273377] resolve_var_refs+0xc7/0x180\n[ 100.273888] event_hist_trigger+0x749/0x860\n[ 100.274505] ? kasan_save_stack+0x2a/0x50\n[ 100.275024] ? kasan_set_track+0x29/0x40\n[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10\n[ 100.276138] ? ksys_write+0xd1/0x170\n[ 100.276607] ? do_syscall_64+0x3c/0x90\n[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 100.277771] ? destroy_hist_data+0x446/0x470\n[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860\n[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10\n[ 100.279627] ? __kasan_check_write+0x18/0x20\n[ 100.280177] ? mutex_unlock+0x85/0xd0\n[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10\n[ 100.281200] ? kfree+0x7b/0x120\n[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0\n[ 100.282197] ? event_trigger_write+0xac/0x100\n[ 100.282764] ? __kasan_slab_free+0x16/0x20\n[ 100.283293] ? __kmem_cache_free+0x153/0x2f0\n[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250\n[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10\n[ 100.285221] ? event_trigger_write+0xbc/0x100\n[ 100.285781] ? __kasan_check_read+0x15/0x20\n[ 100.286321] ? __bitmap_weight+0x66/0xa0\n[ 100.286833] ? _find_next_bit+0x46/0xe0\n[ 100.287334] ? task_mm_cid_work+0x37f/0x450\n[ 100.287872] event_triggers_call+0x84/0x150\n[ 100.288408] trace_event_buffer_commit+0x339/0x430\n[ 100.289073] ? ring_buffer_event_data+0x3f/0x60\n[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0\n[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0\n[ 100.298653] syscall_enter_from_user_mode+0x32/0x40\n[ 100.301808] do_syscall_64+0x1a/0x90\n[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 100.307775] RIP: 0033:0x7f686c75c1cb\n[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48\n[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021\n[ 100.321200] RA\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:04.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ffad1528e81c91769d9da1f8436080861c8ec67"
},
{
"url": "https://git.kernel.org/stable/c/4815359056083c555f97a5ee3af86519be5166de"
},
{
"url": "https://git.kernel.org/stable/c/1576f0df7b4d1f82db588d6654b89d796fa06929"
},
{
"url": "https://git.kernel.org/stable/c/97f54b330c797ed27fba8791baeaa38ace886cbd"
},
{
"url": "https://git.kernel.org/stable/c/5fd32eb6fa0ac795aa5a64bc004ab68d7b44196a"
},
{
"url": "https://git.kernel.org/stable/c/4a540f63618e525e433b37d2b5522cda08e321d7"
},
{
"url": "https://git.kernel.org/stable/c/6018b585e8c6fa7d85d4b38d9ce49a5b67be7078"
}
],
"title": "tracing/histograms: Add histograms to hist_vars if they have referenced variables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53560",
"datePublished": "2025-10-04T15:17:04.299Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:04.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38085 (GCVE-0-2025-38085)
Vulnerability from cvelistv5
Published
2025-06-28 07:44
Modified
2025-11-03 17:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
huge_pmd_unshare() drops a reference on a page table that may have
previously been shared across processes, potentially turning it into a
normal page table used in another process in which unrelated VMAs can
afterwards be installed.
If this happens in the middle of a concurrent gup_fast(), gup_fast() could
end up walking the page tables of another process. While I don't see any
way in which that immediately leads to kernel memory corruption, it is
really weird and unexpected.
Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
just like we do in khugepaged when removing page tables for a THP
collapse.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:54.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "952596b08c74e8fe9e2883d1dc8a8f54a37384ec",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "a3d864c901a300c295692d129159fc3001a56185",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "b7754d3aa7bf9f62218d096c0c8f6c13698fac8b",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "fe684290418ef9ef76630072086ee530b92f02b8",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "034a52b5ef57c9c8225d94e9067f3390bb33922f",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "a6bfeb97941a9187833b526bc6cc4ff5706d0ce9",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "1013af4f585fccc4d3e5c5824d174de2257f7d6d",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don\u0027t see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T05:58:57.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"
},
{
"url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"
},
{
"url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"
},
{
"url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"
},
{
"url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"
},
{
"url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"
},
{
"url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"
},
{
"url": "https://project-zero.issues.chromium.org/issues/420715744"
}
],
"title": "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38085",
"datePublished": "2025-06-28T07:44:26.178Z",
"dateReserved": "2025-04-16T04:51:23.981Z",
"dateUpdated": "2025-11-03T17:33:54.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38495 (GCVE-0-2025-38495)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: ensure the allocated report buffer can contain the reserved report ID
When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer not
account for that extra byte, meaning that instead of having 8 guaranteed
bytes for implement to be working, we only have 7.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:03.891Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7228e36c7875e4b035374cf68ca5e44dffa596b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f2892f7233a8f1320fe671d0f95f122191bfbcd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fa83d0043370003e9a0b46ab7ae8f53b00fab06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3ed1d84a84538a39b3eb2055d6a97a936c108f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fcda39a9c5b834346088c14b1374336b079466c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a262370f385e53ff7470efdcdaf40468e5756717",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a47d9d9895bad9ce0e840a39836f19ca0b2a343a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f15ee98304b96e164ff2340e1dfd6181c3f42aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: ensure the allocated report buffer can contain the reserved report ID\n\nWhen the report ID is not used, the low level transport drivers expect\nthe first byte to be 0. However, currently the allocated buffer not\naccount for that extra byte, meaning that instead of having 8 guaranteed\nbytes for implement to be working, we only have 7."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:29.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7228e36c7875e4b035374cf68ca5e44dffa596b2"
},
{
"url": "https://git.kernel.org/stable/c/9f2892f7233a8f1320fe671d0f95f122191bfbcd"
},
{
"url": "https://git.kernel.org/stable/c/7fa83d0043370003e9a0b46ab7ae8f53b00fab06"
},
{
"url": "https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2"
},
{
"url": "https://git.kernel.org/stable/c/fcda39a9c5b834346088c14b1374336b079466c1"
},
{
"url": "https://git.kernel.org/stable/c/a262370f385e53ff7470efdcdaf40468e5756717"
},
{
"url": "https://git.kernel.org/stable/c/a47d9d9895bad9ce0e840a39836f19ca0b2a343a"
},
{
"url": "https://git.kernel.org/stable/c/4f15ee98304b96e164ff2340e1dfd6181c3f42aa"
}
],
"title": "HID: core: ensure the allocated report buffer can contain the reserved report ID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38495",
"datePublished": "2025-07-28T11:22:04.169Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:03.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50523 (GCVE-0-2022-50523)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
If clk_register() fails, @pll->rate_table may have allocated memory by
kmemdup(), so it needs to be freed, otherwise will cause memory leak
issue, this patch fixes it.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 Version: 90c590254051f511299538c158e12fdad41ce163 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/rockchip/clk-pll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20201c3a0a32f127fa4bdf379d6ac01c2978702d",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "86e1e080ad14c5fb6c14a5f0eb530b1b38cbc968",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f02c1d8dc8d880cbaaf9094b4f396fe868ee23ff",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "26b94635f1c84d7f6cb482179125cb17e59c90a5",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f4d70c139d313948e02360304a6cbcd3a4f5deb5",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "5b0a1f1247cd42ac5e0d369f8dbb58762692edee",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "dcd4ba068b194c6ef0071491aa3f12bec8c14d5b",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
},
{
"lessThan": "739a6a6bbdb793bd57938cb24aa5a6df89983546",
"status": "affected",
"version": "90c590254051f511299538c158e12fdad41ce163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/rockchip/clk-pll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rockchip: Fix memory leak in rockchip_clk_register_pll()\n\nIf clk_register() fails, @pll-\u003erate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise will cause memory leak\nissue, this patch fixes it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:16.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20201c3a0a32f127fa4bdf379d6ac01c2978702d"
},
{
"url": "https://git.kernel.org/stable/c/86e1e080ad14c5fb6c14a5f0eb530b1b38cbc968"
},
{
"url": "https://git.kernel.org/stable/c/f02c1d8dc8d880cbaaf9094b4f396fe868ee23ff"
},
{
"url": "https://git.kernel.org/stable/c/26b94635f1c84d7f6cb482179125cb17e59c90a5"
},
{
"url": "https://git.kernel.org/stable/c/f4d70c139d313948e02360304a6cbcd3a4f5deb5"
},
{
"url": "https://git.kernel.org/stable/c/5b0a1f1247cd42ac5e0d369f8dbb58762692edee"
},
{
"url": "https://git.kernel.org/stable/c/dcd4ba068b194c6ef0071491aa3f12bec8c14d5b"
},
{
"url": "https://git.kernel.org/stable/c/f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb"
},
{
"url": "https://git.kernel.org/stable/c/739a6a6bbdb793bd57938cb24aa5a6df89983546"
}
],
"title": "clk: rockchip: Fix memory leak in rockchip_clk_register_pll()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50523",
"datePublished": "2025-10-07T15:19:16.595Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:16.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53292 (GCVE-0-2023-53292)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
After grabbing q->sysfs_lock, q->elevator may become NULL because of
elevator switch.
Fix the NULL dereference on q->elevator by checking it with lock.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e977386521b71471e66ec2ba82efdfcc456adf2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "245165658e1c9f95c0fecfe02b9b1ebd30a1198a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix NULL dereference on q-\u003eelevator in blk_mq_elv_switch_none\n\nAfter grabbing q-\u003esysfs_lock, q-\u003eelevator may become NULL because of\nelevator switch.\n\nFix the NULL dereference on q-\u003eelevator by checking it with lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:24.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e977386521b71471e66ec2ba82efdfcc456adf2"
},
{
"url": "https://git.kernel.org/stable/c/245165658e1c9f95c0fecfe02b9b1ebd30a1198a"
}
],
"title": "blk-mq: fix NULL dereference on q-\u003eelevator in blk_mq_elv_switch_none",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53292",
"datePublished": "2025-09-16T08:11:24.583Z",
"dateReserved": "2025-09-16T08:09:37.992Z",
"dateUpdated": "2025-09-16T08:11:24.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40100 (GCVE-0-2025-40100)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-10-30 09:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not assert we found block group item when creating free space tree
Currently, when building a free space tree at populate_free_space_tree(),
if we are not using the block group tree feature, we always expect to find
block group items (either extent items or a block group item with key type
BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with
btrfs_search_slot_for_read(), so we assert that we found an item. However
this expectation is wrong since we can have a new block group created in
the current transaction which is still empty and for which we still have
not added the block group's item to the extent tree, in which case we do
not have any items in the extent tree associated to the block group.
The insertion of a new block group's block group item in the extent tree
happens at btrfs_create_pending_block_groups() when it calls the helper
insert_block_group_item(). This typically is done when a transaction
handle is released, committed or when running delayed refs (either as
part of a transaction commit or when serving tickets for space reservation
if we are low on free space).
So remove the assertion at populate_free_space_tree() even when the block
group tree feature is not enabled and update the comment to mention this
case.
Syzbot reported this with the following stack trace:
BTRFS info (device loop3 state M): rebuilding free space tree
assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115
------------[ cut here ]------------
kernel BUG at fs/btrfs/free-space-tree.c:1115!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115
Code: ff ff e8 d3 (...)
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246
RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94
R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001
R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0
Call Trace:
<TASK>
btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364
btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062
btrfs_remount_rw fs/btrfs/super.c:1334 [inline]
btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559
reconfigure_super+0x227/0x890 fs/super.c:1076
do_remount fs/namespace.c:3279 [inline]
path_mount+0xd1a/0xfe0 fs/namespace.c:4027
do_mount fs/namespace.c:4048 [inline]
__do_sys_mount fs/namespace.c:4236 [inline]
__se_sys_mount+0x313/0x410 fs/namespace.c:4213
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f424e39066a
Code: d8 64 89 02 (...)
RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a
RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000
RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020
R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380
R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "289498da343b05c886f19b4269429606f86dd17b",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "3fdcfd91b93f930d87843156c7c8cc5fbcf9b144",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "eb145463f22d7d32d426b29fe9810de9e792b6ba",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "a5a51bf4e9b7354ce7cd697e610d72c1b33fd949",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not assert we found block group item when creating free space tree\n\nCurrently, when building a free space tree at populate_free_space_tree(),\nif we are not using the block group tree feature, we always expect to find\nblock group items (either extent items or a block group item with key type\nBTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with\nbtrfs_search_slot_for_read(), so we assert that we found an item. However\nthis expectation is wrong since we can have a new block group created in\nthe current transaction which is still empty and for which we still have\nnot added the block group\u0027s item to the extent tree, in which case we do\nnot have any items in the extent tree associated to the block group.\n\nThe insertion of a new block group\u0027s block group item in the extent tree\nhappens at btrfs_create_pending_block_groups() when it calls the helper\ninsert_block_group_item(). This typically is done when a transaction\nhandle is released, committed or when running delayed refs (either as\npart of a transaction commit or when serving tickets for space reservation\nif we are low on free space).\n\nSo remove the assertion at populate_free_space_tree() even when the block\ngroup tree feature is not enabled and update the comment to mention this\ncase.\n\nSyzbot reported this with the following stack trace:\n\n BTRFS info (device loop3 state M): rebuilding free space tree\n assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/free-space-tree.c:1115!\n Oops: invalid opcode: 0000 [#1] SMP KASAN PTI\n CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115\n Code: ff ff e8 d3 (...)\n RSP: 0018:ffffc9000430f780 EFLAGS: 00010246\n RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000\n RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\n RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94\n R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001\n R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000\n FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0\n Call Trace:\n \u003cTASK\u003e\n btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364\n btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062\n btrfs_remount_rw fs/btrfs/super.c:1334 [inline]\n btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559\n reconfigure_super+0x227/0x890 fs/super.c:1076\n do_remount fs/namespace.c:3279 [inline]\n path_mount+0xd1a/0xfe0 fs/namespace.c:4027\n do_mount fs/namespace.c:4048 [inline]\n __do_sys_mount fs/namespace.c:4236 [inline]\n __se_sys_mount+0x313/0x410 fs/namespace.c:4213\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f424e39066a\n Code: d8 64 89 02 (...)\n RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\n RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a\n RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000\n RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020\n R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380\n R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0\n \u003c/TASK\u003e\n Modules linked in:\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:48:06.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6"
},
{
"url": "https://git.kernel.org/stable/c/289498da343b05c886f19b4269429606f86dd17b"
},
{
"url": "https://git.kernel.org/stable/c/3fdcfd91b93f930d87843156c7c8cc5fbcf9b144"
},
{
"url": "https://git.kernel.org/stable/c/eb145463f22d7d32d426b29fe9810de9e792b6ba"
},
{
"url": "https://git.kernel.org/stable/c/a5a51bf4e9b7354ce7cd697e610d72c1b33fd949"
}
],
"title": "btrfs: do not assert we found block group item when creating free space tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40100",
"datePublished": "2025-10-30T09:48:06.521Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-10-30T09:48:06.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39824 (GCVE-0-2025-39824)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: fix UAF via HID_CLAIMED_INPUT validation
After hid_hw_start() is called hidinput_connect() will eventually be
called to set up the device with the input layer since the
HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()
all input and output reports are processed and corresponding hid_inputs
are allocated and configured via hidinput_configure_usages(). This
process involves slot tagging report fields and configuring usages
by setting relevant bits in the capability bitmaps. However it is possible
that the capability bitmaps are not set at all leading to the subsequent
hidinput_has_been_populated() check to fail leading to the freeing of the
hid_input and the underlying input device.
This becomes problematic because a malicious HID device like a
ASUS ROG N-Key keyboard can trigger the above scenario via a
specially crafted descriptor which then leads to a user-after-free
when the name of the freed input device is written to later on after
hid_hw_start(). Below, report 93 intentionally utilises the
HID_UP_UNDEFINED Usage Page which is skipped during usage
configuration, leading to the frees.
0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x0D, // Report ID (13)
0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5, // Usage (0xC5)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0xB1, 0x02, // Feature (Data,Var,Abs)
0x85, 0x5D, // Report ID (93)
0x06, 0x00, 0x00, // Usage Page (Undefined)
0x09, 0x01, // Usage (0x01)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x1B, // Report Count (27)
0x81, 0x02, // Input (Data,Var,Abs)
0xC0, // End Collection
Below is the KASAN splat after triggering the UAF:
[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700] <TASK>
[ 21.673700] dump_stack_lvl+0x5f/0x80
[ 21.673700] print_report+0xd1/0x660
[ 21.673700] kasan_report+0xe5/0x120
[ 21.673700] __asan_report_store8_noabort+0x1b/0x30
[ 21.673700] asus_probe+0xeeb/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_alloc_info+0x3b/0x50
[ 21.673700] __kasan_kmalloc+0x9c/0xa0
[ 21.673700] __kmalloc_cache_noprof+0x139/0x340
[ 21.673700] input_allocate_device+0x44/0x370
[ 21.673700] hidinput_connect+0xcb6/0x2630
[ 21.673700] hid_connect+0xf74/0x1d60
[ 21.673700] hid_hw_start+0x8c/0x110
[ 21.673700] asus_probe+0x5a3/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_free_info+0x3f/0x60
[ 21.673700] __kasan_slab_free+0x3c/0x50
[ 21.673700] kfre
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f Version: 9ce12d8be12c94334634dd57050444910415e45f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:45.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9e4a8317437bf944fa017c66e1e23a0368b5c7",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "eaae728e7335b5dbad70966e2bd520a731fdf7b2",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "5f3c0839b173f7f33415eb098331879e547d1d2d",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
},
{
"lessThan": "d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4",
"status": "affected",
"version": "9ce12d8be12c94334634dd57050444910415e45f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D, // Usage Page (Digitizer)\n0x09, 0x05, // Usage (Touch Pad)\n0xA1, 0x01, // Collection (Application)\n0x85, 0x0D, // Report ID (13)\n0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5, // Usage (0xC5)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x04, // Report Count (4)\n0xB1, 0x02, // Feature (Data,Var,Abs)\n0x85, 0x5D, // Report ID (93)\n0x06, 0x00, 0x00, // Usage Page (Undefined)\n0x09, 0x01, // Usage (0x01)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x1B, // Report Count (27)\n0x81, 0x02, // Input (Data,Var,Abs)\n0xC0, // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[ 21.672709] ==================================================================\n[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[ 21.673700]\n[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[ 21.673700] Call Trace:\n[ 21.673700] \u003cTASK\u003e\n[ 21.673700] dump_stack_lvl+0x5f/0x80\n[ 21.673700] print_report+0xd1/0x660\n[ 21.673700] kasan_report+0xe5/0x120\n[ 21.673700] __asan_report_store8_noabort+0x1b/0x30\n[ 21.673700] asus_probe+0xeeb/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Allocated by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] kasan_save_alloc_info+0x3b/0x50\n[ 21.673700] __kasan_kmalloc+0x9c/0xa0\n[ 21.673700] __kmalloc_cache_noprof+0x139/0x340\n[ 21.673700] input_allocate_device+0x44/0x370\n[ 21.673700] hidinput_connect+0xcb6/0x2630\n[ 21.673700] hid_connect+0xf74/0x1d60\n[ 21.673700] hid_hw_start+0x8c/0x110\n[ 21.673700] asus_probe+0x5a3/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Freed by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] kasan_save_free_info+0x3f/0x60\n[ 21.673700] __kasan_slab_free+0x3c/0x50\n[ 21.673700] kfre\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:24.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9e4a8317437bf944fa017c66e1e23a0368b5c7"
},
{
"url": "https://git.kernel.org/stable/c/7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5"
},
{
"url": "https://git.kernel.org/stable/c/eaae728e7335b5dbad70966e2bd520a731fdf7b2"
},
{
"url": "https://git.kernel.org/stable/c/a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c"
},
{
"url": "https://git.kernel.org/stable/c/5f3c0839b173f7f33415eb098331879e547d1d2d"
},
{
"url": "https://git.kernel.org/stable/c/c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c"
},
{
"url": "https://git.kernel.org/stable/c/72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275"
},
{
"url": "https://git.kernel.org/stable/c/d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4"
}
],
"title": "HID: asus: fix UAF via HID_CLAIMED_INPUT validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39824",
"datePublished": "2025-09-16T13:00:23.135Z",
"dateReserved": "2025-04-16T07:20:57.139Z",
"dateUpdated": "2025-11-03T17:43:45.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53695 (GCVE-0-2023-53695)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Detect system inodes linked into directory hierarchy
When UDF filesystem is corrupted, hidden system inodes can be linked
into directory hierarchy which is an avenue for further serious
corruption of the filesystem and kernel confusion as noticed by syzbot
fuzzed images. Refuse to access system inodes linked into directory
hierarchy and vice versa.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dc71eeb198a8daa17d0c995998a53b0b749a158",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d747b31e2925a2f384e7dd1901a2e5bc5f984ed8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a44ec34b90440ada190924f5908b97026504fdcd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37e74003d81e79457535cbbdfa1603431c03fac0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1f328751b65c49c13a312d67a3bf27766b85baf7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e3b5ef7d02eaa6553e79b4af9bd99227280f245",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85a37983ec69cc9fcd188bc37c4de15ee326355a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.278",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.278",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Detect system inodes linked into directory hierarchy\n\nWhen UDF filesystem is corrupted, hidden system inodes can be linked\ninto directory hierarchy which is an avenue for further serious\ncorruption of the filesystem and kernel confusion as noticed by syzbot\nfuzzed images. Refuse to access system inodes linked into directory\nhierarchy and vice versa."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:36.524Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dc71eeb198a8daa17d0c995998a53b0b749a158"
},
{
"url": "https://git.kernel.org/stable/c/d747b31e2925a2f384e7dd1901a2e5bc5f984ed8"
},
{
"url": "https://git.kernel.org/stable/c/a44ec34b90440ada190924f5908b97026504fdcd"
},
{
"url": "https://git.kernel.org/stable/c/37e74003d81e79457535cbbdfa1603431c03fac0"
},
{
"url": "https://git.kernel.org/stable/c/1f328751b65c49c13a312d67a3bf27766b85baf7"
},
{
"url": "https://git.kernel.org/stable/c/9e3b5ef7d02eaa6553e79b4af9bd99227280f245"
},
{
"url": "https://git.kernel.org/stable/c/85a37983ec69cc9fcd188bc37c4de15ee326355a"
}
],
"title": "udf: Detect system inodes linked into directory hierarchy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53695",
"datePublished": "2025-10-22T13:23:36.524Z",
"dateReserved": "2025-10-22T13:21:37.344Z",
"dateUpdated": "2025-10-22T13:23:36.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38718 (GCVE-0-2025-38718)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: linearize cloned gso packets in sctp_rcv
A cloned head skb still shares these frag skbs in fraglist with the
original head skb. It's not safe to access these frag skbs.
syzbot reported two use-of-uninitialized-memory bugs caused by this:
BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
__release_sock+0x1da/0x330 net/core/sock.c:3106
release_sock+0x6b/0x250 net/core/sock.c:3660
sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:718 [inline]
and
BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
__release_sock+0x1d3/0x330 net/core/sock.c:3213
release_sock+0x6b/0x270 net/core/sock.c:3767
sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:712 [inline]
This patch fixes it by linearizing cloned gso packets in sctp_rcv().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:48.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0194e391bb493aa6cec56d177b14df6b29188d5",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03d0cc6889e02420125510b5444b570f4bbf53d5",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cd0e92bb2b7542fb96397ffac639b4f5b099d0cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "ea094f38d387d1b0ded5dee4a3e5720aa4ce0139",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7d757f17bc2ef2727994ffa6d5d6e4bc4789a770",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "fc66772607101bd2030a4332b3bd0ea3b3605250",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "1bd5214ea681584c5886fea3ba03e49f93a43c0e",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "fd60d8a086191fe33c2d719732d2482052fa6805",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: linearize cloned gso packets in sctp_rcv\n\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. It\u0027s not safe to access these frag skbs.\n\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\n\n BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\n sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\n sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n __release_sock+0x1da/0x330 net/core/sock.c:3106\n release_sock+0x6b/0x250 net/core/sock.c:3660\n sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\n sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\n sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\n inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:718 [inline]\n\nand\n\n BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\n sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\n sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n __release_sock+0x1d3/0x330 net/core/sock.c:3213\n release_sock+0x6b/0x270 net/core/sock.c:3767\n sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\n sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\n sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\n inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n\nThis patch fixes it by linearizing cloned gso packets in sctp_rcv()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:42.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5"
},
{
"url": "https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5"
},
{
"url": "https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb"
},
{
"url": "https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139"
},
{
"url": "https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770"
},
{
"url": "https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250"
},
{
"url": "https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e"
},
{
"url": "https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805"
}
],
"title": "sctp: linearize cloned gso packets in sctp_rcv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38718",
"datePublished": "2025-09-04T15:33:12.448Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:48.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38680 (GCVE-0-2025-38680)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), buf the function
accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes in
uvc_parse_format().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:05.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ad554217c9b945031c73df4e8176a475e2dea57",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "1e269581b3aa5962fdc52757ab40da286168c087",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "8343f3fe0b755925f83d60b05e92bf4396879758",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "ffdd82182953df643aa63d999b6f1653d0c93778",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "cac702a439050df65272c49184aef7975fe3eff2",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "424980d33b3f816485513e538610168b03fab9f1",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "6d4a7c0b296162354b6fc759a1475b9d57ddfaa6",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "782b6a718651eda3478b1824b37a8b3185d2740c",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\n\nThe buffer length check before calling uvc_parse_format() only ensured\nthat the buffer has at least 3 bytes (buflen \u003e 2), buf the function\naccesses buffer[3], requiring at least 4 bytes.\n\nThis can lead to an out-of-bounds read if the buffer has exactly 3 bytes.\n\nFix it by checking that the buffer has at least 4 bytes in\nuvc_parse_format()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:51.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ad554217c9b945031c73df4e8176a475e2dea57"
},
{
"url": "https://git.kernel.org/stable/c/1e269581b3aa5962fdc52757ab40da286168c087"
},
{
"url": "https://git.kernel.org/stable/c/8343f3fe0b755925f83d60b05e92bf4396879758"
},
{
"url": "https://git.kernel.org/stable/c/ffdd82182953df643aa63d999b6f1653d0c93778"
},
{
"url": "https://git.kernel.org/stable/c/a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9"
},
{
"url": "https://git.kernel.org/stable/c/cac702a439050df65272c49184aef7975fe3eff2"
},
{
"url": "https://git.kernel.org/stable/c/424980d33b3f816485513e538610168b03fab9f1"
},
{
"url": "https://git.kernel.org/stable/c/6d4a7c0b296162354b6fc759a1475b9d57ddfaa6"
},
{
"url": "https://git.kernel.org/stable/c/782b6a718651eda3478b1824b37a8b3185d2740c"
}
],
"title": "media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38680",
"datePublished": "2025-09-04T15:32:35.963Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-11-03T17:41:05.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53582 (GCVE-0-2023-53582)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
Fix a stack-out-of-bounds read in brcmfmac that occurs
when 'buf' that is not null-terminated is passed as an argument of
strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with
a CLM version string by memcpy() in brcmf_fil_iovar_data_get().
Ensure buf is null-terminated.
Found by a modified version of syzkaller.
[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22
[ 33.021554][ T1896] ==================================================================
[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110
[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896
[ 33.023852][ T1896]
[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event
[ 33.026581][ T1896] Call Trace:
[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d
[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334
[ 33.028037][ T1896] ? strreplace+0xf2/0x110
[ 33.028403][ T1896] ? strreplace+0xf2/0x110
[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf
[ 33.029283][ T1896] ? strreplace+0xf2/0x110
[ 33.029666][ T1896] strreplace+0xf2/0x110
[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40
[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100
[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0
[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110
[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260
[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0
[ 33.033582][ T1896] brcmf_attach+0x246/0xd40
[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50
[ 33.034383][ T1896] ? kmemdup+0x30/0x40
[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690
[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710
[ 33.036315][ T1896] really_probe+0x1be/0xa90
[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460
[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0
[ 33.037383][ T1896] driver_probe_device+0x49/0x120
[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250
[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120
[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0
[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20
[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120
[ 33.042330][ T1896] __device_attach+0x207/0x330
[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0
[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0
[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260
[ 33.043914][ T1896] device_add+0xa61/0x1ce0
[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660
[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550
[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770
[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230
[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90
[ 33.046931][ T1896] usb_probe_device+0x9c/0x220
[ 33.047434][ T1896] really_probe+0x1be/0xa90
[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460
[ 33.048134][ T1896] driver_probe_device+0x49/0x120
[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250
[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b173b4ad9c001a555f44adc7836d6fe3afbe9ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "423a1297ea72bbddf64dbb0957f2879c0f2aa5d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ca2efea4f11c6255061e852ac188264c469c197",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a0f0ce1c8ab9fe90618dc394e3d1568b5a9ac154",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecb980dc79709c02f579a9c03cb92ccec189ab38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c02f733024d70105f22de8dd0a1252a0350cd516",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "660145d708be52f946a82e5b633c020f58f996de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds\n\nFix a stack-out-of-bounds read in brcmfmac that occurs\nwhen \u0027buf\u0027 that is not null-terminated is passed as an argument of\nstrreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with\na CLM version string by memcpy() in brcmf_fil_iovar_data_get().\nEnsure buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n[ 33.021554][ T1896] ==================================================================\n[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110\n[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896\n[ 33.023852][ T1896]\n[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\n[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event\n[ 33.026581][ T1896] Call Trace:\n[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d\n[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334\n[ 33.028037][ T1896] ? strreplace+0xf2/0x110\n[ 33.028403][ T1896] ? strreplace+0xf2/0x110\n[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf\n[ 33.029283][ T1896] ? strreplace+0xf2/0x110\n[ 33.029666][ T1896] strreplace+0xf2/0x110\n[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40\n[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100\n[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0\n[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0\n[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0\n[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110\n[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260\n[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[ 33.033582][ T1896] brcmf_attach+0x246/0xd40\n[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50\n[ 33.034383][ T1896] ? kmemdup+0x30/0x40\n[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690\n[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710\n[ 33.036315][ T1896] really_probe+0x1be/0xa90\n[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460\n[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0\n[ 33.037383][ T1896] driver_probe_device+0x49/0x120\n[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250\n[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120\n[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0\n[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20\n[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120\n[ 33.042330][ T1896] __device_attach+0x207/0x330\n[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0\n[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0\n[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260\n[ 33.043914][ T1896] device_add+0xa61/0x1ce0\n[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660\n[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550\n[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770\n[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230\n[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90\n[ 33.046931][ T1896] usb_probe_device+0x9c/0x220\n[ 33.047434][ T1896] really_probe+0x1be/0xa90\n[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460\n[ 33.048134][ T1896] driver_probe_device+0x49/0x120\n[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250\n[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:58.493Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b173b4ad9c001a555f44adc7836d6fe3afbe9ec"
},
{
"url": "https://git.kernel.org/stable/c/423a1297ea72bbddf64dbb0957f2879c0f2aa5d0"
},
{
"url": "https://git.kernel.org/stable/c/0ca2efea4f11c6255061e852ac188264c469c197"
},
{
"url": "https://git.kernel.org/stable/c/a0f0ce1c8ab9fe90618dc394e3d1568b5a9ac154"
},
{
"url": "https://git.kernel.org/stable/c/ecb980dc79709c02f579a9c03cb92ccec189ab38"
},
{
"url": "https://git.kernel.org/stable/c/c02f733024d70105f22de8dd0a1252a0350cd516"
},
{
"url": "https://git.kernel.org/stable/c/660145d708be52f946a82e5b633c020f58f996de"
}
],
"title": "wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53582",
"datePublished": "2025-10-04T15:43:58.493Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:43:58.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53617 (GCVE-0-2023-53617)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: socinfo: Add kfree for kstrdup
Add kfree() in the later error handling in order to avoid memory leak.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/aspeed/aspeed-socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfb9676ed25be25ca7cd198d0f0e093b76b7bc7f",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "b662856b71343d9e731c1cd4bbe54758c7791abb",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "d9a5ad4477d2a11e9b03f00c52694451e9332228",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
},
{
"lessThan": "6e6d847a8ce18ab2fbec4f579f682486a82d2c6b",
"status": "affected",
"version": "e0218dca5787c851b403fcbc33cdfec795446fca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/aspeed/aspeed-socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: socinfo: Add kfree for kstrdup\n\nAdd kfree() in the later error handling in order to avoid memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:24.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfb9676ed25be25ca7cd198d0f0e093b76b7bc7f"
},
{
"url": "https://git.kernel.org/stable/c/b662856b71343d9e731c1cd4bbe54758c7791abb"
},
{
"url": "https://git.kernel.org/stable/c/d9a5ad4477d2a11e9b03f00c52694451e9332228"
},
{
"url": "https://git.kernel.org/stable/c/6e6d847a8ce18ab2fbec4f579f682486a82d2c6b"
}
],
"title": "soc: aspeed: socinfo: Add kfree for kstrdup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53617",
"datePublished": "2025-10-07T15:19:24.618Z",
"dateReserved": "2025-10-04T15:40:38.481Z",
"dateUpdated": "2025-10-07T15:19:24.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39839 (GCVE-0-2025-39839)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix OOB read/write in network-coding decode
batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds read and a small out-of-bounds write.
Validate that coded_len fits within the payload area of both destination
and source sk_buffs before XORing.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb Version: 2df5278b0267c799f3e877e8eeddbb6e93cda0bb |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:54.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/network-coding.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30fc47248f02b8a14a61df469e1da4704be1a19f",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "5d334bce9fad58cf328d8fa14ea1fff855819863",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "dce6c2aa70e94c04c523b375dfcc664d7a0a560a",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "bb37252c9af1cb250f34735ee98f80b46be3cef1",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "20080709457bc1e920eb002483d7d981d9b2ac1c",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "a67c6397fcb7e842d3c595243049940970541c48",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
},
{
"lessThan": "d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087",
"status": "affected",
"version": "2df5278b0267c799f3e877e8eeddbb6e93cda0bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/network-coding.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb-\u003elen. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:44.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30fc47248f02b8a14a61df469e1da4704be1a19f"
},
{
"url": "https://git.kernel.org/stable/c/1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183"
},
{
"url": "https://git.kernel.org/stable/c/5d334bce9fad58cf328d8fa14ea1fff855819863"
},
{
"url": "https://git.kernel.org/stable/c/dce6c2aa70e94c04c523b375dfcc664d7a0a560a"
},
{
"url": "https://git.kernel.org/stable/c/bb37252c9af1cb250f34735ee98f80b46be3cef1"
},
{
"url": "https://git.kernel.org/stable/c/20080709457bc1e920eb002483d7d981d9b2ac1c"
},
{
"url": "https://git.kernel.org/stable/c/a67c6397fcb7e842d3c595243049940970541c48"
},
{
"url": "https://git.kernel.org/stable/c/d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087"
}
],
"title": "batman-adv: fix OOB read/write in network-coding decode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39839",
"datePublished": "2025-09-19T15:26:14.688Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:54.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53251 (GCVE-0-2023-53251)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()
rxq can be NULL only when trans_pcie->rxq is NULL and entry->entry
is zero. For the case when entry->entry is not equal to 0, rxq
won't be NULL even if trans_pcie->rxq is NULL. Modify checker to
check for trans_pcie->rxq.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/pcie/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b9de981fe7f1c6e07c7b852421ad69be3d4b6c2",
"status": "affected",
"version": "abc599efa67bb4138536360e07d677052b19e392",
"versionType": "git"
},
{
"lessThan": "2d690495eb2766d58e25c83676f422219c4fcf18",
"status": "affected",
"version": "abc599efa67bb4138536360e07d677052b19e392",
"versionType": "git"
},
{
"lessThan": "390e44efcf4d390b5053ad112553155d2d097c73",
"status": "affected",
"version": "abc599efa67bb4138536360e07d677052b19e392",
"versionType": "git"
},
{
"lessThan": "f71d0fc407dd028416bec002ddcc62f5acb0346a",
"status": "affected",
"version": "abc599efa67bb4138536360e07d677052b19e392",
"versionType": "git"
},
{
"lessThan": "1902f1953b8ba100ee8705cb8a6f1a9795550eca",
"status": "affected",
"version": "abc599efa67bb4138536360e07d677052b19e392",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/pcie/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()\n\nrxq can be NULL only when trans_pcie-\u003erxq is NULL and entry-\u003eentry\nis zero. For the case when entry-\u003eentry is not equal to 0, rxq\nwon\u0027t be NULL even if trans_pcie-\u003erxq is NULL. Modify checker to\ncheck for trans_pcie-\u003erxq."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:20.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b9de981fe7f1c6e07c7b852421ad69be3d4b6c2"
},
{
"url": "https://git.kernel.org/stable/c/2d690495eb2766d58e25c83676f422219c4fcf18"
},
{
"url": "https://git.kernel.org/stable/c/390e44efcf4d390b5053ad112553155d2d097c73"
},
{
"url": "https://git.kernel.org/stable/c/f71d0fc407dd028416bec002ddcc62f5acb0346a"
},
{
"url": "https://git.kernel.org/stable/c/1902f1953b8ba100ee8705cb8a6f1a9795550eca"
}
],
"title": "wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53251",
"datePublished": "2025-09-15T14:46:20.886Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2025-09-15T14:46:20.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50515 (GCVE-0-2022-50515)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
If construction of the array of work queues to handle hpd_rx_irq offload
work fails, we need to unwind. Destroy all the created workqueues and
the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ba3814c00a4817eb1cd31eff08d921c40e5f3a4",
"status": "affected",
"version": "e980e1d978e0eb4c0399cff37f175779237db53b",
"versionType": "git"
},
{
"lessThan": "8b8da09da2701330e7f2c371655887e3d7defe90",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
},
{
"lessThan": "600de40ed50c8b5ecb9c7a4f41eb882066c15a00",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
},
{
"lessThan": "7136f956c73c4ba50bfeb61653dfd6a9669ea915",
"status": "affected",
"version": "8e794421bc981586d0af4e959ec76d668c793a55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()\n\nIf construction of the array of work queues to handle hpd_rx_irq offload\nwork fails, we need to unwind. Destroy all the created workqueues and\nthe allocated memory for the hpd_rx_irq_offload_work_queue struct array."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:10.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ba3814c00a4817eb1cd31eff08d921c40e5f3a4"
},
{
"url": "https://git.kernel.org/stable/c/8b8da09da2701330e7f2c371655887e3d7defe90"
},
{
"url": "https://git.kernel.org/stable/c/600de40ed50c8b5ecb9c7a4f41eb882066c15a00"
},
{
"url": "https://git.kernel.org/stable/c/7136f956c73c4ba50bfeb61653dfd6a9669ea915"
}
],
"title": "drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50515",
"datePublished": "2025-10-07T15:19:10.970Z",
"dateReserved": "2025-10-07T15:15:38.661Z",
"dateUpdated": "2025-10-07T15:19:10.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53168 (GCVE-0-2024-53168)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-05-04 09:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0
Read of size 1 at addr ffff888111f322cd by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
Call Trace:
<IRQ>
dump_stack_lvl+0x68/0xa0
print_address_description.constprop.0+0x2c/0x3d0
print_report+0xb4/0x270
kasan_report+0xbd/0xf0
tcp_write_timer_handler+0x156/0x3e0
tcp_write_timer+0x66/0x170
call_timer_fn+0xfb/0x1d0
__run_timers+0x3f8/0x480
run_timer_softirq+0x9b/0x100
handle_softirqs+0x153/0x390
__irq_exit_rcu+0x103/0x120
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0x76/0x90
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0xf/0x20
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc
cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242
RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d
R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000
R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0
default_idle_call+0x6b/0xa0
cpuidle_idle_call+0x1af/0x1f0
do_idle+0xbc/0x130
cpu_startup_entry+0x33/0x40
rest_init+0x11f/0x210
start_kernel+0x39a/0x420
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0x97/0xa0
common_startup_64+0x13e/0x141
</TASK>
Allocated by task 595:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x87/0x90
kmem_cache_alloc_noprof+0x12b/0x3f0
copy_net_ns+0x94/0x380
create_new_namespaces+0x24c/0x500
unshare_nsproxy_namespaces+0x75/0xf0
ksys_unshare+0x24e/0x4f0
__x64_sys_unshare+0x1f/0x30
do_syscall_64+0x70/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 100:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x54/0x70
kmem_cache_free+0x156/0x5d0
cleanup_net+0x5d3/0x670
process_one_work+0x776/0xa90
worker_thread+0x2e2/0x560
kthread+0x1a8/0x1f0
ret_from_fork+0x34/0x60
ret_from_fork_asm+0x1a/0x30
Reproduction script:
mkdir -p /mnt/nfsshare
mkdir -p /mnt/nfs/netns_1
mkfs.ext4 /dev/sdb
mount /dev/sdb /mnt/nfsshare
systemctl restart nfs-server
chmod 777 /mnt/nfsshare
exportfs -i -o rw,no_root_squash *:/mnt/nfsshare
ip netns add netns_1
ip link add name veth_1_peer type veth peer veth_1
ifconfig veth_1_peer 11.11.0.254 up
ip link set veth_1 netns netns_1
ip netns exec netns_1 ifconfig veth_1 11.11.0.1
ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \
--tcp-flags FIN FIN -j DROP
(note: In my environment, a DESTROY_CLIENTID operation is always sent
immediately, breaking the nfs tcp connection.)
ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \
11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1
ip netns del netns_1
The reason here is that the tcp socket in netns_1 (nfs side) has been
shutdown and closed (done in xs_destroy), but the FIN message (with ack)
is discarded, and the nfsd side keeps sending retransmission messages.
As a result, when the tcp sock in netns_1 processes the received message,
it sends the message (FIN message) in the sending queue, and the tcp timer
is re-established. When the network namespace is deleted, the net structure
accessed by tcp's timer handler function causes problems.
To fix this problem, let's hold netns refcnt for the tcp kernel socket as
done in other modules. This is an ugly hack which can easily be backported
to earlier kernels. A proper fix which cleans up the interfaces will
follow, but may not be so easy to backport.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:13:17.133716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:21:09.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c",
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ca87e5063757132a044d35baba40a7d4bb25394",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "61c0a5eac96836de5e3a5897eccdc63162a94936",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "3f23f96528e8fcf8619895c4c916c52653892ec1",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c",
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix one UAF issue caused by sunrpc kernel tcp socket\n\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0\nRead of size 1 at addr ffff888111f322cd by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x68/0xa0\n print_address_description.constprop.0+0x2c/0x3d0\n print_report+0xb4/0x270\n kasan_report+0xbd/0xf0\n tcp_write_timer_handler+0x156/0x3e0\n tcp_write_timer+0x66/0x170\n call_timer_fn+0xfb/0x1d0\n __run_timers+0x3f8/0x480\n run_timer_softirq+0x9b/0x100\n handle_softirqs+0x153/0x390\n __irq_exit_rcu+0x103/0x120\n irq_exit_rcu+0xe/0x20\n sysvec_apic_timer_interrupt+0x76/0x90\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\nCode: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90\n 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 \u003cfa\u003e c3 cc cc cc\n cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90\nRSP: 0018:ffffffffa2007e28 EFLAGS: 00000242\nRAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d\nR10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000\nR13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0\n default_idle_call+0x6b/0xa0\n cpuidle_idle_call+0x1af/0x1f0\n do_idle+0xbc/0x130\n cpu_startup_entry+0x33/0x40\n rest_init+0x11f/0x210\n start_kernel+0x39a/0x420\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x97/0xa0\n common_startup_64+0x13e/0x141\n \u003c/TASK\u003e\n\nAllocated by task 595:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x87/0x90\n kmem_cache_alloc_noprof+0x12b/0x3f0\n copy_net_ns+0x94/0x380\n create_new_namespaces+0x24c/0x500\n unshare_nsproxy_namespaces+0x75/0xf0\n ksys_unshare+0x24e/0x4f0\n __x64_sys_unshare+0x1f/0x30\n do_syscall_64+0x70/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 100:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x54/0x70\n kmem_cache_free+0x156/0x5d0\n cleanup_net+0x5d3/0x670\n process_one_work+0x776/0xa90\n worker_thread+0x2e2/0x560\n kthread+0x1a8/0x1f0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n\nReproduction script:\n\nmkdir -p /mnt/nfsshare\nmkdir -p /mnt/nfs/netns_1\nmkfs.ext4 /dev/sdb\nmount /dev/sdb /mnt/nfsshare\nsystemctl restart nfs-server\nchmod 777 /mnt/nfsshare\nexportfs -i -o rw,no_root_squash *:/mnt/nfsshare\n\nip netns add netns_1\nip link add name veth_1_peer type veth peer veth_1\nifconfig veth_1_peer 11.11.0.254 up\nip link set veth_1 netns netns_1\nip netns exec netns_1 ifconfig veth_1 11.11.0.1\n\nip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \\\n\t--tcp-flags FIN FIN -j DROP\n\n(note: In my environment, a DESTROY_CLIENTID operation is always sent\n immediately, breaking the nfs tcp connection.)\nip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \\\n\t11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1\n\nip netns del netns_1\n\nThe reason here is that the tcp socket in netns_1 (nfs side) has been\nshutdown and closed (done in xs_destroy), but the FIN message (with ack)\nis discarded, and the nfsd side keeps sending retransmission messages.\nAs a result, when the tcp sock in netns_1 processes the received message,\nit sends the message (FIN message) in the sending queue, and the tcp timer\nis re-established. When the network namespace is deleted, the net structure\naccessed by tcp\u0027s timer handler function causes problems.\n\nTo fix this problem, let\u0027s hold netns refcnt for the tcp kernel socket as\ndone in other modules. This is an ugly hack which can easily be backported\nto earlier kernels. A proper fix which cleans up the interfaces will\nfollow, but may not be so easy to backport."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:45.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ca87e5063757132a044d35baba40a7d4bb25394"
},
{
"url": "https://git.kernel.org/stable/c/694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3"
},
{
"url": "https://git.kernel.org/stable/c/61c0a5eac96836de5e3a5897eccdc63162a94936"
},
{
"url": "https://git.kernel.org/stable/c/3f23f96528e8fcf8619895c4c916c52653892ec1"
}
],
"title": "sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53168",
"datePublished": "2024-12-27T13:49:14.165Z",
"dateReserved": "2024-11-19T17:17:25.005Z",
"dateUpdated": "2025-05-04T09:54:45.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53507 (GCVE-0-2023-53507)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Unregister devlink params in case interface is down
Currently, in case an interface is down, mlx5 driver doesn't
unregister its devlink params, which leads to this WARN[1].
Fix it by unregistering devlink params in that case as well.
[1]
[ 295.244769 ] WARNING: CPU: 15 PID: 1 at net/core/devlink.c:9042 devlink_free+0x174/0x1fc
[ 295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61
[ 295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun 6 2023
[ 295.543096 ] pc : devlink_free+0x174/0x1fc
[ 295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core]
[ 295.561816 ] sp : ffff80000809b850
[ 295.711155 ] Call trace:
[ 295.716030 ] devlink_free+0x174/0x1fc
[ 295.723346 ] mlx5_devlink_free+0x18/0x2c [mlx5_core]
[ 295.733351 ] mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core]
[ 295.743534 ] auxiliary_bus_remove+0x2c/0x50
[ 295.751893 ] __device_release_driver+0x19c/0x280
[ 295.761120 ] device_release_driver+0x34/0x50
[ 295.769649 ] bus_remove_device+0xdc/0x170
[ 295.777656 ] device_del+0x17c/0x3a4
[ 295.784620 ] mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core]
[ 295.794800 ] mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core]
[ 295.806375 ] mlx5_unload+0x34/0xd0 [mlx5_core]
[ 295.815339 ] mlx5_unload_one+0x70/0xe4 [mlx5_core]
[ 295.824998 ] shutdown+0xb0/0xd8 [mlx5_core]
[ 295.833439 ] pci_device_shutdown+0x3c/0xa0
[ 295.841651 ] device_shutdown+0x170/0x340
[ 295.849486 ] __do_sys_reboot+0x1f4/0x2a0
[ 295.857322 ] __arm64_sys_reboot+0x2c/0x40
[ 295.865329 ] invoke_syscall+0x78/0x100
[ 295.872817 ] el0_svc_common.constprop.0+0x54/0x184
[ 295.882392 ] do_el0_svc+0x30/0xac
[ 295.889008 ] el0_svc+0x48/0x160
[ 295.895278 ] el0t_64_sync_handler+0xa4/0x130
[ 295.903807 ] el0t_64_sync+0x1a4/0x1a8
[ 295.911120 ] ---[ end trace 4f1d2381d00d9dce ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "471f59b3455314f0cafacf3096453727876355a9",
"status": "affected",
"version": "fe578cbb2f053f465e19d2671a523dcd01953888",
"versionType": "git"
},
{
"lessThan": "53d737dfd3d7b023fa9fa445ea3f3db0ac9da402",
"status": "affected",
"version": "fe578cbb2f053f465e19d2671a523dcd01953888",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Unregister devlink params in case interface is down\n\nCurrently, in case an interface is down, mlx5 driver doesn\u0027t\nunregister its devlink params, which leads to this WARN[1].\nFix it by unregistering devlink params in that case as well.\n\n[1]\n[ 295.244769 ] WARNING: CPU: 15 PID: 1 at net/core/devlink.c:9042 devlink_free+0x174/0x1fc\n[ 295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61\n[ 295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun 6 2023\n[ 295.543096 ] pc : devlink_free+0x174/0x1fc\n[ 295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[ 295.561816 ] sp : ffff80000809b850\n[ 295.711155 ] Call trace:\n[ 295.716030 ] devlink_free+0x174/0x1fc\n[ 295.723346 ] mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[ 295.733351 ] mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core]\n[ 295.743534 ] auxiliary_bus_remove+0x2c/0x50\n[ 295.751893 ] __device_release_driver+0x19c/0x280\n[ 295.761120 ] device_release_driver+0x34/0x50\n[ 295.769649 ] bus_remove_device+0xdc/0x170\n[ 295.777656 ] device_del+0x17c/0x3a4\n[ 295.784620 ] mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core]\n[ 295.794800 ] mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core]\n[ 295.806375 ] mlx5_unload+0x34/0xd0 [mlx5_core]\n[ 295.815339 ] mlx5_unload_one+0x70/0xe4 [mlx5_core]\n[ 295.824998 ] shutdown+0xb0/0xd8 [mlx5_core]\n[ 295.833439 ] pci_device_shutdown+0x3c/0xa0\n[ 295.841651 ] device_shutdown+0x170/0x340\n[ 295.849486 ] __do_sys_reboot+0x1f4/0x2a0\n[ 295.857322 ] __arm64_sys_reboot+0x2c/0x40\n[ 295.865329 ] invoke_syscall+0x78/0x100\n[ 295.872817 ] el0_svc_common.constprop.0+0x54/0x184\n[ 295.882392 ] do_el0_svc+0x30/0xac\n[ 295.889008 ] el0_svc+0x48/0x160\n[ 295.895278 ] el0t_64_sync_handler+0xa4/0x130\n[ 295.903807 ] el0t_64_sync+0x1a4/0x1a8\n[ 295.911120 ] ---[ end trace 4f1d2381d00d9dce ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:57.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/471f59b3455314f0cafacf3096453727876355a9"
},
{
"url": "https://git.kernel.org/stable/c/53d737dfd3d7b023fa9fa445ea3f3db0ac9da402"
}
],
"title": "net/mlx5: Unregister devlink params in case interface is down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53507",
"datePublished": "2025-10-01T11:45:57.310Z",
"dateReserved": "2025-10-01T11:39:39.405Z",
"dateUpdated": "2025-10-01T11:45:57.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53663 (GCVE-0-2023-53663)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Check instead of asserting on nested TSC scaling support
Check for nested TSC scaling support on nested SVM VMRUN instead of
asserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO
has diverged from KVM's default. Userspace can trigger the WARN at will
by writing the MSR and then updating guest CPUID to hide the feature
(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking
KVM's state_test selftest to do
vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);
after restoring state in a new VM+vCPU yields an endless supply of:
------------[ cut here ]------------
WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699
nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]
Call Trace:
<TASK>
enter_svm_guest_mode+0x114/0x560 [kvm_amd]
nested_svm_vmrun+0x260/0x330 [kvm_amd]
vmrun_interception+0x29/0x30 [kvm_amd]
svm_invoke_exit_handler+0x35/0x100 [kvm_amd]
svm_handle_exit+0xe7/0x180 [kvm_amd]
kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
__se_sys_ioctl+0x7a/0xc0
__x64_sys_ioctl+0x21/0x30
do_syscall_64+0x41/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x45ca1b
Note, the nested #VMEXIT path has the same flaw, but needs a different
fix and will be handled separately.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c1ecfea1daf6e75c46e295aad99dfbafd878897",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "02b24270568f65dd607c4a848512dc8055b4491b",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "7cafe9b8e22bb3d77f130c461aedf6868c4aaf58",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Check instead of asserting on nested TSC scaling support\n\nCheck for nested TSC scaling support on nested SVM VMRUN instead of\nasserting that TSC scaling is exposed to L1 if L1\u0027s MSR_AMD64_TSC_RATIO\nhas diverged from KVM\u0027s default. Userspace can trigger the WARN at will\nby writing the MSR and then updating guest CPUID to hide the feature\n(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking\nKVM\u0027s state_test selftest to do\n\n\t\tvcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n\t\tvcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699\n nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]\n Call Trace:\n \u003cTASK\u003e\n enter_svm_guest_mode+0x114/0x560 [kvm_amd]\n nested_svm_vmrun+0x260/0x330 [kvm_amd]\n vmrun_interception+0x29/0x30 [kvm_amd]\n svm_invoke_exit_handler+0x35/0x100 [kvm_amd]\n svm_handle_exit+0xe7/0x180 [kvm_amd]\n kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n __se_sys_ioctl+0x7a/0xc0\n __x64_sys_ioctl+0x21/0x30\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x45ca1b\n\nNote, the nested #VMEXIT path has the same flaw, but needs a different\nfix and will be handled separately."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:22.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c1ecfea1daf6e75c46e295aad99dfbafd878897"
},
{
"url": "https://git.kernel.org/stable/c/02b24270568f65dd607c4a848512dc8055b4491b"
},
{
"url": "https://git.kernel.org/stable/c/7cafe9b8e22bb3d77f130c461aedf6868c4aaf58"
}
],
"title": "KVM: nSVM: Check instead of asserting on nested TSC scaling support",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53663",
"datePublished": "2025-10-07T15:21:22.400Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:22.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38084 (GCVE-0-2025-38084)
Vulnerability from cvelistv5
Published
2025-06-28 07:44
Modified
2025-11-03 17:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: unshare page tables during VMA split, not before
Currently, __split_vma() triggers hugetlb page table unsharing through
vm_ops->may_split(). This happens before the VMA lock and rmap locks are
taken - which is too early, it allows racing VMA-locked page faults in our
process and racing rmap walks from other processes to cause page tables to
be shared again before we actually perform the split.
Fix it by explicitly calling into the hugetlb unshare logic from
__split_vma() in the same place where THP splitting also happens. At that
point, both the VMA and the rmap(s) are write-locked.
An annoying detail is that we can now call into the helper
hugetlb_unshare_pmds() from two different locking contexts:
1. from hugetlb_split(), holding:
- mmap lock (exclusively)
- VMA lock
- file rmap lock (exclusively)
2. hugetlb_unshare_all_pmds(), which I think is designed to be able to
call us with only the mmap lock held (in shared mode), but currently
only runs while holding mmap lock (exclusively) and VMA lock
Backporting note:
This commit fixes a racy protection that was introduced in commit
b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that
commit claimed to fix an issue introduced in 5.13, but it should actually
also go all the way back.
[jannh@google.com: v2]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa Version: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:52.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h",
"mm/hugetlb.c",
"mm/vma.c",
"tools/testing/vma/vma_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8847d18cd9fff1edbb45e963d9141273c3b539c",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "2511ac64bc1617ca716d3ba8464e481a647c1902",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "af6cfcd0efb7f051af221c418ec8b37a10211947",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "8a21d5584826f4880f45bbf8f72375f4e6c0ff2a",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h",
"mm/hugetlb.c",
"mm/vma.c",
"tools/testing/vma/vma_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops-\u003emay_split(). This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens. At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n - mmap lock (exclusively)\n - VMA lock\n - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n call us with only the mmap lock held (in shared mode), but currently\n only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: v2]"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T05:58:56.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8847d18cd9fff1edbb45e963d9141273c3b539c"
},
{
"url": "https://git.kernel.org/stable/c/366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0"
},
{
"url": "https://git.kernel.org/stable/c/2511ac64bc1617ca716d3ba8464e481a647c1902"
},
{
"url": "https://git.kernel.org/stable/c/af6cfcd0efb7f051af221c418ec8b37a10211947"
},
{
"url": "https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b"
},
{
"url": "https://git.kernel.org/stable/c/8a21d5584826f4880f45bbf8f72375f4e6c0ff2a"
},
{
"url": "https://git.kernel.org/stable/c/081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0"
},
{
"url": "https://project-zero.issues.chromium.org/issues/420715744"
}
],
"title": "mm/hugetlb: unshare page tables during VMA split, not before",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38084",
"datePublished": "2025-06-28T07:44:25.379Z",
"dateReserved": "2025-04-16T04:51:23.981Z",
"dateUpdated": "2025-11-03T17:33:52.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39889 (GCVE-0-2025-39889)
Vulnerability from cvelistv5
Published
2025-09-24 11:02
Modified
2025-09-24 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: Check encryption key size on incoming connection
This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:
Security Mode 4 Level 4, Responder - Invalid Encryption Key Size
- 128 bit
This tests the security key with size from 1 to 15 bytes while the
Security Mode 4 Level 4 requests 16 bytes key size.
Currently PTS fails with the following logs:
- expected:Connection Response:
Code: [3 (0x03)] Code
Identifier: (lt)WildCard: Exists(gt)
Length: [8 (0x0008)]
Destination CID: (lt)WildCard: Exists(gt)
Source CID: [64 (0x0040)]
Result: [3 (0x0003)] Connection refused - Security block
Status: (lt)WildCard: Exists(gt),
but received:Connection Response:
Code: [3 (0x03)] Code
Identifier: [1 (0x01)]
Length: [8 (0x0008)]
Destination CID: [64 (0x0040)]
Source CID: [64 (0x0040)]
Result: [0 (0x0000)] Connection Successful
Status: [0 (0x0000)] No further information available
And HCI logs:
< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2
Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 1
Status: Success (0x00)
Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
Key size: 7
> ACL Data RX: Handle 14 flags 0x02 dlen 12
L2CAP: Connection Request (0x02) ident 1 len 4
PSM: 4097 (0x1001)
Source CID: 64
< ACL Data TX: Handle 14 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 1 len 8
Destination CID: 64
Source CID: 64
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 Version: 288c06973daae4637f25a0d1bdaf65fdbf8455f9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
},
{
"lessThan": "c6d527bbd3d3896375079f5dbc8b7f96734a3ba5",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
},
{
"lessThan": "9e3114958d87ea88383cbbf38c89e04b8ea1bce5",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
},
{
"lessThan": "d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
},
{
"lessThan": "d4ca2fd218caafbf50e3343ba1260c6a23b5676a",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
},
{
"lessThan": "522e9ed157e3c21b4dd623c79967f72c21e45b78",
"status": "affected",
"version": "288c06973daae4637f25a0d1bdaf65fdbf8455f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.25",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: Check encryption key size on incoming connection\n\nThis is required for passing GAP/SEC/SEM/BI-04-C PTS test case:\n Security Mode 4 Level 4, Responder - Invalid Encryption Key Size\n - 128 bit\n\nThis tests the security key with size from 1 to 15 bytes while the\nSecurity Mode 4 Level 4 requests 16 bytes key size.\n\nCurrently PTS fails with the following logs:\n- expected:Connection Response:\n Code: [3 (0x03)] Code\n Identifier: (lt)WildCard: Exists(gt)\n Length: [8 (0x0008)]\n Destination CID: (lt)WildCard: Exists(gt)\n Source CID: [64 (0x0040)]\n Result: [3 (0x0003)] Connection refused - Security block\n Status: (lt)WildCard: Exists(gt),\nbut received:Connection Response:\n Code: [3 (0x03)] Code\n Identifier: [1 (0x01)]\n Length: [8 (0x0008)]\n Destination CID: [64 (0x0040)]\n Source CID: [64 (0x0040)]\n Result: [0 (0x0000)] Connection Successful\n Status: [0 (0x0000)] No further information available\n\nAnd HCI logs:\n\u003c HCI Command: Read Encrypti.. (0x05|0x0008) plen 2\n Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n\u003e HCI Event: Command Complete (0x0e) plen 7\n Read Encryption Key Size (0x05|0x0008) ncmd 1\n Status: Success (0x00)\n Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n Key size: 7\n\u003e ACL Data RX: Handle 14 flags 0x02 dlen 12\n L2CAP: Connection Request (0x02) ident 1 len 4\n PSM: 4097 (0x1001)\n Source CID: 64\n\u003c ACL Data TX: Handle 14 flags 0x00 dlen 16\n L2CAP: Connection Response (0x03) ident 1 len 8\n Destination CID: 64\n Source CID: 64\n Result: Connection successful (0x0000)\n Status: No further information available (0x0000)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T11:02:51.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f"
},
{
"url": "https://git.kernel.org/stable/c/c6d527bbd3d3896375079f5dbc8b7f96734a3ba5"
},
{
"url": "https://git.kernel.org/stable/c/9e3114958d87ea88383cbbf38c89e04b8ea1bce5"
},
{
"url": "https://git.kernel.org/stable/c/d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6"
},
{
"url": "https://git.kernel.org/stable/c/d4ca2fd218caafbf50e3343ba1260c6a23b5676a"
},
{
"url": "https://git.kernel.org/stable/c/522e9ed157e3c21b4dd623c79967f72c21e45b78"
}
],
"title": "Bluetooth: l2cap: Check encryption key size on incoming connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39889",
"datePublished": "2025-09-24T11:02:51.036Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-09-24T11:02:51.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39938 (GCVE-0-2025-39938)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed
If earlier opening of source graph fails (e.g. ADSP rejects due to
incorrect audioreach topology), the graph is closed and
"dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink
graph continues though and next call to q6apm_lpass_dai_prepare()
receives dai_data->graph[dai->id]=NULL leading to NULL pointer
exception:
qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd
qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1
q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78
q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
...
Call trace:
q6apm_graph_media_format_pcm+0x48/0x120 (P)
q6apm_lpass_dai_prepare+0x110/0x1b4
snd_soc_pcm_dai_prepare+0x74/0x108
__soc_pcm_prepare+0x44/0x160
dpcm_be_dai_prepare+0x124/0x1c0
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm-lpass-dais.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "411f7d4f7038200cdf6d4f71ee31026ebf2dfedb",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "9c534dbfd1726502abcf0bd393a04214f62c050b",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "cc336b242ea7e7a09b3ab9f885341455ca0a3bdb",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
},
{
"lessThan": "68f27f7c7708183e7873c585ded2f1b057ac5b97",
"status": "affected",
"version": "30ad723b93ade607a678698e5947a55a4375c3a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm-lpass-dais.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed\n\nIf earlier opening of source graph fails (e.g. ADSP rejects due to\nincorrect audioreach topology), the graph is closed and\n\"dai_data-\u003egraph[dai-\u003eid]\" is assigned NULL. Preparing the DAI for sink\ngraph continues though and next call to q6apm_lpass_dai_prepare()\nreceives dai_data-\u003egraph[dai-\u003eid]=NULL leading to NULL pointer\nexception:\n\n qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd\n qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78\n q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22\n Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\n ...\n Call trace:\n q6apm_graph_media_format_pcm+0x48/0x120 (P)\n q6apm_lpass_dai_prepare+0x110/0x1b4\n snd_soc_pcm_dai_prepare+0x74/0x108\n __soc_pcm_prepare+0x44/0x160\n dpcm_be_dai_prepare+0x124/0x1c0"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:01.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01d1ba106c9e02a2e7d41e07be49031a0ff0ecaa"
},
{
"url": "https://git.kernel.org/stable/c/411f7d4f7038200cdf6d4f71ee31026ebf2dfedb"
},
{
"url": "https://git.kernel.org/stable/c/9c534dbfd1726502abcf0bd393a04214f62c050b"
},
{
"url": "https://git.kernel.org/stable/c/cc336b242ea7e7a09b3ab9f885341455ca0a3bdb"
},
{
"url": "https://git.kernel.org/stable/c/68f27f7c7708183e7873c585ded2f1b057ac5b97"
}
],
"title": "ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39938",
"datePublished": "2025-10-04T07:31:01.736Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:01.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39813 (GCVE-0-2025-39813)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
When calling ftrace_dump_one() concurrently with reading trace_pipe,
a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race
condition.
The issue occurs because:
CPU0 (ftrace_dump) CPU1 (reader)
echo z > /proc/sysrq-trigger
!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
__find_next_entry
ring_buffer_empty_cpu <- all empty
return NULL
trace_printk_seq(&iter.seq)
WARN_ON_ONCE(s->seq.len >= s->seq.size)
In the context between trace_empty() and trace_find_next_entry_inc()
during ftrace_dump, the ring buffer data was consumed by other readers.
This caused trace_find_next_entry_inc to return NULL, failing to populate
`iter.seq`. At this point, due to the prior trace_iterator_reset, both
`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,
the WARN_ON_ONCE condition is triggered.
Move the trace_printk_seq() into the if block that checks to make sure the
return value of trace_find_next_entry_inc() is non-NULL in
ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before
subsequent operations.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 Version: d769041f865330034131525ee6a7f72eb4af2a24 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:38.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f299353e7ccbcc5c2ed8993c48fbe7609cbe729a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "a6f0f8873cc30fd4543b09adf03f7f51d293f0e6",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "e80ff23ba8bdb0f41a1afe2657078e4097d13a9a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "ced94e137e6cd5e79c65564841d3b7695d0f5fa3",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "fbd4cf7ee4db65ef36796769fe978e9eba6f0de4",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
},
{
"lessThan": "4013aef2ced9b756a410f50d12df9ebe6a883e4a",
"status": "affected",
"version": "d769041f865330034131525ee6a7f72eb4af2a24",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump) CPU1 (reader)\necho z \u003e /proc/sysrq-trigger\n\n!trace_empty(\u0026iter)\ntrace_iterator_reset(\u0026iter) \u003c- len = size = 0\n cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(\u0026iter)\n __find_next_entry\n ring_buffer_empty_cpu \u003c- all empty\n return NULL\n\ntrace_printk_seq(\u0026iter.seq)\n WARN_ON_ONCE(s-\u003eseq.len \u003e= s-\u003eseq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the \u0027iter.seq\u0027 is properly populated before\nsubsequent operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:57.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f299353e7ccbcc5c2ed8993c48fbe7609cbe729a"
},
{
"url": "https://git.kernel.org/stable/c/5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85"
},
{
"url": "https://git.kernel.org/stable/c/a6f0f8873cc30fd4543b09adf03f7f51d293f0e6"
},
{
"url": "https://git.kernel.org/stable/c/e80ff23ba8bdb0f41a1afe2657078e4097d13a9a"
},
{
"url": "https://git.kernel.org/stable/c/28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa"
},
{
"url": "https://git.kernel.org/stable/c/ced94e137e6cd5e79c65564841d3b7695d0f5fa3"
},
{
"url": "https://git.kernel.org/stable/c/fbd4cf7ee4db65ef36796769fe978e9eba6f0de4"
},
{
"url": "https://git.kernel.org/stable/c/4013aef2ced9b756a410f50d12df9ebe6a883e4a"
}
],
"title": "ftrace: Fix potential warning in trace_printk_seq during ftrace_dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39813",
"datePublished": "2025-09-16T13:00:14.846Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:38.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37752 (GCVE-0-2025-37752)
Vulnerability from cvelistv5
Published
2025-05-01 12:55
Modified
2025-11-03 19:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: move the limit validation
It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.
Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
This fixes the following syzkaller reported crash:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e12f6013d0a69660e8b99bfe381b9546ae667328 Version: 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 Version: 1b562b7f9231432da40d12e19786c1bd7df653a7 Version: 35d0137305ae2f97260a9047f445bd4434bd6cc7 Version: 833e9a1c27b82024db7ff5038a51651f48f05e5e Version: 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 Version: 7fefc294204f10a3405f175f4ac2be16d63f135e Version: 10685681bafce6febb39770f3387621bf5d67d0b Version: 10685681bafce6febb39770f3387621bf5d67d0b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:54:26.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4",
"status": "affected",
"version": "e12f6013d0a69660e8b99bfe381b9546ae667328",
"versionType": "git"
},
{
"lessThan": "7d62ded97db6b7c94c891f704151f372b1ba4688",
"status": "affected",
"version": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
"versionType": "git"
},
{
"lessThan": "6c589aa318023690f1606c666a7fb5f4c1c9c219",
"status": "affected",
"version": "1b562b7f9231432da40d12e19786c1bd7df653a7",
"versionType": "git"
},
{
"lessThan": "1348214fa042a71406964097e743c87a42c85a49",
"status": "affected",
"version": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
"versionType": "git"
},
{
"lessThan": "d2718324f9e329b10ddc091fba5a0ba2b9d4d96a",
"status": "affected",
"version": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
"versionType": "git"
},
{
"lessThan": "f86293adce0c201cfabb283ef9d6f21292089bb8",
"status": "affected",
"version": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
"versionType": "git"
},
{
"lessThan": "5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d",
"status": "affected",
"version": "7fefc294204f10a3405f175f4ac2be16d63f135e",
"versionType": "git"
},
{
"lessThan": "b36a68192037d1614317a09b0d78c7814e2eecf9",
"status": "affected",
"version": "10685681bafce6febb39770f3387621bf5d67d0b",
"versionType": "git"
},
{
"lessThan": "b3bf8f63e6179076b57c9de660c9f80b5abefe70",
"status": "affected",
"version": "10685681bafce6febb39770f3387621bf5d67d0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "6.13.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:42:49.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
},
{
"url": "https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688"
},
{
"url": "https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219"
},
{
"url": "https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49"
},
{
"url": "https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
},
{
"url": "https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8"
},
{
"url": "https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
},
{
"url": "https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9"
},
{
"url": "https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70"
}
],
"title": "net_sched: sch_sfq: move the limit validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37752",
"datePublished": "2025-05-01T12:55:57.280Z",
"dateReserved": "2025-04-16T04:51:23.937Z",
"dateUpdated": "2025-11-03T19:54:26.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53543 (GCVE-0-2023-53543)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa max vqp attr to avoid
such bugs.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff71709445ac033e6e250d971683110e4781c068",
"status": "affected",
"version": "ad69dd0bf26b88ec6ab26f8bbe5cd74fbed7672a",
"versionType": "git"
},
{
"lessThan": "ea65e8b5e6b1a34deda7564f09c90e9e80db436a",
"status": "affected",
"version": "ad69dd0bf26b88ec6ab26f8bbe5cd74fbed7672a",
"versionType": "git"
},
{
"lessThan": "5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f",
"status": "affected",
"version": "ad69dd0bf26b88ec6ab26f8bbe5cd74fbed7672a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info-\u003eattrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa max vqp attr to avoid\nsuch bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:52.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff71709445ac033e6e250d971683110e4781c068"
},
{
"url": "https://git.kernel.org/stable/c/ea65e8b5e6b1a34deda7564f09c90e9e80db436a"
},
{
"url": "https://git.kernel.org/stable/c/5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f"
}
],
"title": "vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53543",
"datePublished": "2025-10-04T15:16:52.114Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2025-10-04T15:16:52.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53589 (GCVE-0-2023-53589)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: don't trust firmware n_channels
If the firmware sends us a corrupted MCC response with
n_channels much larger than the command response can be,
we might copy far too much (uninitialized) memory and
even crash if the n_channels is large enough to make it
run out of the one page allocated for the FW response.
Fix that by checking the lengths. Doing a < comparison
would be sufficient, but the firmware should be doing
it correctly, so check more strictly.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 Version: dcaf9f5ecb6f395152609bdc40660d9b593dca63 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e519a404a5bbba37693cb10fa61794a5fce4fd9b",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
},
{
"lessThan": "d0d39bed9e95f27a246be91c5929254ac043ed30",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
},
{
"lessThan": "05ad5a4d421ce65652fcb24d46b7e273130240d6",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
},
{
"lessThan": "557ba100d8cf3661ff8d71c0b4a2cba8db555ec2",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
},
{
"lessThan": "c176f03350954b795322de0bfe1d7b514db41f45",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
},
{
"lessThan": "682b6dc29d98e857e6ca4bbc077c7dc2899b7473",
"status": "affected",
"version": "dcaf9f5ecb6f395152609bdc40660d9b593dca63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don\u0027t trust firmware n_channels\n\nIf the firmware sends us a corrupted MCC response with\nn_channels much larger than the command response can be,\nwe might copy far too much (uninitialized) memory and\neven crash if the n_channels is large enough to make it\nrun out of the one page allocated for the FW response.\n\nFix that by checking the lengths. Doing a \u003c comparison\nwould be sufficient, but the firmware should be doing\nit correctly, so check more strictly."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:04.047Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e519a404a5bbba37693cb10fa61794a5fce4fd9b"
},
{
"url": "https://git.kernel.org/stable/c/d0d39bed9e95f27a246be91c5929254ac043ed30"
},
{
"url": "https://git.kernel.org/stable/c/05ad5a4d421ce65652fcb24d46b7e273130240d6"
},
{
"url": "https://git.kernel.org/stable/c/557ba100d8cf3661ff8d71c0b4a2cba8db555ec2"
},
{
"url": "https://git.kernel.org/stable/c/c176f03350954b795322de0bfe1d7b514db41f45"
},
{
"url": "https://git.kernel.org/stable/c/682b6dc29d98e857e6ca4bbc077c7dc2899b7473"
}
],
"title": "wifi: iwlwifi: mvm: don\u0027t trust firmware n_channels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53589",
"datePublished": "2025-10-04T15:44:04.047Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:04.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53699 (GCVE-0-2023-53699)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: move memblock_allow_resize() after linear mapping is ready
The initial memblock metadata is accessed from kernel image mapping. The
regions arrays need to "reallocated" from memblock and accessed through
linear mapping to cover more memblock regions. So the resizing should
not be allowed until linear mapping is ready. Note that there are
memblock allocations when building linear mapping.
This patch is similar to 24cc61d8cb5a ("arm64: memblock: don't permit
memblock resizing until linear mapping is up").
In following log, many memblock regions are reserved before
create_linear_mapping_page_table(). And then it triggered reallocation
of memblock.reserved.regions and memcpy the old array in kernel image
mapping to the new array in linear mapping which caused a page fault.
[ 0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000
[ 0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae
[ 0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c
[ 0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128
[ 0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff]
[ 0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000
[ 0.000000] Oops [#1]
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66
[ 0.000000] Hardware name: riscv-virtio,qemu (DT)
[ 0.000000] epc : __memcpy+0x60/0xf8
[ 0.000000] ra : memblock_double_array+0x192/0x248
[ 0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0
[ 0.000000] gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000
[ 0.000000] t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60
[ 0.000000] s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8
[ 0.000000] a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000
[ 0.000000] a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000
[ 0.000000] s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00
[ 0.000000] s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000
[ 0.000000] s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000
[ 0.000000] s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000
[ 0.000000] t5 : 000000008f003000 t6 : ff600000ffffd000
[ 0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f
[ 0.000000] [<fff
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/mm/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4284246fca2ef482a8fcf5ad7d2c33a45b41e9c",
"status": "affected",
"version": "671f9a3e2e24cdeb2d2856abee7422f093e23e29",
"versionType": "git"
},
{
"lessThan": "0a1b80ff4f721c4be98707bfe9d20238df133eb8",
"status": "affected",
"version": "671f9a3e2e24cdeb2d2856abee7422f093e23e29",
"versionType": "git"
},
{
"lessThan": "ba11f4e59509538810e5c44578fc73984acdf1d7",
"status": "affected",
"version": "671f9a3e2e24cdeb2d2856abee7422f093e23e29",
"versionType": "git"
},
{
"lessThan": "85fadc0d04119c2fe4a20287767ab904c6d21ba1",
"status": "affected",
"version": "671f9a3e2e24cdeb2d2856abee7422f093e23e29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/mm/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: move memblock_allow_resize() after linear mapping is ready\n\nThe initial memblock metadata is accessed from kernel image mapping. The\nregions arrays need to \"reallocated\" from memblock and accessed through\nlinear mapping to cover more memblock regions. So the resizing should\nnot be allowed until linear mapping is ready. Note that there are\nmemblock allocations when building linear mapping.\n\nThis patch is similar to 24cc61d8cb5a (\"arm64: memblock: don\u0027t permit\nmemblock resizing until linear mapping is up\").\n\nIn following log, many memblock regions are reserved before\ncreate_linear_mapping_page_table(). And then it triggered reallocation\nof memblock.reserved.regions and memcpy the old array in kernel image\nmapping to the new array in linear mapping which caused a page fault.\n\n[ 0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[ 0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000\n[ 0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae\n[ 0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c\n[ 0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128\n[ 0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff]\n[ 0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000\n[ 0.000000] Oops [#1]\n[ 0.000000] Modules linked in:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66\n[ 0.000000] Hardware name: riscv-virtio,qemu (DT)\n[ 0.000000] epc : __memcpy+0x60/0xf8\n[ 0.000000] ra : memblock_double_array+0x192/0x248\n[ 0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0\n[ 0.000000] gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000\n[ 0.000000] t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60\n[ 0.000000] s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8\n[ 0.000000] a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000\n[ 0.000000] a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000\n[ 0.000000] s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00\n[ 0.000000] s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000\n[ 0.000000] s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000\n[ 0.000000] s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000\n[ 0.000000] t5 : 000000008f003000 t6 : ff600000ffffd000\n[ 0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f\n[ 0.000000] [\u003cfff\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:38.981Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4284246fca2ef482a8fcf5ad7d2c33a45b41e9c"
},
{
"url": "https://git.kernel.org/stable/c/0a1b80ff4f721c4be98707bfe9d20238df133eb8"
},
{
"url": "https://git.kernel.org/stable/c/ba11f4e59509538810e5c44578fc73984acdf1d7"
},
{
"url": "https://git.kernel.org/stable/c/85fadc0d04119c2fe4a20287767ab904c6d21ba1"
}
],
"title": "riscv: move memblock_allow_resize() after linear mapping is ready",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53699",
"datePublished": "2025-10-22T13:23:38.981Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:38.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53235 (GCVE-0-2023-53235)
Vulnerability from cvelistv5
Published
2025-09-15 14:22
Modified
2025-09-15 14:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tests: helpers: Avoid a driver uaf
when using __drm_kunit_helper_alloc_drm_device() the driver may be
dereferenced by device-managed resources up until the device is
freed, which is typically later than the kunit-managed resource code
frees it. Fix this by simply make the driver device-managed as well.
In short, the sequence leading to the UAF is as follows:
INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.
EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup puts the struct device, which starts a
device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.
Related KASAN message:
[55272.551542] ==================================================================
[55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353
[55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G U N 6.5.0-rc7+ #155
[55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
[55272.551626] Call Trace:
[55272.551629] <TASK>
[55272.551633] dump_stack_lvl+0x57/0x90
[55272.551639] print_report+0xcf/0x630
[55272.551645] ? _raw_spin_lock_irqsave+0x5f/0x70
[55272.551652] ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551694] kasan_report+0xd7/0x110
[55272.551699] ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551742] drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551783] devres_release_all+0x15d/0x1f0
[55272.551790] ? __pfx_devres_release_all+0x10/0x10
[55272.551797] device_unbind_cleanup+0x16/0x1a0
[55272.551802] device_release_driver_internal+0x3e5/0x540
[55272.551808] ? kobject_put+0x5d/0x4b0
[55272.551814] bus_remove_device+0x1f1/0x3f0
[55272.551819] device_del+0x342/0x910
[55272.551826] ? __pfx_device_del+0x10/0x10
[55272.551830] ? lock_release+0x339/0x5e0
[55272.551836] ? kunit_remove_resource+0x128/0x290 [kunit]
[55272.551845] ? __pfx_lock_release+0x10/0x10
[55272.551851] platform_device_del.part.0+0x1f/0x1e0
[55272.551856] ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551863] kunit_remove_resource+0x195/0x290 [kunit]
[55272.551871] ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551877] kunit_cleanup+0x78/0x120 [kunit]
[55272.551885] ? __kthread_parkme+0xc1/0x1f0
[55272.551891] ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
[55272.551900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
[55272.551909] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.551919] kthread+0x2e7/0x3c0
[55272.551924] ? __pfx_kthread+0x10/0x10
[55272.551929] ret_from_fork+0x2d/0x70
[55272.551935] ? __pfx_kthread+0x10/0x10
[55272.551940] ret_from_fork_asm+0x1b/0x30
[55272.551948] </TASK>
[55272.551953] Allocated by task 10351:
[55272.551956] kasan_save_stack+0x1c/0x40
[55272.551962] kasan_set_track+0x21/0x30
[55272.551966] __kasan_kmalloc+0x8b/0x90
[55272.551970] __kmalloc+0x5e/0x160
[55272.551976] kunit_kmalloc_array+0x1c/0x50 [kunit]
[55272.551984] drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
[55272.551991] kunit_try_run_case+0xdd/0x250 [kunit]
[55272.551999] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.552008] kthread+0x2e7/0x3c0
[55272.552012] ret_from_fork+0x2d/0x70
[55272.552017] ret_from_fork_asm+0x1b/0x30
[55272.552024] Freed by task 10353:
[55272.552027] kasan_save_stack+0x1c/0x40
[55272.552032] kasan_set_track+0x21/0x30
[55272.552036] kasan_save_free_info+0x27/0x40
[55272.552041] __kasan_slab_free+0x106/0x180
[55272.552046] slab_free_freelist_hook+0xb3/0x160
[55272.552051] __kmem_cache_free+0xb2/0x290
[55272.552056] kunit_remove_resource+0x195/0x290 [kunit]
[55272.552064] kunit_cleanup+0x7
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/drm/drm_kunit_helpers.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9d8be0e533738b744abb669263c4750d4830009",
"status": "affected",
"version": "d98780310719bf4076d975c2ff65c44c7c0d929e",
"versionType": "git"
},
{
"lessThan": "139a27854bf5ce93ff9805f9f7683b88c13074dc",
"status": "affected",
"version": "d98780310719bf4076d975c2ff65c44c7c0d929e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/drm/drm_kunit_helpers.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: helpers: Avoid a driver uaf\n\nwhen using __drm_kunit_helper_alloc_drm_device() the driver may be\ndereferenced by device-managed resources up until the device is\nfreed, which is typically later than the kunit-managed resource code\nfrees it. Fix this by simply make the driver device-managed as well.\n\nIn short, the sequence leading to the UAF is as follows:\n\nINIT:\nCode allocates a struct device as a kunit-managed resource.\nCode allocates a drm driver as a kunit-managed resource.\nCode allocates a drm device as a device-managed resource.\n\nEXIT:\nKunit resource cleanup frees the drm driver\nKunit resource cleanup puts the struct device, which starts a\n device-managed resource cleanup\ndevice-managed cleanup calls drm_dev_put()\ndrm_dev_put() dereferences the (now freed) drm driver -\u003e Boom.\n\nRelated KASAN message:\n[55272.551542] ==================================================================\n[55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353\n\n[55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G U N 6.5.0-rc7+ #155\n[55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021\n[55272.551626] Call Trace:\n[55272.551629] \u003cTASK\u003e\n[55272.551633] dump_stack_lvl+0x57/0x90\n[55272.551639] print_report+0xcf/0x630\n[55272.551645] ? _raw_spin_lock_irqsave+0x5f/0x70\n[55272.551652] ? drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551694] kasan_report+0xd7/0x110\n[55272.551699] ? drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551742] drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551783] devres_release_all+0x15d/0x1f0\n[55272.551790] ? __pfx_devres_release_all+0x10/0x10\n[55272.551797] device_unbind_cleanup+0x16/0x1a0\n[55272.551802] device_release_driver_internal+0x3e5/0x540\n[55272.551808] ? kobject_put+0x5d/0x4b0\n[55272.551814] bus_remove_device+0x1f1/0x3f0\n[55272.551819] device_del+0x342/0x910\n[55272.551826] ? __pfx_device_del+0x10/0x10\n[55272.551830] ? lock_release+0x339/0x5e0\n[55272.551836] ? kunit_remove_resource+0x128/0x290 [kunit]\n[55272.551845] ? __pfx_lock_release+0x10/0x10\n[55272.551851] platform_device_del.part.0+0x1f/0x1e0\n[55272.551856] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[55272.551863] kunit_remove_resource+0x195/0x290 [kunit]\n[55272.551871] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[55272.551877] kunit_cleanup+0x78/0x120 [kunit]\n[55272.551885] ? __kthread_parkme+0xc1/0x1f0\n[55272.551891] ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]\n[55272.551900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]\n[55272.551909] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]\n[55272.551919] kthread+0x2e7/0x3c0\n[55272.551924] ? __pfx_kthread+0x10/0x10\n[55272.551929] ret_from_fork+0x2d/0x70\n[55272.551935] ? __pfx_kthread+0x10/0x10\n[55272.551940] ret_from_fork_asm+0x1b/0x30\n[55272.551948] \u003c/TASK\u003e\n\n[55272.551953] Allocated by task 10351:\n[55272.551956] kasan_save_stack+0x1c/0x40\n[55272.551962] kasan_set_track+0x21/0x30\n[55272.551966] __kasan_kmalloc+0x8b/0x90\n[55272.551970] __kmalloc+0x5e/0x160\n[55272.551976] kunit_kmalloc_array+0x1c/0x50 [kunit]\n[55272.551984] drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]\n[55272.551991] kunit_try_run_case+0xdd/0x250 [kunit]\n[55272.551999] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]\n[55272.552008] kthread+0x2e7/0x3c0\n[55272.552012] ret_from_fork+0x2d/0x70\n[55272.552017] ret_from_fork_asm+0x1b/0x30\n\n[55272.552024] Freed by task 10353:\n[55272.552027] kasan_save_stack+0x1c/0x40\n[55272.552032] kasan_set_track+0x21/0x30\n[55272.552036] kasan_save_free_info+0x27/0x40\n[55272.552041] __kasan_slab_free+0x106/0x180\n[55272.552046] slab_free_freelist_hook+0xb3/0x160\n[55272.552051] __kmem_cache_free+0xb2/0x290\n[55272.552056] kunit_remove_resource+0x195/0x290 [kunit]\n[55272.552064] kunit_cleanup+0x7\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:22:08.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9d8be0e533738b744abb669263c4750d4830009"
},
{
"url": "https://git.kernel.org/stable/c/139a27854bf5ce93ff9805f9f7683b88c13074dc"
}
],
"title": "drm/tests: helpers: Avoid a driver uaf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53235",
"datePublished": "2025-09-15T14:22:08.322Z",
"dateReserved": "2025-09-15T14:19:21.847Z",
"dateUpdated": "2025-09-15T14:22:08.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53597 (GCVE-0-2023-53597)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix mid leak during reconnection after timeout threshold
When the number of responses with status of STATUS_IO_TIMEOUT
exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect
the connection. But we do not return the mid, or the credits
returned for the mid, or reduce the number of in-flight requests.
This bug could result in the server->in_flight count to go bad,
and also cause a leak in the mids.
This change moves the check to a few lines below where the
response is decrypted, even of the response is read from the
transform header. This way, the code for returning the mids
can be reused.
Also, the cifs_reconnect was reconnecting just the transport
connection before. In case of multi-channel, this may not be
what we want to do after several timeouts. Changed that to
reconnect the session and the tree too.
Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name
MAX_STATUS_IO_TIMEOUT.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df31d05f0678cdd0796ea19983a2b93edca18bb0",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "c55901d381a22300c9922170e59704059f50977b",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "57d25e9905c71133e201f6d06b56a3403d4ad433",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"lessThan": "69cba9d3c1284e0838ae408830a02c4a063104bc",
"status": "affected",
"version": "8e670f77c4a55013db6d23b962f9bf6673a5e7b6",
"versionType": "git"
},
{
"status": "affected",
"version": "fa6d7a5853f93efb088aba36af12cb1944156411",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix mid leak during reconnection after timeout threshold\n\nWhen the number of responses with status of STATUS_IO_TIMEOUT\nexceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect\nthe connection. But we do not return the mid, or the credits\nreturned for the mid, or reduce the number of in-flight requests.\n\nThis bug could result in the server-\u003ein_flight count to go bad,\nand also cause a leak in the mids.\n\nThis change moves the check to a few lines below where the\nresponse is decrypted, even of the response is read from the\ntransform header. This way, the code for returning the mids\ncan be reused.\n\nAlso, the cifs_reconnect was reconnecting just the transport\nconnection before. In case of multi-channel, this may not be\nwhat we want to do after several timeouts. Changed that to\nreconnect the session and the tree too.\n\nAlso renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name\nMAX_STATUS_IO_TIMEOUT."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:09.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df31d05f0678cdd0796ea19983a2b93edca18bb0"
},
{
"url": "https://git.kernel.org/stable/c/c55901d381a22300c9922170e59704059f50977b"
},
{
"url": "https://git.kernel.org/stable/c/57d25e9905c71133e201f6d06b56a3403d4ad433"
},
{
"url": "https://git.kernel.org/stable/c/69cba9d3c1284e0838ae408830a02c4a063104bc"
}
],
"title": "cifs: fix mid leak during reconnection after timeout threshold",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53597",
"datePublished": "2025-10-04T15:44:09.616Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:09.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39757 (GCVE-0-2025-39757)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
UAC3 class segment descriptors need to be verified whether their sizes
match with the declared lengths and whether they fit with the
allocated buffer sizes, too. Otherwise malicious firmware may lead to
the unexpected OOB accesses.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 Version: 11785ef53228d23ec386f5fe4a34601536f0c891 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:07.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "799c06ad4c9c790c265e8b6b94947213f1fb389c",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "786571b10b1ae6d90e1242848ce78ee7e1d493c4",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "275e37532e8ebe25e8a4069b2d9f955bfd202a46",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "47ab3d820cb0a502bd0074f83bb3cf7ab5d79902",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "1034719fdefd26caeec0a44a868bb5a412c2c1a5",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "ae17b3b5e753efc239421d186cd1ff06e5ac296e",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "dfdcbcde5c20df878178245d4449feada7d5b201",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "7ef3fd250f84494fb2f7871f357808edaa1fc6ce",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "ecfd41166b72b67d3bdeb88d224ff445f6163869",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 cluster segment descriptors\n\nUAC3 class segment descriptors need to be verified whether their sizes\nmatch with the declared lengths and whether they fit with the\nallocated buffer sizes, too. Otherwise malicious firmware may lead to\nthe unexpected OOB accesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:47.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/799c06ad4c9c790c265e8b6b94947213f1fb389c"
},
{
"url": "https://git.kernel.org/stable/c/786571b10b1ae6d90e1242848ce78ee7e1d493c4"
},
{
"url": "https://git.kernel.org/stable/c/275e37532e8ebe25e8a4069b2d9f955bfd202a46"
},
{
"url": "https://git.kernel.org/stable/c/47ab3d820cb0a502bd0074f83bb3cf7ab5d79902"
},
{
"url": "https://git.kernel.org/stable/c/1034719fdefd26caeec0a44a868bb5a412c2c1a5"
},
{
"url": "https://git.kernel.org/stable/c/ae17b3b5e753efc239421d186cd1ff06e5ac296e"
},
{
"url": "https://git.kernel.org/stable/c/dfdcbcde5c20df878178245d4449feada7d5b201"
},
{
"url": "https://git.kernel.org/stable/c/7ef3fd250f84494fb2f7871f357808edaa1fc6ce"
},
{
"url": "https://git.kernel.org/stable/c/ecfd41166b72b67d3bdeb88d224ff445f6163869"
}
],
"title": "ALSA: usb-audio: Validate UAC3 cluster segment descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39757",
"datePublished": "2025-09-11T16:52:26.900Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-11-03T17:43:07.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39790 (GCVE-0-2025-39790)
Vulnerability from cvelistv5
Published
2025-09-11 16:56
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Detect events pointing to unexpected TREs
When a remote device sends a completion event to the host, it contains a
pointer to the consumed TRE. The host uses this pointer to process all of
the TREs between it and the host's local copy of the ring's read pointer.
This works when processing completion for chained transactions, but can
lead to nasty results if the device sends an event for a single-element
transaction with a read pointer that is multiple elements ahead of the
host's read pointer.
For instance, if the host accesses an event ring while the device is
updating it, the pointer inside of the event might still point to an old
TRE. If the host uses the channel's xfer_cb() to directly free the buffer
pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used upstream EP stack without
'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer
is written")'. Where the device updated the events ring pointer before
updating the event contents, so it left a window where the host was able to
access the stale data the event pointed to, before the device had the
chance to update them. The usual pattern was that the host received an
event pointing to a TRE that is not immediately after the last processed
one, so it got treated as if it was a chained transaction, processing all
of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the
event points to a TRE that isn't local_rp + 1 are chained.
[mani: added stable tag and reworded commit message]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 Version: 1d3173a3bae7039b765a0956e3e4bf846dbaacb8 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:24.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b3f0e3b60c27f4fcb69927d84987e5fd6240530",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "4079c6c59705b96285219b9efc63cab870d757b7",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "5e17429679a8545afe438ce7a82a13a54e8ceabb",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "2ec99b922f4661521927eeada76f431eebfbabc4",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "44e1a079e18f78d6594a715b0c6d7e18c656f7b9",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
},
{
"lessThan": "5bd398e20f0833ae8a1267d4f343591a2dd20185",
"status": "affected",
"version": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. The host uses this pointer to process all of\nthe TREs between it and the host\u0027s local copy of the ring\u0027s read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost\u0027s read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel\u0027s xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n\u0027commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")\u0027. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn\u0027t local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:28.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530"
},
{
"url": "https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7"
},
{
"url": "https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb"
},
{
"url": "https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4"
},
{
"url": "https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9"
},
{
"url": "https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185"
}
],
"title": "bus: mhi: host: Detect events pointing to unexpected TREs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39790",
"datePublished": "2025-09-11T16:56:38.643Z",
"dateReserved": "2025-04-16T07:20:57.131Z",
"dateUpdated": "2025-11-03T17:43:24.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40062 (GCVE-0-2025-40062)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs
When the initialization of qm->debug.acc_diff_reg fails,
the probe process does not exit. However, after qm->debug.qm_diff_regs is
freed, it is not set to NULL. This can lead to a double free when the
remove process attempts to free it again. Therefore, qm->debug.qm_diff_regs
should be set to NULL after it is freed.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c Version: 7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e Version: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 Version: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 Version: 8be0913389718e8d27c4f1d4537b5e1b99ed7739 Version: e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7836260d5121949ba734e840d42a86ab4a32fcc",
"status": "affected",
"version": "eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c",
"versionType": "git"
},
{
"lessThan": "1750f1ec143ebabdbdfa013668665c9d5042c430",
"status": "affected",
"version": "7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e",
"versionType": "git"
},
{
"lessThan": "a87a21a56244b8f4eb357f6bad879247005bbe38",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"lessThan": "7226a0650ad5705bd8d39a11be270fa21ed1e6a5",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"lessThan": "f0cafb02de883b3b413d34eb079c9680782a9cc1",
"status": "affected",
"version": "8be0913389718e8d27c4f1d4537b5e1b99ed7739",
"versionType": "git"
},
{
"status": "affected",
"version": "e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - set NULL to qm-\u003edebug.qm_diff_regs\n\nWhen the initialization of qm-\u003edebug.acc_diff_reg fails,\nthe probe process does not exit. However, after qm-\u003edebug.qm_diff_regs is\nfreed, it is not set to NULL. This can lead to a double free when the\nremove process attempts to free it again. Therefore, qm-\u003edebug.qm_diff_regs\nshould be set to NULL after it is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:33.961Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7836260d5121949ba734e840d42a86ab4a32fcc"
},
{
"url": "https://git.kernel.org/stable/c/1750f1ec143ebabdbdfa013668665c9d5042c430"
},
{
"url": "https://git.kernel.org/stable/c/a87a21a56244b8f4eb357f6bad879247005bbe38"
},
{
"url": "https://git.kernel.org/stable/c/7226a0650ad5705bd8d39a11be270fa21ed1e6a5"
},
{
"url": "https://git.kernel.org/stable/c/f0cafb02de883b3b413d34eb079c9680782a9cc1"
}
],
"title": "crypto: hisilicon/qm - set NULL to qm-\u003edebug.qm_diff_regs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40062",
"datePublished": "2025-10-28T11:48:33.961Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-10-28T11:48:33.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53264 (GCVE-0-2023-53264)
Vulnerability from cvelistv5
Published
2025-09-16 08:06
Modified
2025-09-16 08:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe
Use devm_of_iomap() instead of of_iomap() to automatically
handle the unused ioremap region. If any error occurs, regions allocated by
kzalloc() will leak, but using devm_kzalloc() instead will automatically
free the memory using devm_kfree().
Also, fix error handling of hws by adding unregister_hws label, which
unregisters remaining hws when iomap failed.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imxrt1050.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1839032251a66f2ae5a043c495532830a55d28c4",
"status": "affected",
"version": "7154b046d8f3a441474ced1688eb348d42f5f165",
"versionType": "git"
},
{
"lessThan": "0fbdfd2542252e4c02e8158a06b7c0c9cfd40f99",
"status": "affected",
"version": "7154b046d8f3a441474ced1688eb348d42f5f165",
"versionType": "git"
},
{
"lessThan": "02e54db221bb001b32f839e0149ee8d890ab9aa1",
"status": "affected",
"version": "7154b046d8f3a441474ced1688eb348d42f5f165",
"versionType": "git"
},
{
"lessThan": "1b280598ab3bd8a2dc8b96a12530d5b1ee7a8f4a",
"status": "affected",
"version": "7154b046d8f3a441474ced1688eb348d42f5f165",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imxrt1050.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe\n\nUse devm_of_iomap() instead of of_iomap() to automatically\nhandle the unused ioremap region. If any error occurs, regions allocated by\nkzalloc() will leak, but using devm_kzalloc() instead will automatically\nfree the memory using devm_kfree().\n\nAlso, fix error handling of hws by adding unregister_hws label, which\nunregisters remaining hws when iomap failed."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:06:54.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1839032251a66f2ae5a043c495532830a55d28c4"
},
{
"url": "https://git.kernel.org/stable/c/0fbdfd2542252e4c02e8158a06b7c0c9cfd40f99"
},
{
"url": "https://git.kernel.org/stable/c/02e54db221bb001b32f839e0149ee8d890ab9aa1"
},
{
"url": "https://git.kernel.org/stable/c/1b280598ab3bd8a2dc8b96a12530d5b1ee7a8f4a"
}
],
"title": "clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53264",
"datePublished": "2025-09-16T08:06:54.827Z",
"dateReserved": "2025-09-16T08:05:12.515Z",
"dateUpdated": "2025-09-16T08:06:54.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53504 (GCVE-0-2023-53504)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF
ib_dealloc_device() should be called only after device cleanup. Fix the
dealloc sequence.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c95863f6d970ef968e7c1f3c481f72a4b0734654",
"status": "affected",
"version": "6d758147c7b80a46465f72e9e6294d244ee98a21",
"versionType": "git"
},
{
"lessThan": "5363fc488da579923edf6a2fdca3d3b651dd800b",
"status": "affected",
"version": "6d758147c7b80a46465f72e9e6294d244ee98a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF\n\nib_dealloc_device() should be called only after device cleanup. Fix the\ndealloc sequence."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:54.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c95863f6d970ef968e7c1f3c481f72a4b0734654"
},
{
"url": "https://git.kernel.org/stable/c/5363fc488da579923edf6a2fdca3d3b651dd800b"
}
],
"title": "RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53504",
"datePublished": "2025-10-01T11:45:54.977Z",
"dateReserved": "2025-10-01T11:39:39.404Z",
"dateUpdated": "2025-10-01T11:45:54.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39697 (GCVE-0-2025-39697)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a race when updating an existing write
After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.
So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a Version: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:28.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c",
"include/linux/nfs_page.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ff42a32784e0f2cb46a46da8e9f473538c13e1b",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "f230d40147cc37eb3aef4d50e2e2c06ea73d9a77",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "c32e3c71aaa1c1ba05da88605e2ddd493c58794f",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "181feb41f0b268e6288bf9a7b984624d7fe2031d",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "92278ae36935a54e65fef9f8ea8efe7e80481ace",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "202a3432d21ac060629a760fff3b0a39859da3ea",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
},
{
"lessThan": "76d2e3890fb169168c73f2e4f8375c7cc24a765e",
"status": "affected",
"version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c",
"include/linux/nfs_page.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn\u0027t\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let\u0027s take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:37.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ff42a32784e0f2cb46a46da8e9f473538c13e1b"
},
{
"url": "https://git.kernel.org/stable/c/f230d40147cc37eb3aef4d50e2e2c06ea73d9a77"
},
{
"url": "https://git.kernel.org/stable/c/c32e3c71aaa1c1ba05da88605e2ddd493c58794f"
},
{
"url": "https://git.kernel.org/stable/c/181feb41f0b268e6288bf9a7b984624d7fe2031d"
},
{
"url": "https://git.kernel.org/stable/c/92278ae36935a54e65fef9f8ea8efe7e80481ace"
},
{
"url": "https://git.kernel.org/stable/c/202a3432d21ac060629a760fff3b0a39859da3ea"
},
{
"url": "https://git.kernel.org/stable/c/76d2e3890fb169168c73f2e4f8375c7cc24a765e"
}
],
"title": "NFS: Fix a race when updating an existing write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39697",
"datePublished": "2025-09-05T17:21:03.178Z",
"dateReserved": "2025-04-16T07:20:57.115Z",
"dateUpdated": "2025-11-03T17:42:28.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40011 (GCVE-0-2025-40011)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gma500: Fix null dereference in hdmi teardown
pci_set_drvdata sets the value of pdev->driver_data to NULL,
after which the driver_data obtained from the same dev is
dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
extracted from it. To prevent this, swap these calls.
Found by Linux Verification Center (linuxtesting.org) with Svacer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70b0c11483d3b90b2d0f416026e475e084a77e62",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "4bbfd1b290857b9d14ea9d91562bde55ff2bc85e",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "e15de80737d444ed743b1c60ced4a3a97913169b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "f800f7054d2cf28b51296c7c575da27c29e3859b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "0fc650fa475b50c1da8236c5e900b9460c7027bc",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "352e66900cde63f3dadb142364d3c35170bbaaff",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix null dereference in hdmi teardown\n\npci_set_drvdata sets the value of pdev-\u003edriver_data to NULL,\nafter which the driver_data obtained from the same dev is\ndereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is\nextracted from it. To prevent this, swap these calls.\n\nFound by Linux Verification Center (linuxtesting.org) with Svacer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:56.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70b0c11483d3b90b2d0f416026e475e084a77e62"
},
{
"url": "https://git.kernel.org/stable/c/4bbfd1b290857b9d14ea9d91562bde55ff2bc85e"
},
{
"url": "https://git.kernel.org/stable/c/e15de80737d444ed743b1c60ced4a3a97913169b"
},
{
"url": "https://git.kernel.org/stable/c/02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7"
},
{
"url": "https://git.kernel.org/stable/c/6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba"
},
{
"url": "https://git.kernel.org/stable/c/f800f7054d2cf28b51296c7c575da27c29e3859b"
},
{
"url": "https://git.kernel.org/stable/c/0fc650fa475b50c1da8236c5e900b9460c7027bc"
},
{
"url": "https://git.kernel.org/stable/c/352e66900cde63f3dadb142364d3c35170bbaaff"
}
],
"title": "drm/gma500: Fix null dereference in hdmi teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40011",
"datePublished": "2025-10-20T15:26:56.558Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:56.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53508 (GCVE-0-2023-53508)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fail to start device if queue setup is interrupted
In ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is
interrupted by signal, queues aren't setup successfully yet, so we
have to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.
Reported by German when working on qemu-storage-deamon which requires
single thread ublk daemon.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d5916c439574b18a0734872daa0022b3d6105ad",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "6ab3e7d424cd413d7a5e976c8a30b4ffa84a65dd",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "53e7d08f6d6e214c40db1f51291bb2975c789dc2",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fail to start device if queue setup is interrupted\n\nIn ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is\ninterrupted by signal, queues aren\u0027t setup successfully yet, so we\nhave to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.\n\nReported by German when working on qemu-storage-deamon which requires\nsingle thread ublk daemon."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:58.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d5916c439574b18a0734872daa0022b3d6105ad"
},
{
"url": "https://git.kernel.org/stable/c/6ab3e7d424cd413d7a5e976c8a30b4ffa84a65dd"
},
{
"url": "https://git.kernel.org/stable/c/53e7d08f6d6e214c40db1f51291bb2975c789dc2"
}
],
"title": "ublk: fail to start device if queue setup is interrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53508",
"datePublished": "2025-10-01T11:45:58.042Z",
"dateReserved": "2025-10-01T11:39:39.405Z",
"dateUpdated": "2025-10-01T11:45:58.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53700 (GCVE-0-2023-53700)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: max9286: Fix memleak in max9286_v4l2_register()
There is a kmemleak when testing the media/i2c/max9286.c with bpf mock
device:
kmemleak: 5 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
unreferenced object 0xffff88810defc400 (size 256):
comm "python3", pid 278, jiffies 4294737563 (age 31.978s)
hex dump (first 32 bytes):
28 06 a7 0a 81 88 ff ff 00 fe 22 12 81 88 ff ff (.........".....
10 c4 ef 0d 81 88 ff ff 10 c4 ef 0d 81 88 ff ff ................
backtrace:
[<00000000191de6a7>] __kmalloc_node+0x44/0x1b0
[<000000002f4912b7>] kvmalloc_node+0x34/0x180
[<0000000057dc4cae>] v4l2_ctrl_new+0x325/0x10f0 [videodev]
[<0000000026030272>] v4l2_ctrl_new_std+0x16f/0x210 [videodev]
[<00000000f0d9ea2f>] max9286_probe+0x76e/0xbff [max9286]
[<00000000ea8f6455>] i2c_device_probe+0x28d/0x680
[<0000000087529af3>] really_probe+0x17c/0x3f0
[<00000000b08be526>] __driver_probe_device+0xe3/0x170
[<000000004382edea>] driver_probe_device+0x49/0x120
[<000000007bde528a>] __device_attach_driver+0xf7/0x150
[<000000009f9c6ab4>] bus_for_each_drv+0x114/0x180
[<00000000c8aaf588>] __device_attach+0x1e5/0x2d0
[<0000000041cc06b9>] bus_probe_device+0x126/0x140
[<000000002309860d>] device_add+0x810/0x1130
[<000000002827bf98>] i2c_new_client_device+0x359/0x4f0
[<00000000593bdc85>] of_i2c_register_device+0xf1/0x110
max9286_v4l2_register() calls v4l2_ctrl_new_std(), but won't free the
created v412_ctrl when fwnode_graph_get_endpoint_by_id() failed, which
causes the memleak. Call v4l2_ctrl_handler_free() to free the v412_ctrl.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "505ff3a0c5951684c3a43094ca4c1a74683d5681",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "5897fe3ebe8252993579e1bee715ebfe5504e052",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "724039e013b34f46344abdbf8c74e6a65a828327",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "5e31213fa017c20ccc989033a5f4a626473aa2ca",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "8636c5fc7658c7c6299fb8b352d24ea4b9ba99e2",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: max9286: Fix memleak in max9286_v4l2_register()\n\nThere is a kmemleak when testing the media/i2c/max9286.c with bpf mock\ndevice:\n\nkmemleak: 5 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nunreferenced object 0xffff88810defc400 (size 256):\n comm \"python3\", pid 278, jiffies 4294737563 (age 31.978s)\n hex dump (first 32 bytes):\n 28 06 a7 0a 81 88 ff ff 00 fe 22 12 81 88 ff ff (.........\".....\n 10 c4 ef 0d 81 88 ff ff 10 c4 ef 0d 81 88 ff ff ................\n backtrace:\n [\u003c00000000191de6a7\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000002f4912b7\u003e] kvmalloc_node+0x34/0x180\n [\u003c0000000057dc4cae\u003e] v4l2_ctrl_new+0x325/0x10f0 [videodev]\n [\u003c0000000026030272\u003e] v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n [\u003c00000000f0d9ea2f\u003e] max9286_probe+0x76e/0xbff [max9286]\n [\u003c00000000ea8f6455\u003e] i2c_device_probe+0x28d/0x680\n [\u003c0000000087529af3\u003e] really_probe+0x17c/0x3f0\n [\u003c00000000b08be526\u003e] __driver_probe_device+0xe3/0x170\n [\u003c000000004382edea\u003e] driver_probe_device+0x49/0x120\n [\u003c000000007bde528a\u003e] __device_attach_driver+0xf7/0x150\n [\u003c000000009f9c6ab4\u003e] bus_for_each_drv+0x114/0x180\n [\u003c00000000c8aaf588\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000041cc06b9\u003e] bus_probe_device+0x126/0x140\n [\u003c000000002309860d\u003e] device_add+0x810/0x1130\n [\u003c000000002827bf98\u003e] i2c_new_client_device+0x359/0x4f0\n [\u003c00000000593bdc85\u003e] of_i2c_register_device+0xf1/0x110\n\nmax9286_v4l2_register() calls v4l2_ctrl_new_std(), but won\u0027t free the\ncreated v412_ctrl when fwnode_graph_get_endpoint_by_id() failed, which\ncauses the memleak. Call v4l2_ctrl_handler_free() to free the v412_ctrl."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:39.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/505ff3a0c5951684c3a43094ca4c1a74683d5681"
},
{
"url": "https://git.kernel.org/stable/c/5897fe3ebe8252993579e1bee715ebfe5504e052"
},
{
"url": "https://git.kernel.org/stable/c/724039e013b34f46344abdbf8c74e6a65a828327"
},
{
"url": "https://git.kernel.org/stable/c/5e31213fa017c20ccc989033a5f4a626473aa2ca"
},
{
"url": "https://git.kernel.org/stable/c/8636c5fc7658c7c6299fb8b352d24ea4b9ba99e2"
}
],
"title": "media: max9286: Fix memleak in max9286_v4l2_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53700",
"datePublished": "2025-10-22T13:23:39.560Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:39.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49860 (GCVE-0-2024-49860)
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2025-11-03 22:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: sysfs: validate return type of _STR method
Only buffer objects are valid return values of _STR.
If something else is returned description_show() will access invalid
memory.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T12:55:46.676497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:04:10.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:22:30.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/device_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92fd5209fc014405f63a7db79802ca4b01dc0c05",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "2364b6af90c6b6d8a4783e0d3481ca80af699554",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "4b081991c4363e072e1748efed0bbec8a77daba5",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "0cdfb9178a3bba843c95c2117c82c15f1a64b9ce",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "5c8d007c14aefc3f2ddf71e4c40713733dc827be",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "f0921ecd4ddc14646bb5511f49db4d7d3b0829f0",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "f51e5a88f2e7224858b261546cf6b3037dfb1323",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "f51f711d36e61fbb87c67b524fd200e05172668d",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
},
{
"lessThan": "4bb1e7d027413835b086aed35bc3f0713bc0f72b",
"status": "affected",
"version": "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/device_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: sysfs: validate return type of _STR method\n\nOnly buffer objects are valid return values of _STR.\n\nIf something else is returned description_show() will access invalid\nmemory."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:39:44.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92fd5209fc014405f63a7db79802ca4b01dc0c05"
},
{
"url": "https://git.kernel.org/stable/c/2364b6af90c6b6d8a4783e0d3481ca80af699554"
},
{
"url": "https://git.kernel.org/stable/c/4b081991c4363e072e1748efed0bbec8a77daba5"
},
{
"url": "https://git.kernel.org/stable/c/0cdfb9178a3bba843c95c2117c82c15f1a64b9ce"
},
{
"url": "https://git.kernel.org/stable/c/5c8d007c14aefc3f2ddf71e4c40713733dc827be"
},
{
"url": "https://git.kernel.org/stable/c/f0921ecd4ddc14646bb5511f49db4d7d3b0829f0"
},
{
"url": "https://git.kernel.org/stable/c/f51e5a88f2e7224858b261546cf6b3037dfb1323"
},
{
"url": "https://git.kernel.org/stable/c/f51f711d36e61fbb87c67b524fd200e05172668d"
},
{
"url": "https://git.kernel.org/stable/c/4bb1e7d027413835b086aed35bc3f0713bc0f72b"
}
],
"title": "ACPI: sysfs: validate return type of _STR method",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49860",
"datePublished": "2024-10-21T12:27:18.640Z",
"dateReserved": "2024-10-21T12:17:06.017Z",
"dateUpdated": "2025-11-03T22:22:30.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40043 (GCVE-0-2025-40043)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2a7 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation
that was done at nic_valid_size(). This validation only
validates the skb->len (directly reflects size provided at the
userspace interface) with the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what opcode requires there. This leads to the accesses to
buffer of `skb_buff->data` which is not assigned anything yet.
Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop
Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. A proper handling of them may require to export
`nci_request_cancel` (or propagate error handling from the
nft packets handlers).
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fcc7315a10a84264e55bb65ede10f0af20a983f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "bfdda0123dde406dbff62e7e9136037e97998a15",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "0ba68bea1e356f466ad29449938bea12f5f3711f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "74837bca0748763a77f77db47a0bdbe63b347628",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c395d1e548cc68e84584ffa2e3ca9796a78bf7b9",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9c328f54741bd5465ca1dc717c84c04242fac2e1",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n\u0027perf-tools-fixes-for-v6.17-2025-09-16\u0027 of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb-\u003elen (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff-\u003edata` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers)."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:22.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f"
},
{
"url": "https://git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15"
},
{
"url": "https://git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f"
},
{
"url": "https://git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628"
},
{
"url": "https://git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"
},
{
"url": "https://git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1"
}
],
"title": "net: nfc: nci: Add parameter validation for packet data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40043",
"datePublished": "2025-10-28T11:48:22.230Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-10-28T11:48:22.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53577 (GCVE-0-2023-53577)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, cpumap: Make sure kthread is running before map update returns
The following warning was reported when running stress-mode enabled
xdp_redirect_cpu with some RT threads:
------------[ cut here ]------------
WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135
CPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: events cpu_map_kthread_stop
RIP: 0010:put_cpu_map_entry+0xda/0x220
......
Call Trace:
<TASK>
? show_regs+0x65/0x70
? __warn+0xa5/0x240
......
? put_cpu_map_entry+0xda/0x220
cpu_map_kthread_stop+0x41/0x60
process_one_work+0x6b0/0xb80
worker_thread+0x96/0x720
kthread+0x1a5/0x1f0
ret_from_fork+0x3a/0x70
ret_from_fork_asm+0x1b/0x30
</TASK>
The root cause is the same as commit 436901649731 ("bpf: cpumap: Fix memory
leak in cpu_map_update_elem"). The kthread is stopped prematurely by
kthread_stop() in cpu_map_kthread_stop(), and kthread() doesn't call
cpu_map_kthread_run() at all but XDP program has already queued some
frames or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checks
the ptr_ring, it will find it was not emptied and report a warning.
An alternative fix is to use __cpu_map_ring_cleanup() to drop these
pending frames or skbs when kthread_stop() returns -EINTR, but it may
confuse the user, because these frames or skbs have been handled
correctly by XDP program. So instead of dropping these frames or skbs,
just make sure the per-cpu kthread is running before
__cpu_map_entry_alloc() returns.
After apply the fix, the error handle for kthread_stop() will be
unnecessary because it will always return 0, so just remove it.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b44d28b98f185d2f2348aa3c3636838c316f889e",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "7a1178a3671b40746830d355836b72e47ceb2490",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "ecb45b852af5e88257020b88bea5ff0798d72aca",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "640a604585aa30f93e39b17d4d6ba69fcb1e66c9",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Make sure kthread is running before map update returns\n\nThe following warning was reported when running stress-mode enabled\nxdp_redirect_cpu with some RT threads:\n\n ------------[ cut here ]------------\n WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135\n CPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: events cpu_map_kthread_stop\n RIP: 0010:put_cpu_map_entry+0xda/0x220\n ......\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x65/0x70\n ? __warn+0xa5/0x240\n ......\n ? put_cpu_map_entry+0xda/0x220\n cpu_map_kthread_stop+0x41/0x60\n process_one_work+0x6b0/0xb80\n worker_thread+0x96/0x720\n kthread+0x1a5/0x1f0\n ret_from_fork+0x3a/0x70\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe root cause is the same as commit 436901649731 (\"bpf: cpumap: Fix memory\nleak in cpu_map_update_elem\"). The kthread is stopped prematurely by\nkthread_stop() in cpu_map_kthread_stop(), and kthread() doesn\u0027t call\ncpu_map_kthread_run() at all but XDP program has already queued some\nframes or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checks\nthe ptr_ring, it will find it was not emptied and report a warning.\n\nAn alternative fix is to use __cpu_map_ring_cleanup() to drop these\npending frames or skbs when kthread_stop() returns -EINTR, but it may\nconfuse the user, because these frames or skbs have been handled\ncorrectly by XDP program. So instead of dropping these frames or skbs,\njust make sure the per-cpu kthread is running before\n__cpu_map_entry_alloc() returns.\n\nAfter apply the fix, the error handle for kthread_stop() will be\nunnecessary because it will always return 0, so just remove it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:16.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b44d28b98f185d2f2348aa3c3636838c316f889e"
},
{
"url": "https://git.kernel.org/stable/c/7a1178a3671b40746830d355836b72e47ceb2490"
},
{
"url": "https://git.kernel.org/stable/c/ecb45b852af5e88257020b88bea5ff0798d72aca"
},
{
"url": "https://git.kernel.org/stable/c/640a604585aa30f93e39b17d4d6ba69fcb1e66c9"
}
],
"title": "bpf, cpumap: Make sure kthread is running before map update returns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53577",
"datePublished": "2025-10-04T15:17:16.632Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:17:16.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50432 (GCVE-0-2022-50432)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix use-after-free in __kernfs_remove
Syzkaller managed to trigger concurrent calls to
kernfs_remove_by_name_ns() for the same file resulting in
a KASAN detected use-after-free. The race occurs when the root
node is freed during kernfs_drain().
To prevent this acquire an additional reference for the root
of the tree that is removed before calling __kernfs_remove().
Found by syzkaller with the following reproducer (slab_nomerge is
required):
syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
close(r0)
pipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800)
mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})
Sample report:
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857
CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433
kasan_report+0xa3/0x130 mm/kasan/report.c:495
kernfs_type include/linux/kernfs.h:335 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
__kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
__kernfs_remove fs/kernfs/dir.c:1356 [inline]
kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
__kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
create_cache mm/slab_common.c:229 [inline]
kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
p9_client_create+0xd4d/0x1190 net/9p/client.c:993
v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
vfs_get_tree+0x85/0x2e0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x675/0x1d00 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x282/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f725f983aed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000
R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000
</TASK>
Allocated by task 855:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:7
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/kernfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4dfd6a477a1525773469feaf3c514b2c0fef76b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02eb35131050735332658029082f61515b7dfe38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "028cf780743eea79abffa7206b9dcfc080ad3546",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c78b0dc6fb7fb389d674e491fd376388cdfb1d53",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f72a3977ba9d0e5491a5c01315204272e7f9c44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94d2643df1e70a4c310ebb5e2c493eec33df1a06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af1b57cc39beca203559576b3046094fc9e5eb32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4abc99652812a2ddf932f137515d5c5a04723538",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/kernfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix use-after-free in __kernfs_remove\n\nSyzkaller managed to trigger concurrent calls to\nkernfs_remove_by_name_ns() for the same file resulting in\na KASAN detected use-after-free. The race occurs when the root\nnode is freed during kernfs_drain().\n\nTo prevent this acquire an additional reference for the root\nof the tree that is removed before calling __kernfs_remove().\n\nFound by syzkaller with the following reproducer (slab_nomerge is\nrequired):\n\nsyz_mount_image$ext4(0x0, \u0026(0x7f0000000100)=\u0027./file0\\x00\u0027, 0x100000, 0x0, 0x0, 0x0, 0x0)\nr0 = openat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027/proc/self/exe\\x00\u0027, 0x0, 0x0)\nclose(r0)\npipe2(\u0026(0x7f0000000140)={0xffffffffffffffff, \u003cr1=\u003e0xffffffffffffffff}, 0x800)\nmount$9p_fd(0x0, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, \u0026(0x7f00000000c0), 0x408, \u0026(0x7f0000000280)={\u0027trans=fd,\u0027, {\u0027rfdno\u0027, 0x3d, r0}, 0x2c, {\u0027wfdno\u0027, 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={\u0027mask\u0027, 0x3d, \u0027^MAY_EXEC\u0027}}, {@fsmagic={\u0027fsmagic\u0027, 0x3d, 0x10001}}, {@dont_hash}]}})\n\nSample report:\n\n==================================================================\nBUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]\nBUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\nBUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\nRead of size 2 at addr ffff8880088807f0 by task syz-executor.2/857\n\nCPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433\n kasan_report+0xa3/0x130 mm/kasan/report.c:495\n kernfs_type include/linux/kernfs.h:335 [inline]\n kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\n __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\n __kernfs_remove fs/kernfs/dir.c:1356 [inline]\n kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589\n sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943\n __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335\n p9_client_create+0xd4d/0x1190 net/9p/client.c:993\n v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408\n v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126\n legacy_get_tree+0xf1/0x200 fs/fs_context.c:610\n vfs_get_tree+0x85/0x2e0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x675/0x1d00 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x282/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f725f983aed\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\nRAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed\nRDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000\nRBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000\nR10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000\n \u003c/TASK\u003e\n\nAllocated by task 855:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:437 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470\n kasan_slab_alloc include/linux/kasan.h:224 [inline]\n slab_post_alloc_hook mm/slab.h:7\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:10.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4dfd6a477a1525773469feaf3c514b2c0fef76b5"
},
{
"url": "https://git.kernel.org/stable/c/02eb35131050735332658029082f61515b7dfe38"
},
{
"url": "https://git.kernel.org/stable/c/028cf780743eea79abffa7206b9dcfc080ad3546"
},
{
"url": "https://git.kernel.org/stable/c/c78b0dc6fb7fb389d674e491fd376388cdfb1d53"
},
{
"url": "https://git.kernel.org/stable/c/6f72a3977ba9d0e5491a5c01315204272e7f9c44"
},
{
"url": "https://git.kernel.org/stable/c/94d2643df1e70a4c310ebb5e2c493eec33df1a06"
},
{
"url": "https://git.kernel.org/stable/c/af1b57cc39beca203559576b3046094fc9e5eb32"
},
{
"url": "https://git.kernel.org/stable/c/4abc99652812a2ddf932f137515d5c5a04723538"
}
],
"title": "kernfs: fix use-after-free in __kernfs_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50432",
"datePublished": "2025-10-01T11:42:10.573Z",
"dateReserved": "2025-09-17T14:53:07.009Z",
"dateUpdated": "2025-10-01T11:42:10.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53607 (GCVE-0-2023-53607)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ymfpci: Fix BUG_ON in probe function
The snd_dma_buffer.bytes field now contains the aligned size, which this
snd_BUG_ON() did not account for, resulting in the following:
[ 9.625915] ------------[ cut here ]------------
[ 9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
[ 9.648926] Modules linked in: snd_ymfpci(+) snd_intel_dspcfg kvm(+) snd_intel_sdw_acpi snd_ac97_codec snd_mpu401_uart snd_opl3_lib irqbypass snd_hda_codec gameport snd_rawmidi crct10dif_pclmul crc32_pclmul cfg80211 snd_hda_core polyval_clmulni polyval_generic gf128mul snd_seq_device ghash_clmulni_intel snd_hwdep ac97_bus sha512_ssse3 rfkill snd_pcm aesni_intel tg3 snd_timer crypto_simd snd mxm_wmi libphy cryptd k10temp fam15h_power pcspkr soundcore sp5100_tco wmi acpi_cpufreq mac_hid dm_multipath sg loop fuse dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi firewire_ohci crc32c_intel firewire_core xhci_pci crc_itu_t pata_via xhci_pci_renesas floppy
[ 9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da
[ 9.722200] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./990FX Extreme4, BIOS P2.70 06/05/2014
[ 9.732204] Workqueue: events work_for_cpu_fn
[ 9.736580] RIP: 0010:snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
[ 9.742594] Code: 8c c0 4c 89 e2 48 89 df 48 c7 c6 92 c6 8c c0 e8 15 d0 e9 ff 48 83 c4 08 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 d3 7a 33 e3 <0f> 0b e9 cb fd ff ff 41 bd fb ff ff ff eb db 41 bd f4 ff ff ff eb
[ 9.761358] RSP: 0018:ffffab64804e7da0 EFLAGS: 00010287
[ 9.766594] RAX: ffff8fa2df06c400 RBX: ffff8fa3073a8000 RCX: ffff8fa303fbc4a8
[ 9.773734] RDX: ffff8fa2df06d000 RSI: 0000000000000010 RDI: 0000000000000020
[ 9.780876] RBP: ffff8fa300b5d0d0 R08: ffff8fa3073a8e50 R09: 00000000df06bf00
[ 9.788018] R10: ffff8fa2df06bf00 R11: 00000000df068200 R12: ffff8fa3073a8918
[ 9.795159] R13: 0000000000000000 R14: 0000000000000080 R15: ffff8fa2df068200
[ 9.802317] FS: 0000000000000000(0000) GS:ffff8fa9fec00000(0000) knlGS:0000000000000000
[ 9.810414] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9.816158] CR2: 000055febaf66500 CR3: 0000000101a2e000 CR4: 00000000000406f0
[ 9.823301] Call Trace:
[ 9.825747] <TASK>
[ 9.827889] snd_card_ymfpci_probe+0x194/0x950 [snd_ymfpci b78a5fe64b5663a6390a909c67808567e3e73615]
[ 9.837030] ? finish_task_switch.isra.0+0x90/0x2d0
[ 9.841918] local_pci_probe+0x45/0x80
[ 9.845680] work_for_cpu_fn+0x1a/0x30
[ 9.849431] process_one_work+0x1c7/0x380
[ 9.853464] worker_thread+0x1af/0x390
[ 9.857225] ? rescuer_thread+0x3b0/0x3b0
[ 9.861254] kthread+0xde/0x110
[ 9.864414] ? kthread_complete_and_exit+0x20/0x20
[ 9.869210] ret_from_fork+0x22/0x30
[ 9.872792] </TASK>
[ 9.874985] ---[ end trace 0000000000000000 ]---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4faf4bbc2d600a921052ff45b1b5914d583d9046 Version: 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e Version: 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e Version: 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e Version: 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e Version: f52ac912c14c5bf426c0f9e0c6236dbcdf61664e Version: 19241a56c5d6e74b32b1fbb1bd3ba7edef421f16 Version: 05243cf88f7fa5e9dd5659399bc9307ff3fb675f Version: 015af30d373d33548c9afcffbbaaf266459731de |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ymfpci/ymfpci_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96e34c88000febc83e41aa7db0b0a41676314818",
"status": "affected",
"version": "4faf4bbc2d600a921052ff45b1b5914d583d9046",
"versionType": "git"
},
{
"lessThan": "81d2a7e93c8322ca6b858f6736d7fc3d034e6c23",
"status": "affected",
"version": "5c1733e33c888a3cb7f576564d8ad543d5ad4a9e",
"versionType": "git"
},
{
"lessThan": "32b9bd7cfc2e2d92d595386add4e111b232b351f",
"status": "affected",
"version": "5c1733e33c888a3cb7f576564d8ad543d5ad4a9e",
"versionType": "git"
},
{
"lessThan": "d0217b09910c081b6471181345ea5b24025edf51",
"status": "affected",
"version": "5c1733e33c888a3cb7f576564d8ad543d5ad4a9e",
"versionType": "git"
},
{
"lessThan": "6be2e7522eb529b41c16d459f33bbdbcddbf5c15",
"status": "affected",
"version": "5c1733e33c888a3cb7f576564d8ad543d5ad4a9e",
"versionType": "git"
},
{
"status": "affected",
"version": "f52ac912c14c5bf426c0f9e0c6236dbcdf61664e",
"versionType": "git"
},
{
"status": "affected",
"version": "19241a56c5d6e74b32b1fbb1bd3ba7edef421f16",
"versionType": "git"
},
{
"status": "affected",
"version": "05243cf88f7fa5e9dd5659399bc9307ff3fb675f",
"versionType": "git"
},
{
"status": "affected",
"version": "015af30d373d33548c9afcffbbaaf266459731de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ymfpci/ymfpci_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "5.10.134",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.290",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.254",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.208",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ymfpci: Fix BUG_ON in probe function\n\nThe snd_dma_buffer.bytes field now contains the aligned size, which this\nsnd_BUG_ON() did not account for, resulting in the following:\n\n[ 9.625915] ------------[ cut here ]------------\n[ 9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]\n[ 9.648926] Modules linked in: snd_ymfpci(+) snd_intel_dspcfg kvm(+) snd_intel_sdw_acpi snd_ac97_codec snd_mpu401_uart snd_opl3_lib irqbypass snd_hda_codec gameport snd_rawmidi crct10dif_pclmul crc32_pclmul cfg80211 snd_hda_core polyval_clmulni polyval_generic gf128mul snd_seq_device ghash_clmulni_intel snd_hwdep ac97_bus sha512_ssse3 rfkill snd_pcm aesni_intel tg3 snd_timer crypto_simd snd mxm_wmi libphy cryptd k10temp fam15h_power pcspkr soundcore sp5100_tco wmi acpi_cpufreq mac_hid dm_multipath sg loop fuse dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi firewire_ohci crc32c_intel firewire_core xhci_pci crc_itu_t pata_via xhci_pci_renesas floppy\n[ 9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da\n[ 9.722200] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./990FX Extreme4, BIOS P2.70 06/05/2014\n[ 9.732204] Workqueue: events work_for_cpu_fn\n[ 9.736580] RIP: 0010:snd_ymfpci_create+0x681/0x698 [snd_ymfpci]\n[ 9.742594] Code: 8c c0 4c 89 e2 48 89 df 48 c7 c6 92 c6 8c c0 e8 15 d0 e9 ff 48 83 c4 08 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 d3 7a 33 e3 \u003c0f\u003e 0b e9 cb fd ff ff 41 bd fb ff ff ff eb db 41 bd f4 ff ff ff eb\n[ 9.761358] RSP: 0018:ffffab64804e7da0 EFLAGS: 00010287\n[ 9.766594] RAX: ffff8fa2df06c400 RBX: ffff8fa3073a8000 RCX: ffff8fa303fbc4a8\n[ 9.773734] RDX: ffff8fa2df06d000 RSI: 0000000000000010 RDI: 0000000000000020\n[ 9.780876] RBP: ffff8fa300b5d0d0 R08: ffff8fa3073a8e50 R09: 00000000df06bf00\n[ 9.788018] R10: ffff8fa2df06bf00 R11: 00000000df068200 R12: ffff8fa3073a8918\n[ 9.795159] R13: 0000000000000000 R14: 0000000000000080 R15: ffff8fa2df068200\n[ 9.802317] FS: 0000000000000000(0000) GS:ffff8fa9fec00000(0000) knlGS:0000000000000000\n[ 9.810414] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9.816158] CR2: 000055febaf66500 CR3: 0000000101a2e000 CR4: 00000000000406f0\n[ 9.823301] Call Trace:\n[ 9.825747] \u003cTASK\u003e\n[ 9.827889] snd_card_ymfpci_probe+0x194/0x950 [snd_ymfpci b78a5fe64b5663a6390a909c67808567e3e73615]\n[ 9.837030] ? finish_task_switch.isra.0+0x90/0x2d0\n[ 9.841918] local_pci_probe+0x45/0x80\n[ 9.845680] work_for_cpu_fn+0x1a/0x30\n[ 9.849431] process_one_work+0x1c7/0x380\n[ 9.853464] worker_thread+0x1af/0x390\n[ 9.857225] ? rescuer_thread+0x3b0/0x3b0\n[ 9.861254] kthread+0xde/0x110\n[ 9.864414] ? kthread_complete_and_exit+0x20/0x20\n[ 9.869210] ret_from_fork+0x22/0x30\n[ 9.872792] \u003c/TASK\u003e\n[ 9.874985] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:16.598Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96e34c88000febc83e41aa7db0b0a41676314818"
},
{
"url": "https://git.kernel.org/stable/c/81d2a7e93c8322ca6b858f6736d7fc3d034e6c23"
},
{
"url": "https://git.kernel.org/stable/c/32b9bd7cfc2e2d92d595386add4e111b232b351f"
},
{
"url": "https://git.kernel.org/stable/c/d0217b09910c081b6471181345ea5b24025edf51"
},
{
"url": "https://git.kernel.org/stable/c/6be2e7522eb529b41c16d459f33bbdbcddbf5c15"
}
],
"title": "ALSA: ymfpci: Fix BUG_ON in probe function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53607",
"datePublished": "2025-10-04T15:44:16.598Z",
"dateReserved": "2025-10-04T15:40:38.480Z",
"dateUpdated": "2025-10-04T15:44:16.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39876 (GCVE-0-2025-39876)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take
care before dereferencing phy_dev.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9e70485b40c8306298adea8bdc867ca27f88955a Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: c068e505f229ca5f778f825f1401817ce818e917 Version: 8a6ab151443cd71e2aa5e8b7014e3453dbd51935 Version: ce88b5f42868ef4964c497d4dfcd25e88fd60c5b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:21.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c60d12bba14dc655d2d948b1dbf390b3ae39cb8",
"status": "affected",
"version": "9e70485b40c8306298adea8bdc867ca27f88955a",
"versionType": "git"
},
{
"lessThan": "20a3433d31c2d2bf70ab0abec75f3136b42ae66c",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "5f1bb554a131e59b28482abad21f691390651752",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "fe78891f296ac05bf4e5295c9829ef822f3c32e7",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "eb148d85e126c47d65be34f2a465d69432ca5541",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "03e79de4608bdd48ad6eec272e196124cefaf798",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"status": "affected",
"version": "c068e505f229ca5f778f825f1401817ce818e917",
"versionType": "git"
},
{
"status": "affected",
"version": "8a6ab151443cd71e2aa5e8b7014e3453dbd51935",
"versionType": "git"
},
{
"status": "affected",
"version": "ce88b5f42868ef4964c497d4dfcd25e88fd60c5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing phy_dev."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:16.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c60d12bba14dc655d2d948b1dbf390b3ae39cb8"
},
{
"url": "https://git.kernel.org/stable/c/20a3433d31c2d2bf70ab0abec75f3136b42ae66c"
},
{
"url": "https://git.kernel.org/stable/c/93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f"
},
{
"url": "https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752"
},
{
"url": "https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7"
},
{
"url": "https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5"
},
{
"url": "https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541"
},
{
"url": "https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798"
}
],
"title": "net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39876",
"datePublished": "2025-09-23T06:00:47.731Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:21.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38539 (GCVE-0-2025-38539)
Vulnerability from cvelistv5
Published
2025-08-16 11:12
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Add down_write(trace_event_sem) when adding trace event
When a module is loaded, it adds trace events defined by the module. It
may also need to modify the modules trace printk formats to replace enum
names with their values.
If two modules are loaded at the same time, the adding of the event to the
ftrace_events list can corrupt the walking of the list in the code that is
modifying the printk format strings and crash the kernel.
The addition of the event should take the trace_event_sem for write while
it adds the new event.
Also add a lockdep_assert_held() on that semaphore in
__trace_add_event_dirs() as it iterates the list.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d Version: 110bf2b764eb6026b868d84499263cb24b1bcc8d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:34.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e70f5ee4c8824736332351b703c46f9469ed7f6c",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "db45632479ceecb669612ed8dbce927e3c6279fc",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "ca60064ea03f14e06c763de018403cb56ba3207d",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "6bc94f20a4c304997288f9a45278c9d0c06987d3",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "33e20747b47ddc03569b6bc27a2d6894c1428182",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "70fecd519caad0c1741c3379d5348c9000a5b29d",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
},
{
"lessThan": "b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df",
"status": "affected",
"version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add down_write(trace_event_sem) when adding trace event\n\nWhen a module is loaded, it adds trace events defined by the module. It\nmay also need to modify the modules trace printk formats to replace enum\nnames with their values.\n\nIf two modules are loaded at the same time, the adding of the event to the\nftrace_events list can corrupt the walking of the list in the code that is\nmodifying the printk format strings and crash the kernel.\n\nThe addition of the event should take the trace_event_sem for write while\nit adds the new event.\n\nAlso add a lockdep_assert_held() on that semaphore in\n__trace_add_event_dirs() as it iterates the list."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:41.142Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e70f5ee4c8824736332351b703c46f9469ed7f6c"
},
{
"url": "https://git.kernel.org/stable/c/db45632479ceecb669612ed8dbce927e3c6279fc"
},
{
"url": "https://git.kernel.org/stable/c/ca60064ea03f14e06c763de018403cb56ba3207d"
},
{
"url": "https://git.kernel.org/stable/c/7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b"
},
{
"url": "https://git.kernel.org/stable/c/6bc94f20a4c304997288f9a45278c9d0c06987d3"
},
{
"url": "https://git.kernel.org/stable/c/33e20747b47ddc03569b6bc27a2d6894c1428182"
},
{
"url": "https://git.kernel.org/stable/c/70fecd519caad0c1741c3379d5348c9000a5b29d"
},
{
"url": "https://git.kernel.org/stable/c/b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df"
}
],
"title": "tracing: Add down_write(trace_event_sem) when adding trace event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38539",
"datePublished": "2025-08-16T11:12:31.678Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-11-03T17:39:34.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53604 (GCVE-0-2023-53604)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
Otherwise the journal_io_cache will leak if dm_register_target() fails.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff4d6b5b38429a7731e5593680d2138bf74dd546",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "ca8b634fdf07dee3f6dfde57079c4511480b525e",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "6d126899b0747305c9d39a0bcf87e0df9c3f555b",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "44f29e93a55b544dc961b6f8b4e93abaeaafb9ee",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "a5d8c6bf58e5b2e70fbc15f3b08dfc1ba6f269ac",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "3877b5c1509b16eeb1f275228fd91789cd88cf17",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "c8c9c50268729bf35f6c9bb1205f490db920454e",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "e09a592fdd6c716506774bdbebb5f6c537b47767",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "6b79a428c02769f2a11f8ae76bf866226d134887",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: call kmem_cache_destroy() in dm_integrity_init() error path\n\nOtherwise the journal_io_cache will leak if dm_register_target() fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:36.153Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff4d6b5b38429a7731e5593680d2138bf74dd546"
},
{
"url": "https://git.kernel.org/stable/c/ca8b634fdf07dee3f6dfde57079c4511480b525e"
},
{
"url": "https://git.kernel.org/stable/c/6d126899b0747305c9d39a0bcf87e0df9c3f555b"
},
{
"url": "https://git.kernel.org/stable/c/44f29e93a55b544dc961b6f8b4e93abaeaafb9ee"
},
{
"url": "https://git.kernel.org/stable/c/a5d8c6bf58e5b2e70fbc15f3b08dfc1ba6f269ac"
},
{
"url": "https://git.kernel.org/stable/c/3877b5c1509b16eeb1f275228fd91789cd88cf17"
},
{
"url": "https://git.kernel.org/stable/c/c8c9c50268729bf35f6c9bb1205f490db920454e"
},
{
"url": "https://git.kernel.org/stable/c/e09a592fdd6c716506774bdbebb5f6c537b47767"
},
{
"url": "https://git.kernel.org/stable/c/6b79a428c02769f2a11f8ae76bf866226d134887"
}
],
"title": "dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53604",
"datePublished": "2025-10-04T15:44:14.568Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-29T10:50:36.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53260 (GCVE-0-2023-53260)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix null pointer dereference in ovl_permission()
Following process:
P1 P2
path_lookupat
link_path_walk
inode_permission
ovl_permission
ovl_i_path_real(inode, &realpath)
path->dentry = ovl_i_dentry_upper(inode)
drop_cache
__dentry_kill(ovl_dentry)
iput(ovl_inode)
ovl_destroy_inode(ovl_inode)
dput(oi->__upperdentry)
dentry_kill(upperdentry)
dentry_unlink_inode
upperdentry->d_inode = NULL
realinode = d_inode(realpath.dentry) // return NULL
inode_permission(realinode)
inode->i_sb // NULL pointer dereference
, will trigger an null pointer dereference at realinode:
[ 335.664979] BUG: kernel NULL pointer dereference,
address: 0000000000000002
[ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
[ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0
[ 335.678939] Call Trace:
[ 335.679165] <TASK>
[ 335.679371] ovl_permission+0xde/0x320
[ 335.679723] inode_permission+0x15e/0x2c0
[ 335.680090] link_path_walk+0x115/0x550
[ 335.680771] path_lookupat.isra.0+0xb2/0x200
[ 335.681170] filename_lookup+0xda/0x240
[ 335.681922] vfs_statx+0xa6/0x1f0
[ 335.682233] vfs_fstatat+0x7b/0xb0
Fetch a reproducer in [Link].
Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53dd2ca2c02fdcfe3aad2345091d371063f97d17",
"status": "affected",
"version": "4b7791b2e95805eaa9568761741d33cf929c930c",
"versionType": "git"
},
{
"lessThan": "69f9ae7edf9ec0ff500429101923347fcba5c8c4",
"status": "affected",
"version": "4b7791b2e95805eaa9568761741d33cf929c930c",
"versionType": "git"
},
{
"lessThan": "1a73f5b8f079fd42a544c1600beface50c63af7c",
"status": "affected",
"version": "4b7791b2e95805eaa9568761741d33cf929c930c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix null pointer dereference in ovl_permission()\n\nFollowing process:\n P1 P2\n path_lookupat\n link_path_walk\n inode_permission\n ovl_permission\n ovl_i_path_real(inode, \u0026realpath)\n path-\u003edentry = ovl_i_dentry_upper(inode)\n drop_cache\n\t\t\t __dentry_kill(ovl_dentry)\n\t\t iput(ovl_inode)\n\t\t ovl_destroy_inode(ovl_inode)\n\t\t dput(oi-\u003e__upperdentry)\n\t\t dentry_kill(upperdentry)\n\t\t dentry_unlink_inode\n\t\t\t\t upperdentry-\u003ed_inode = NULL\n realinode = d_inode(realpath.dentry) // return NULL\n inode_permission(realinode)\n inode-\u003ei_sb // NULL pointer dereference\n, will trigger an null pointer dereference at realinode:\n [ 335.664979] BUG: kernel NULL pointer dereference,\n address: 0000000000000002\n [ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0\n [ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0\n [ 335.678939] Call Trace:\n [ 335.679165] \u003cTASK\u003e\n [ 335.679371] ovl_permission+0xde/0x320\n [ 335.679723] inode_permission+0x15e/0x2c0\n [ 335.680090] link_path_walk+0x115/0x550\n [ 335.680771] path_lookupat.isra.0+0xb2/0x200\n [ 335.681170] filename_lookup+0xda/0x240\n [ 335.681922] vfs_statx+0xa6/0x1f0\n [ 335.682233] vfs_fstatat+0x7b/0xb0\n\nFetch a reproducer in [Link].\n\nUse the helper ovl_i_path_realinode() to get realinode and then do\nnon-nullptr checking."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:31.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53dd2ca2c02fdcfe3aad2345091d371063f97d17"
},
{
"url": "https://git.kernel.org/stable/c/69f9ae7edf9ec0ff500429101923347fcba5c8c4"
},
{
"url": "https://git.kernel.org/stable/c/1a73f5b8f079fd42a544c1600beface50c63af7c"
}
],
"title": "ovl: fix null pointer dereference in ovl_permission()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53260",
"datePublished": "2025-09-15T14:46:31.919Z",
"dateReserved": "2025-09-15T14:19:21.850Z",
"dateUpdated": "2025-09-15T14:46:31.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50527 (GCVE-0-2022-50527)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".
v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80546eef216854a7bd47e39e828f04b406c00599",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7554886daa31eacc8e7fac9e15bbce67d10b8f1f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix size validation for non-exclusive domains (v4)\n\nFix amdgpu_bo_validate_size() to check whether the TTM domain manager for the\nrequested memory exists, else we get a kernel oops when dereferencing \"man\".\n\nv2: Make the patch standalone, i.e. not dependent on local patches.\nv3: Preserve old behaviour and just check that the manager pointer is not\n NULL.\nv4: Complain if GTT domain requested and it is uninitialized--most likely a\n bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:19.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80546eef216854a7bd47e39e828f04b406c00599"
},
{
"url": "https://git.kernel.org/stable/c/8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1"
},
{
"url": "https://git.kernel.org/stable/c/7554886daa31eacc8e7fac9e15bbce67d10b8f1f"
}
],
"title": "drm/amdgpu: Fix size validation for non-exclusive domains (v4)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50527",
"datePublished": "2025-10-07T15:19:19.238Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:19.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50559 (GCVE-0-2022-50559)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: scu: fix memleak on platform_device_add() fails
No error handling is performed when platform_device_add()
fails. Add error processing before return, and modified
the return value.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9209e6bab75d4008d9f4248c66008f3ffd24c931",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "43c589b7a187ef481b594317eaab8c8f269e4a68",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "05fe0b3d69b8e094db207648ab21cade56d71cd8",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "855ae87a2073ebf1b395e020de54fdf9ce7d166f",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: scu: fix memleak on platform_device_add() fails\n\nNo error handling is performed when platform_device_add()\nfails. Add error processing before return, and modified\nthe return value."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:19.290Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9209e6bab75d4008d9f4248c66008f3ffd24c931"
},
{
"url": "https://git.kernel.org/stable/c/43c589b7a187ef481b594317eaab8c8f269e4a68"
},
{
"url": "https://git.kernel.org/stable/c/05fe0b3d69b8e094db207648ab21cade56d71cd8"
},
{
"url": "https://git.kernel.org/stable/c/855ae87a2073ebf1b395e020de54fdf9ce7d166f"
}
],
"title": "clk: imx: scu: fix memleak on platform_device_add() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50559",
"datePublished": "2025-10-22T13:23:19.290Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:19.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53247 (GCVE-0-2023-53247)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand
While trying to get the subpage blocksize tests running, I hit the
following panic on generic/476
assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229
kernel BUG at fs/btrfs/subpage.c:229!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023
pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : btrfs_subpage_assert+0xbc/0xf0
lr : btrfs_subpage_assert+0xbc/0xf0
Call trace:
btrfs_subpage_assert+0xbc/0xf0
btrfs_subpage_clear_checked+0x38/0xc0
btrfs_page_clear_checked+0x48/0x98
btrfs_truncate_block+0x5d0/0x6a8
btrfs_cont_expand+0x5c/0x528
btrfs_write_check.isra.0+0xf8/0x150
btrfs_buffered_write+0xb4/0x760
btrfs_do_write_iter+0x2f8/0x4b0
btrfs_file_write_iter+0x1c/0x30
do_iter_readv_writev+0xc8/0x158
do_iter_write+0x9c/0x210
vfs_iter_write+0x24/0x40
iter_file_splice_write+0x224/0x390
direct_splice_actor+0x38/0x68
splice_direct_to_actor+0x12c/0x260
do_splice_direct+0x90/0xe8
generic_copy_file_range+0x50/0x90
vfs_copy_file_range+0x29c/0x470
__arm64_sys_copy_file_range+0xcc/0x498
invoke_syscall.constprop.0+0x80/0xd8
do_el0_svc+0x6c/0x168
el0_svc+0x50/0x1b0
el0t_64_sync_handler+0x114/0x120
el0t_64_sync+0x194/0x198
This happens because during btrfs_cont_expand we'll get a page, set it
as mapped, and if it's not Uptodate we'll read it. However between the
read and re-locking the page we could have called release_folio() on the
page, but left the page in the file mapping. release_folio() can clear
the page private, and thus further down we blow up when we go to modify
the subpage bits.
Fix this by putting the set_page_extent_mapped() after the read. This
is safe because read_folio() will call set_page_extent_mapped() before
it does the read, and then if we clear page private but leave it on the
mapping we're completely safe re-setting set_page_extent_mapped(). With
this patch I can now run generic/476 without panicing.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a5e0bc8e8618e32a6ca64450867628eb0a627bf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5880e69cf7fe4a0bb1eabae02205352d1b59b7b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17b17fcd6d446b95904a6929c40012ee7f0afc0c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand\n\nWhile trying to get the subpage blocksize tests running, I hit the\nfollowing panic on generic/476\n\n assertion failed: PagePrivate(page) \u0026\u0026 page-\u003eprivate, in fs/btrfs/subpage.c:229\n kernel BUG at fs/btrfs/subpage.c:229!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12\n Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023\n pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : btrfs_subpage_assert+0xbc/0xf0\n lr : btrfs_subpage_assert+0xbc/0xf0\n Call trace:\n btrfs_subpage_assert+0xbc/0xf0\n btrfs_subpage_clear_checked+0x38/0xc0\n btrfs_page_clear_checked+0x48/0x98\n btrfs_truncate_block+0x5d0/0x6a8\n btrfs_cont_expand+0x5c/0x528\n btrfs_write_check.isra.0+0xf8/0x150\n btrfs_buffered_write+0xb4/0x760\n btrfs_do_write_iter+0x2f8/0x4b0\n btrfs_file_write_iter+0x1c/0x30\n do_iter_readv_writev+0xc8/0x158\n do_iter_write+0x9c/0x210\n vfs_iter_write+0x24/0x40\n iter_file_splice_write+0x224/0x390\n direct_splice_actor+0x38/0x68\n splice_direct_to_actor+0x12c/0x260\n do_splice_direct+0x90/0xe8\n generic_copy_file_range+0x50/0x90\n vfs_copy_file_range+0x29c/0x470\n __arm64_sys_copy_file_range+0xcc/0x498\n invoke_syscall.constprop.0+0x80/0xd8\n do_el0_svc+0x6c/0x168\n el0_svc+0x50/0x1b0\n el0t_64_sync_handler+0x114/0x120\n el0t_64_sync+0x194/0x198\n\nThis happens because during btrfs_cont_expand we\u0027ll get a page, set it\nas mapped, and if it\u0027s not Uptodate we\u0027ll read it. However between the\nread and re-locking the page we could have called release_folio() on the\npage, but left the page in the file mapping. release_folio() can clear\nthe page private, and thus further down we blow up when we go to modify\nthe subpage bits.\n\nFix this by putting the set_page_extent_mapped() after the read. This\nis safe because read_folio() will call set_page_extent_mapped() before\nit does the read, and then if we clear page private but leave it on the\nmapping we\u0027re completely safe re-setting set_page_extent_mapped(). With\nthis patch I can now run generic/476 without panicing."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:17.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a5e0bc8e8618e32a6ca64450867628eb0a627bf"
},
{
"url": "https://git.kernel.org/stable/c/a5880e69cf7fe4a0bb1eabae02205352d1b59b7b"
},
{
"url": "https://git.kernel.org/stable/c/17b17fcd6d446b95904a6929c40012ee7f0afc0c"
}
],
"title": "btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53247",
"datePublished": "2025-09-15T14:46:17.344Z",
"dateReserved": "2025-09-15T14:19:21.848Z",
"dateUpdated": "2025-09-15T14:46:17.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40013 (GCVE-0-2025-40013)
Vulnerability from cvelistv5
Published
2025-10-20 15:29
Modified
2025-10-20 15:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: audioreach: fix potential null pointer dereference
It is possible that the topology parsing function
audioreach_widget_load_module_common() could return NULL or an error
pointer. Add missing NULL check so that we do not dereference it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 Version: 36ad9bf1d93d66b901342eab9f8ed6c1537655a6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c1ad4192f3d2fc85339718a6252cb3337848f7b",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "70e1e5fe9f7e05ff831b56ebc02543e7811b8e18",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "4dda55d04caac3b4102c26e29b1c27fa35636be3",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "8f9c9fafc0e7a73bbff58954d171c016ddee1734",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "ef08ce6304d30b5778035d07b04514cb70839983",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
},
{
"lessThan": "8318e04ab2526b155773313b66a1542476ce1106",
"status": "affected",
"version": "36ad9bf1d93d66b901342eab9f8ed6c1537655a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: audioreach: fix potential null pointer dereference\n\nIt is possible that the topology parsing function\naudioreach_widget_load_module_common() could return NULL or an error\npointer. Add missing NULL check so that we do not dereference it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:29:09.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c1ad4192f3d2fc85339718a6252cb3337848f7b"
},
{
"url": "https://git.kernel.org/stable/c/70e1e5fe9f7e05ff831b56ebc02543e7811b8e18"
},
{
"url": "https://git.kernel.org/stable/c/4dda55d04caac3b4102c26e29b1c27fa35636be3"
},
{
"url": "https://git.kernel.org/stable/c/8f9c9fafc0e7a73bbff58954d171c016ddee1734"
},
{
"url": "https://git.kernel.org/stable/c/ef08ce6304d30b5778035d07b04514cb70839983"
},
{
"url": "https://git.kernel.org/stable/c/8318e04ab2526b155773313b66a1542476ce1106"
}
],
"title": "ASoC: qcom: audioreach: fix potential null pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40013",
"datePublished": "2025-10-20T15:29:09.076Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:29:09.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39714 (GCVE-0-2025-39714)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: usbtv: Lock resolution while streaming
When an program is streaming (ffplay) and another program (qv4l2)
changes the TV standard from NTSC to PAL, the kernel crashes due to trying
to copy to unmapped memory.
Changing from NTSC to PAL increases the resolution in the usbtv struct,
but the video plane buffer isn't adjusted, so it overflows.
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 Version: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:41.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/usbtv/usbtv-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c35e7c7a004ef379a1ae7c7486d4829419acad1d",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "ee7bade8b9244834229b12b6e1e724939bedd484",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "5427dda195d6baf23028196fd55a0c90f66ffa61",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "ef9b3c22405192afaa279077ddd45a51db90b83d",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "c3d75524e10021aa5c223d94da4996640aed46c0",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "9f886d21e235c4bd038cb20f6696084304197ab3",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
},
{
"lessThan": "7e40e0bb778907b2441bff68d73c3eb6b6cd319f",
"status": "affected",
"version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/usbtv/usbtv-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn\u0027t adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:59.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c35e7c7a004ef379a1ae7c7486d4829419acad1d"
},
{
"url": "https://git.kernel.org/stable/c/ee7bade8b9244834229b12b6e1e724939bedd484"
},
{
"url": "https://git.kernel.org/stable/c/5427dda195d6baf23028196fd55a0c90f66ffa61"
},
{
"url": "https://git.kernel.org/stable/c/ef9b3c22405192afaa279077ddd45a51db90b83d"
},
{
"url": "https://git.kernel.org/stable/c/3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9"
},
{
"url": "https://git.kernel.org/stable/c/c3d75524e10021aa5c223d94da4996640aed46c0"
},
{
"url": "https://git.kernel.org/stable/c/9f886d21e235c4bd038cb20f6696084304197ab3"
},
{
"url": "https://git.kernel.org/stable/c/7e40e0bb778907b2441bff68d73c3eb6b6cd319f"
}
],
"title": "media: usbtv: Lock resolution while streaming",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39714",
"datePublished": "2025-09-05T17:21:21.435Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:41.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53519 (GCVE-0-2023-53519)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-mem2mem: add lock to protect parameter num_rdy
Getting below error when using KCSAN to check the driver. Adding lock to
protect parameter num_rdy when getting the value with function:
v4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready.
kworker/u16:3: [name:report&]BUG: KCSAN: data-race in v4l2_m2m_buf_queue
kworker/u16:3: [name:report&]
kworker/u16:3: [name:report&]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7:
kworker/u16:3: v4l2_m2m_buf_queue+0xd8/0x10c
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-mem2mem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "690dd4780b3f4d755e4e7883e8c3d1b5052f6bf2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fc7f87725805197388ba749a1801df33000fa50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef009fe2010ea2a3a7045ecb72729cf366e0967b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e52de26cb37459b16213438a2c82feb155dd3bbd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1676748aa29099fc0abd71e0fb092e76e835f25c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c71aa5f1cf961264690f2560503ea396b6e3c680",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e01ea1c4191ee08440b5f86db98dff695e9cedf9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56b5c3e67b0f9af3f45cf393be048ee8d8a92694",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-mem2mem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: add lock to protect parameter num_rdy\n\nGetting below error when using KCSAN to check the driver. Adding lock to\nprotect parameter num_rdy when getting the value with function:\nv4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready.\n\nkworker/u16:3: [name:report\u0026]BUG: KCSAN: data-race in v4l2_m2m_buf_queue\nkworker/u16:3: [name:report\u0026]\n\nkworker/u16:3: [name:report\u0026]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7:\nkworker/u16:3:\u00a0 v4l2_m2m_buf_queue+0xd8/0x10c"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:06.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/690dd4780b3f4d755e4e7883e8c3d1b5052f6bf2"
},
{
"url": "https://git.kernel.org/stable/c/7fc7f87725805197388ba749a1801df33000fa50"
},
{
"url": "https://git.kernel.org/stable/c/ef009fe2010ea2a3a7045ecb72729cf366e0967b"
},
{
"url": "https://git.kernel.org/stable/c/e52de26cb37459b16213438a2c82feb155dd3bbd"
},
{
"url": "https://git.kernel.org/stable/c/1676748aa29099fc0abd71e0fb092e76e835f25c"
},
{
"url": "https://git.kernel.org/stable/c/c71aa5f1cf961264690f2560503ea396b6e3c680"
},
{
"url": "https://git.kernel.org/stable/c/e01ea1c4191ee08440b5f86db98dff695e9cedf9"
},
{
"url": "https://git.kernel.org/stable/c/56b5c3e67b0f9af3f45cf393be048ee8d8a92694"
}
],
"title": "media: v4l2-mem2mem: add lock to protect parameter num_rdy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53519",
"datePublished": "2025-10-01T11:46:06.419Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:06.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53391 (GCVE-0-2023-53391)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
As the ramfs-based tmpfs uses ramfs_init_fs_context() for the
init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb()
to free it and avoid a memory leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ramfs/inode.c",
"include/linux/ramfs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5fada375113767b3b57f1b04f7a4fe64ffaa626f",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "487f229efea80c00dd7397547ec4f25fb8999d99",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "1f34bf8b442c6d720e7fa6f15e8702427e48aea9",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "ebe07db840992a3886694ac3d303b06f4b70ce00",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
},
{
"lessThan": "36ce9d76b0a93bae799e27e4f5ac35478c676592",
"status": "affected",
"version": "c3b1b1cbf002e65a3cabd479e68b5f35886a26db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ramfs/inode.c",
"include/linux/ramfs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs\n\nAs the ramfs-based tmpfs uses ramfs_init_fs_context() for the\ninit_fs_context method, which allocates fc-\u003es_fs_info, use ramfs_kill_sb()\nto free it and avoid a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:33.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5fada375113767b3b57f1b04f7a4fe64ffaa626f"
},
{
"url": "https://git.kernel.org/stable/c/487f229efea80c00dd7397547ec4f25fb8999d99"
},
{
"url": "https://git.kernel.org/stable/c/1f34bf8b442c6d720e7fa6f15e8702427e48aea9"
},
{
"url": "https://git.kernel.org/stable/c/ebe07db840992a3886694ac3d303b06f4b70ce00"
},
{
"url": "https://git.kernel.org/stable/c/36ce9d76b0a93bae799e27e4f5ac35478c676592"
}
],
"title": "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53391",
"datePublished": "2025-09-18T13:33:33.602Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2025-09-18T13:33:33.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53230 (GCVE-0-2023-53230)
Vulnerability from cvelistv5
Published
2025-09-15 14:22
Modified
2025-09-15 14:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix warning in cifs_smb3_do_mount()
This fixes the following warning reported by kernel test robot
fs/smb/client/cifsfs.c:982 cifs_smb3_do_mount() warn: possible
memory leak of 'cifs_sb'
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9850867042674361f455ea8901375cff5b800be5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "945f4a7aff84fde1f825d17a5050880345da3228",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eb79f8dfba343667f9a82a252743f4e8f67ce420",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "12c30f33cc6769bf411088a2872843c4f9ea32f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix warning in cifs_smb3_do_mount()\n\nThis fixes the following warning reported by kernel test robot\n\n fs/smb/client/cifsfs.c:982 cifs_smb3_do_mount() warn: possible\n memory leak of \u0027cifs_sb\u0027"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:22:02.687Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9850867042674361f455ea8901375cff5b800be5"
},
{
"url": "https://git.kernel.org/stable/c/945f4a7aff84fde1f825d17a5050880345da3228"
},
{
"url": "https://git.kernel.org/stable/c/eb79f8dfba343667f9a82a252743f4e8f67ce420"
},
{
"url": "https://git.kernel.org/stable/c/12c30f33cc6769bf411088a2872843c4f9ea32f9"
}
],
"title": "smb: client: fix warning in cifs_smb3_do_mount()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53230",
"datePublished": "2025-09-15T14:22:02.687Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2025-09-15T14:22:02.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39798 (GCVE-0-2025-39798)
Vulnerability from cvelistv5
Published
2025-09-12 15:59
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix the setting of capabilities when automounting a new filesystem
Capabilities cannot be inherited when we cross into a new filesystem.
They need to be reset to the minimal defaults, and then probed for
again.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b Version: 54ceac4515986030c2502960be620198dd8fe25b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:29.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/client.c",
"fs/nfs/internal.h",
"fs/nfs/nfs4client.c",
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95eb0d97ab98a10e966125c1f274e7d0fc0992b3",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "73fcb101bb3eb2a552d7856a476b2c0bc3b5ef9e",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "3924dab90816d0c683a110628ef386f83a9d1e13",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "175afda783e38c0660f2afc0602dd9c83d4e7ee1",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "987c20428f067c1c7f29ed0a2bd8c63fa74b1c2c",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "816a6f60c2c2b679a33fa4276442bafd11473651",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "a8ffee4abd8ec9d7a64d394e0306ae64ba139fd2",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "50e0fd0050e510e749e1fdd1d7158e419ff8f3b9",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
},
{
"lessThan": "b01f21cacde9f2878492cf318fee61bf4ccad323",
"status": "affected",
"version": "54ceac4515986030c2502960be620198dd8fe25b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/client.c",
"fs/nfs/internal.h",
"fs/nfs/nfs4client.c",
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix the setting of capabilities when automounting a new filesystem\n\nCapabilities cannot be inherited when we cross into a new filesystem.\nThey need to be reset to the minimal defaults, and then probed for\nagain."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:39.522Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95eb0d97ab98a10e966125c1f274e7d0fc0992b3"
},
{
"url": "https://git.kernel.org/stable/c/73fcb101bb3eb2a552d7856a476b2c0bc3b5ef9e"
},
{
"url": "https://git.kernel.org/stable/c/3924dab90816d0c683a110628ef386f83a9d1e13"
},
{
"url": "https://git.kernel.org/stable/c/175afda783e38c0660f2afc0602dd9c83d4e7ee1"
},
{
"url": "https://git.kernel.org/stable/c/987c20428f067c1c7f29ed0a2bd8c63fa74b1c2c"
},
{
"url": "https://git.kernel.org/stable/c/816a6f60c2c2b679a33fa4276442bafd11473651"
},
{
"url": "https://git.kernel.org/stable/c/a8ffee4abd8ec9d7a64d394e0306ae64ba139fd2"
},
{
"url": "https://git.kernel.org/stable/c/50e0fd0050e510e749e1fdd1d7158e419ff8f3b9"
},
{
"url": "https://git.kernel.org/stable/c/b01f21cacde9f2878492cf318fee61bf4ccad323"
}
],
"title": "NFS: Fix the setting of capabilities when automounting a new filesystem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39798",
"datePublished": "2025-09-12T15:59:34.386Z",
"dateReserved": "2025-04-16T07:20:57.133Z",
"dateUpdated": "2025-11-03T17:43:29.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53323 (GCVE-0-2023-53323)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext2/dax: Fix ext2_setsize when len is page aligned
PAGE_ALIGN(x) macro gives the next highest value which is multiple of
pagesize. But if x is already page aligned then it simply returns x.
So, if x passed is 0 in dax_zero_range() function, that means the
length gets passed as 0 to ->iomap_begin().
In ext2 it then calls ext2_get_blocks -> max_blocks as 0 and hits bug_on
here in ext2_get_blocks().
BUG_ON(maxblocks == 0);
Instead we should be calling dax_truncate_page() here which takes
care of it. i.e. it only calls dax_zero_range if the offset is not
page/block aligned.
This can be easily triggered with following on fsdax mounted pmem
device.
dd if=/dev/zero of=file count=1 bs=512
truncate -s 0 file
[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk
[79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)
[93.793207] ------------[ cut here ]------------
[93.795102] kernel BUG at fs/ext2/inode.c:637!
[93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139
[93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610
<...>
[93.835298] Call Trace:
[93.836253] <TASK>
[93.837103] ? lock_acquire+0xf8/0x110
[93.838479] ? d_lookup+0x69/0xd0
[93.839779] ext2_iomap_begin+0xa7/0x1c0
[93.841154] iomap_iter+0xc7/0x150
[93.842425] dax_zero_range+0x6e/0xa0
[93.843813] ext2_setsize+0x176/0x1b0
[93.845164] ext2_setattr+0x151/0x200
[93.846467] notify_change+0x341/0x4e0
[93.847805] ? lock_acquire+0xf8/0x110
[93.849143] ? do_truncate+0x74/0xe0
[93.850452] ? do_truncate+0x84/0xe0
[93.851739] do_truncate+0x84/0xe0
[93.852974] do_sys_ftruncate+0x2b4/0x2f0
[93.854404] do_syscall_64+0x3f/0x90
[93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e54fd14bd143c261e52fde74355e85e9526c58c",
"status": "affected",
"version": "2aa3048e03d38d5358be2553d4b638c1a018498c",
"versionType": "git"
},
{
"lessThan": "5cee8bfb8cbd99c97aff85d2bf066b6a496e13ab",
"status": "affected",
"version": "2aa3048e03d38d5358be2553d4b638c1a018498c",
"versionType": "git"
},
{
"lessThan": "fcced95b6ba2a507a83b8b3e0358a8ac16b13e35",
"status": "affected",
"version": "2aa3048e03d38d5358be2553d4b638c1a018498c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next2/dax: Fix ext2_setsize when len is page aligned\n\nPAGE_ALIGN(x) macro gives the next highest value which is multiple of\npagesize. But if x is already page aligned then it simply returns x.\nSo, if x passed is 0 in dax_zero_range() function, that means the\nlength gets passed as 0 to -\u003eiomap_begin().\n\nIn ext2 it then calls ext2_get_blocks -\u003e max_blocks as 0 and hits bug_on\nhere in ext2_get_blocks().\n\tBUG_ON(maxblocks == 0);\n\nInstead we should be calling dax_truncate_page() here which takes\ncare of it. i.e. it only calls dax_zero_range if the offset is not\npage/block aligned.\n\nThis can be easily triggered with following on fsdax mounted pmem\ndevice.\n\ndd if=/dev/zero of=file count=1 bs=512\ntruncate -s 0 file\n\n[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk\n[79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)\n[93.793207] ------------[ cut here ]------------\n[93.795102] kernel BUG at fs/ext2/inode.c:637!\n[93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139\n[93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610\n\u003c...\u003e\n[93.835298] Call Trace:\n[93.836253] \u003cTASK\u003e\n[93.837103] ? lock_acquire+0xf8/0x110\n[93.838479] ? d_lookup+0x69/0xd0\n[93.839779] ext2_iomap_begin+0xa7/0x1c0\n[93.841154] iomap_iter+0xc7/0x150\n[93.842425] dax_zero_range+0x6e/0xa0\n[93.843813] ext2_setsize+0x176/0x1b0\n[93.845164] ext2_setattr+0x151/0x200\n[93.846467] notify_change+0x341/0x4e0\n[93.847805] ? lock_acquire+0xf8/0x110\n[93.849143] ? do_truncate+0x74/0xe0\n[93.850452] ? do_truncate+0x84/0xe0\n[93.851739] do_truncate+0x84/0xe0\n[93.852974] do_sys_ftruncate+0x2b4/0x2f0\n[93.854404] do_syscall_64+0x3f/0x90\n[93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:58.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e54fd14bd143c261e52fde74355e85e9526c58c"
},
{
"url": "https://git.kernel.org/stable/c/5cee8bfb8cbd99c97aff85d2bf066b6a496e13ab"
},
{
"url": "https://git.kernel.org/stable/c/fcced95b6ba2a507a83b8b3e0358a8ac16b13e35"
}
],
"title": "ext2/dax: Fix ext2_setsize when len is page aligned",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53323",
"datePublished": "2025-09-16T16:11:58.877Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:58.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53646 (GCVE-0-2023-53646)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/perf: add sentinel to xehp_oa_b_counters
Arrays passed to reg_in_range_table should end with empty record.
The patch solves KASAN detected bug with signature:
BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]
Read of size 4 at addr ffffffffa1555d90 by task perf/1518
CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1
Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023
Call Trace:
<TASK>
...
xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]
(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21d92025e80629fd5c25cd6751f8cf38c784dd4a",
"status": "affected",
"version": "0fa9349dda030fa847b36f880a5eea25c3202b66",
"versionType": "git"
},
{
"lessThan": "785b3f667b4bf98804cad135005e964df0c750de",
"status": "affected",
"version": "0fa9349dda030fa847b36f880a5eea25c3202b66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/perf: add sentinel to xehp_oa_b_counters\n\nArrays passed to reg_in_range_table should end with empty record.\n\nThe patch solves KASAN detected bug with signature:\nBUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\nRead of size 4 at addr ffffffffa1555d90 by task perf/1518\n\nCPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1\nHardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023\nCall Trace:\n\u003cTASK\u003e\n...\nxehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\n\n(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:44.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21d92025e80629fd5c25cd6751f8cf38c784dd4a"
},
{
"url": "https://git.kernel.org/stable/c/785b3f667b4bf98804cad135005e964df0c750de"
}
],
"title": "drm/i915/perf: add sentinel to xehp_oa_b_counters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53646",
"datePublished": "2025-10-07T15:19:44.412Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:44.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53338 (GCVE-0-2023-53338)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lwt: Fix return values of BPF xmit ops
BPF encap ops can return different types of positive values, such like
NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function
skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return
values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in
ip(6)_finish_output2. When this happens, skbs that have been freed would
continue to the neighbor subsystem, causing use-after-free bug and
kernel crashes.
To fix the incorrect behavior, skb_do_redirect return values can be
simply discarded, the same as tc-egress behavior. On the other hand,
bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU
information. Thus convert its return values to avoid the conflict with
LWTUNNEL_XMIT_CONTINUE.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 Version: 3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/lwt_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67f8f2bae8e7ac72e09def2b667e44704c4d1ee1",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "a97f221651fcdc891166e9bc270e3d9bfa5a0080",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "e3f647e4b642f9f6d32795a16f92c116c138d2af",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "065d5f17096ec9161180e2c890afdff4dc6125f2",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "d68c17402442f5f494a2c3ebde5cb82f6aa9160a",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "65583f9e070db7bece20710cfa2e3daeb0b831d9",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
},
{
"lessThan": "29b22badb7a84b783e3a4fffca16f7768fb31205",
"status": "affected",
"version": "3a0af8fd61f90920f6fa04e4f1e9a6a73c1b4fd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/lwt_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlwt: Fix return values of BPF xmit ops\n\nBPF encap ops can return different types of positive values, such like\nNET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function\nskb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return\nvalues would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in\nip(6)_finish_output2. When this happens, skbs that have been freed would\ncontinue to the neighbor subsystem, causing use-after-free bug and\nkernel crashes.\n\nTo fix the incorrect behavior, skb_do_redirect return values can be\nsimply discarded, the same as tc-egress behavior. On the other hand,\nbpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU\ninformation. Thus convert its return values to avoid the conflict with\nLWTUNNEL_XMIT_CONTINUE."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:32.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67f8f2bae8e7ac72e09def2b667e44704c4d1ee1"
},
{
"url": "https://git.kernel.org/stable/c/a97f221651fcdc891166e9bc270e3d9bfa5a0080"
},
{
"url": "https://git.kernel.org/stable/c/e3f647e4b642f9f6d32795a16f92c116c138d2af"
},
{
"url": "https://git.kernel.org/stable/c/065d5f17096ec9161180e2c890afdff4dc6125f2"
},
{
"url": "https://git.kernel.org/stable/c/d68c17402442f5f494a2c3ebde5cb82f6aa9160a"
},
{
"url": "https://git.kernel.org/stable/c/65583f9e070db7bece20710cfa2e3daeb0b831d9"
},
{
"url": "https://git.kernel.org/stable/c/29b22badb7a84b783e3a4fffca16f7768fb31205"
}
],
"title": "lwt: Fix return values of BPF xmit ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53338",
"datePublished": "2025-09-17T14:56:32.302Z",
"dateReserved": "2025-09-16T16:08:59.565Z",
"dateUpdated": "2025-09-17T14:56:32.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50513 (GCVE-0-2022-50513)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
released. Besides, considering there are only two error paths and the
first one can directly return, so we do not need implicitly jump to the
`exit` tag to execute the error handler.
So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
rtw_init_cmd_priv(). As there is no proper device to test with, no runtime
testing was performed.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5d8f05edb36fc4ab15beec62cb6ab62f5a60fe2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cc39db24a63f68314473621020ed8cad7be423",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39bef9c6a91bbb790d04c1347cfeae584541fb6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5be64ff6d21f7805a91e6d81f53fc19cd9f0fae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8db6ca84eee0ac258706f3fca54f7c021cb159ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "708056fba733a73d926772ea4ce9a42d240345da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()\n\nIn rtw_init_cmd_priv(), if `pcmdpriv-\u003ersp_allocated_buf` is allocated\nin failure, then `pcmdpriv-\u003ecmd_allocated_buf` will be not properly\nreleased. Besides, considering there are only two error paths and the\nfirst one can directly return, so we do not need implicitly jump to the\n`exit` tag to execute the error handler.\n\nSo this patch added `kfree(pcmdpriv-\u003ecmd_allocated_buf);` on the error\npath to release the resource and simplified the return logic of\nrtw_init_cmd_priv(). As there is no proper device to test with, no runtime\ntesting was performed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:09.547Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5d8f05edb36fc4ab15beec62cb6ab62f5a60fe2"
},
{
"url": "https://git.kernel.org/stable/c/e6cc39db24a63f68314473621020ed8cad7be423"
},
{
"url": "https://git.kernel.org/stable/c/39bef9c6a91bbb790d04c1347cfeae584541fb6a"
},
{
"url": "https://git.kernel.org/stable/c/a5be64ff6d21f7805a91e6d81f53fc19cd9f0fae"
},
{
"url": "https://git.kernel.org/stable/c/8db6ca84eee0ac258706f3fca54f7c021cb159ef"
},
{
"url": "https://git.kernel.org/stable/c/708056fba733a73d926772ea4ce9a42d240345da"
}
],
"title": "staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50513",
"datePublished": "2025-10-07T15:19:09.547Z",
"dateReserved": "2025-10-07T15:14:58.492Z",
"dateUpdated": "2025-10-07T15:19:09.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53397 (GCVE-0-2023-53397)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
modpost: fix off by one in is_executable_section()
The > comparison should be >= to prevent an out of bounds array
access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 Version: 52dc0595d540155436d91811f929bdc8afd6a2a1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"scripts/mod/modpost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ee557590bac154d324de446d1cd0444988bd511",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "02dc8e8bdbe4412cfcf17ee3873e63fa5a55b957",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "cb0cdca5c979bc34c27602e2039562932c2591a4",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "5e0424cd8a44b5f480feb06753cdf4e1f248d148",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "dd872d5576cc94528f427c7264c2c438928cc6d2",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "cade370efe2f9e2a79ea8587506ffe2b51ac6d2b",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "8b2e77050b91199453bf19d0517b047b7339a9e3",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
},
{
"lessThan": "3a3f1e573a105328a2cca45a7cfbebabbf5e3192",
"status": "affected",
"version": "52dc0595d540155436d91811f929bdc8afd6a2a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"scripts/mod/modpost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodpost: fix off by one in is_executable_section()\n\nThe \u003e comparison should be \u003e= to prevent an out of bounds array\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:38.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ee557590bac154d324de446d1cd0444988bd511"
},
{
"url": "https://git.kernel.org/stable/c/02dc8e8bdbe4412cfcf17ee3873e63fa5a55b957"
},
{
"url": "https://git.kernel.org/stable/c/cb0cdca5c979bc34c27602e2039562932c2591a4"
},
{
"url": "https://git.kernel.org/stable/c/5e0424cd8a44b5f480feb06753cdf4e1f248d148"
},
{
"url": "https://git.kernel.org/stable/c/dd872d5576cc94528f427c7264c2c438928cc6d2"
},
{
"url": "https://git.kernel.org/stable/c/cade370efe2f9e2a79ea8587506ffe2b51ac6d2b"
},
{
"url": "https://git.kernel.org/stable/c/8b2e77050b91199453bf19d0517b047b7339a9e3"
},
{
"url": "https://git.kernel.org/stable/c/3a3f1e573a105328a2cca45a7cfbebabbf5e3192"
}
],
"title": "modpost: fix off by one in is_executable_section()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53397",
"datePublished": "2025-09-18T13:33:38.093Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2025-09-18T13:33:38.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53596 (GCVE-0-2023-53596)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: base: Free devm resources when unregistering a device
In the current code, devres_release_all() only gets called if the device
has a bus and has been probed.
This leads to issues when using bus-less or driver-less devices where
the device might never get freed if a managed resource holds a reference
to the device. This is happening in the DRM framework for example.
We should thus call devres_release_all() in the device_del() function to
make sure that the device-managed actions are properly executed when the
device is unregistered, even if it has neither a bus nor a driver.
This is effectively the same change than commit 2f8d16a996da ("devres:
release resources on device_del()") that got reverted by commit
a525a3ddeaca ("driver core: free devres in device_release") over
memory leaks concerns.
This patch effectively combines the two commits mentioned above to
release the resources both on device_del() and device_release() and get
the best of both worlds.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c",
"drivers/base/test/platform-device-test.c",
"drivers/base/test/root-device-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "297992e5c63528e603666e36081836204fc36ec9",
"status": "affected",
"version": "a525a3ddeaca69f405d98442ab3c0746e53168dc",
"versionType": "git"
},
{
"lessThan": "3bcc4c2a096e8342c8c719e595ce15de212694dd",
"status": "affected",
"version": "a525a3ddeaca69f405d98442ab3c0746e53168dc",
"versionType": "git"
},
{
"lessThan": "c8c426fae26086a0ca8ab6cc6da2de79810ec038",
"status": "affected",
"version": "a525a3ddeaca69f405d98442ab3c0746e53168dc",
"versionType": "git"
},
{
"lessThan": "699fb50d99039a50e7494de644f96c889279aca3",
"status": "affected",
"version": "a525a3ddeaca69f405d98442ab3c0746e53168dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c",
"drivers/base/test/platform-device-test.c",
"drivers/base/test/root-device-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: Free devm resources when unregistering a device\n\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\n\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\n\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\n\nThis is effectively the same change than commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory leaks concerns.\n\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:08.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/297992e5c63528e603666e36081836204fc36ec9"
},
{
"url": "https://git.kernel.org/stable/c/3bcc4c2a096e8342c8c719e595ce15de212694dd"
},
{
"url": "https://git.kernel.org/stable/c/c8c426fae26086a0ca8ab6cc6da2de79810ec038"
},
{
"url": "https://git.kernel.org/stable/c/699fb50d99039a50e7494de644f96c889279aca3"
}
],
"title": "drivers: base: Free devm resources when unregistering a device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53596",
"datePublished": "2025-10-04T15:44:08.942Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:08.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38695 (GCVE-0-2025-38695)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
occur before sli4_hba.hdwqs are allocated. This may result in a null
pointer dereference when attempting to take the abts_io_buf_list_lock for
the first hardware queue. Fix by adding a null ptr check on
phba->sli4_hba.hdwq and early return because this situation means there
must have been an error during port initialization.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:22.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6711ce7e9de4eb1a541ef30638df1294ea4267f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74bdf54a847dab209d2a8f65852f59b7fa156175",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e25ee1ecec91c61a8acf938ad338399cad464de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "add68606a01dcccf18837a53e85b85caf0693b4b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7925dd68807cc8fd755b04ca99e7e6f1c04392e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "571617f171f723b05f02d154a2e549a17eab4935",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3f55f46bb37a8ec73bfe3cfe36e3ecfa2945dfa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46a0602c24d7d425dd8e00c749cd64a934aac7ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6698796282e828733cde3329c887b4ae9e5545e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure\n\nIf a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the\nresultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may\noccur before sli4_hba.hdwqs are allocated. This may result in a null\npointer dereference when attempting to take the abts_io_buf_list_lock for\nthe first hardware queue. Fix by adding a null ptr check on\nphba-\u003esli4_hba.hdwq and early return because this situation means there\nmust have been an error during port initialization."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:12.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6711ce7e9de4eb1a541ef30638df1294ea4267f8"
},
{
"url": "https://git.kernel.org/stable/c/74bdf54a847dab209d2a8f65852f59b7fa156175"
},
{
"url": "https://git.kernel.org/stable/c/5e25ee1ecec91c61a8acf938ad338399cad464de"
},
{
"url": "https://git.kernel.org/stable/c/add68606a01dcccf18837a53e85b85caf0693b4b"
},
{
"url": "https://git.kernel.org/stable/c/7925dd68807cc8fd755b04ca99e7e6f1c04392e8"
},
{
"url": "https://git.kernel.org/stable/c/571617f171f723b05f02d154a2e549a17eab4935"
},
{
"url": "https://git.kernel.org/stable/c/d3f55f46bb37a8ec73bfe3cfe36e3ecfa2945dfa"
},
{
"url": "https://git.kernel.org/stable/c/46a0602c24d7d425dd8e00c749cd64a934aac7ec"
},
{
"url": "https://git.kernel.org/stable/c/6698796282e828733cde3329c887b4ae9e5545e9"
}
],
"title": "scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38695",
"datePublished": "2025-09-04T15:32:48.168Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:22.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53386 (GCVE-0-2023-53386)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix potential use-after-free when clear keys
Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in
hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu()
call.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c Version: d7d41682efc25d58b5bd8b80e85e3c9ce586635c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e87da6a0ac6e631454e7da53a76aa9fe44aaa5dd",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "942d8cefb022f384d5424f8b90c7878f3f93726f",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "94617b736c25091b60e514e2e7aeafcbbee6b700",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "da19f35868dfbecfff4f81166c054d2656cb1be4",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "35cc42f04bc49f0656f6840cb7451b3df6049649",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
},
{
"lessThan": "3673952cf0c6cf81b06c66a0b788abeeb02ff3ae",
"status": "affected",
"version": "d7d41682efc25d58b5bd8b80e85e3c9ce586635c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix potential use-after-free when clear keys\n\nSimilar to commit c5d2b6fa26b5 (\"Bluetooth: Fix use-after-free in\nhci_remove_ltk/hci_remove_irk\"). We can not access k after kfree_rcu()\ncall."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:29.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e87da6a0ac6e631454e7da53a76aa9fe44aaa5dd"
},
{
"url": "https://git.kernel.org/stable/c/942d8cefb022f384d5424f8b90c7878f3f93726f"
},
{
"url": "https://git.kernel.org/stable/c/94617b736c25091b60e514e2e7aeafcbbee6b700"
},
{
"url": "https://git.kernel.org/stable/c/da19f35868dfbecfff4f81166c054d2656cb1be4"
},
{
"url": "https://git.kernel.org/stable/c/35cc42f04bc49f0656f6840cb7451b3df6049649"
},
{
"url": "https://git.kernel.org/stable/c/3673952cf0c6cf81b06c66a0b788abeeb02ff3ae"
}
],
"title": "Bluetooth: Fix potential use-after-free when clear keys",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53386",
"datePublished": "2025-09-18T13:33:29.897Z",
"dateReserved": "2025-09-17T14:54:09.737Z",
"dateUpdated": "2025-09-18T13:33:29.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53195 (GCVE-0-2023-53195)
Vulnerability from cvelistv5
Published
2025-09-15 14:06
Modified
2025-09-15 14:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init
The line cards array is not freed in the error path of
mlxsw_m_linecards_init(), which can lead to a memory leak. Fix by
freeing the array in the error path, thereby making the error path
identical to mlxsw_m_linecards_fini().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/minimal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4f5b1dd816dccd4ee6bb60b2a81a3d4373636a9",
"status": "affected",
"version": "01328e23a476a47179b07125eabac439bc1d5fd3",
"versionType": "git"
},
{
"lessThan": "cd716022c968bc6748f23708b986f845b45791b7",
"status": "affected",
"version": "01328e23a476a47179b07125eabac439bc1d5fd3",
"versionType": "git"
},
{
"lessThan": "08fc75735fda3be97194bfbf3c899c87abb3d0fe",
"status": "affected",
"version": "01328e23a476a47179b07125eabac439bc1d5fd3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/minimal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init\n\nThe line cards array is not freed in the error path of\nmlxsw_m_linecards_init(), which can lead to a memory leak. Fix by\nfreeing the array in the error path, thereby making the error path\nidentical to mlxsw_m_linecards_fini()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:06:42.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4f5b1dd816dccd4ee6bb60b2a81a3d4373636a9"
},
{
"url": "https://git.kernel.org/stable/c/cd716022c968bc6748f23708b986f845b45791b7"
},
{
"url": "https://git.kernel.org/stable/c/08fc75735fda3be97194bfbf3c899c87abb3d0fe"
}
],
"title": "mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53195",
"datePublished": "2025-09-15T14:06:42.224Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2025-09-15T14:06:42.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38693 (GCVE-0-2025-38693)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:18.481Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a41ecfc3415ebe3b4c44f96b3337691dcf431a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3d77a3fc71c084575d3df4ec6544b3fb6ce587d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17b30e5ded062bd74f8ca6f317e1d415a8680665",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "454a443eaa792c8865c861a282fe6d4f596abc3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6bbaec6a036940e22318f0454b50b8000845ab59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f98132a59ccc59a8b97987363bc99c8968934756",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99690a494d91a0dc86cebd628da4c62c40552bcb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39b06b93f24dff923c4183d564ed28c039150554",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed0234c8458b3149f15e496b48a1c9874dd24a1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar\n\nIn w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash.\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:09.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a41ecfc3415ebe3b4c44f96b3337691dcf431a3"
},
{
"url": "https://git.kernel.org/stable/c/b3d77a3fc71c084575d3df4ec6544b3fb6ce587d"
},
{
"url": "https://git.kernel.org/stable/c/17b30e5ded062bd74f8ca6f317e1d415a8680665"
},
{
"url": "https://git.kernel.org/stable/c/454a443eaa792c8865c861a282fe6d4f596abc3a"
},
{
"url": "https://git.kernel.org/stable/c/6bbaec6a036940e22318f0454b50b8000845ab59"
},
{
"url": "https://git.kernel.org/stable/c/f98132a59ccc59a8b97987363bc99c8968934756"
},
{
"url": "https://git.kernel.org/stable/c/99690a494d91a0dc86cebd628da4c62c40552bcb"
},
{
"url": "https://git.kernel.org/stable/c/39b06b93f24dff923c4183d564ed28c039150554"
},
{
"url": "https://git.kernel.org/stable/c/ed0234c8458b3149f15e496b48a1c9874dd24a1b"
}
],
"title": "media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38693",
"datePublished": "2025-09-04T15:32:46.726Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:18.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38729 (GCVE-0-2025-38729)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:59.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1666207ba0a5973735ef010812536adde6174e81",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "ebc9e06b6ea978a20abf9b87d41afc51b2d745ac",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "f03418bb9d542f44df78eec2eff4ac83c0a8ac0d",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "40714daf4d0448e1692c78563faf0ed0f9d9b5c7",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "cd08d390d15b204cac1d3174f5f149a20c52e61a",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "29b415ec09f5b9d1dfa2423b826725a8c8796b9a",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "452ad54f432675982cc0d6eb6c40a6c86ac61dbd",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
},
{
"lessThan": "d832ccbc301fbd9e5a1d691bdcf461cdb514595f",
"status": "affected",
"version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 power domain descriptors, too\n\nUAC3 power domain descriptors need to be verified with its variable\nbLength for avoiding the unexpected OOB accesses by malicious\nfirmware, too."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:56.125Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1666207ba0a5973735ef010812536adde6174e81"
},
{
"url": "https://git.kernel.org/stable/c/ebc9e06b6ea978a20abf9b87d41afc51b2d745ac"
},
{
"url": "https://git.kernel.org/stable/c/f03418bb9d542f44df78eec2eff4ac83c0a8ac0d"
},
{
"url": "https://git.kernel.org/stable/c/40714daf4d0448e1692c78563faf0ed0f9d9b5c7"
},
{
"url": "https://git.kernel.org/stable/c/07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc"
},
{
"url": "https://git.kernel.org/stable/c/cd08d390d15b204cac1d3174f5f149a20c52e61a"
},
{
"url": "https://git.kernel.org/stable/c/29b415ec09f5b9d1dfa2423b826725a8c8796b9a"
},
{
"url": "https://git.kernel.org/stable/c/452ad54f432675982cc0d6eb6c40a6c86ac61dbd"
},
{
"url": "https://git.kernel.org/stable/c/d832ccbc301fbd9e5a1d691bdcf461cdb514595f"
}
],
"title": "ALSA: usb-audio: Validate UAC3 power domain descriptors, too",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38729",
"datePublished": "2025-09-04T15:33:26.896Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:59.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53626 (GCVE-0-2023-53626)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix possible double unlock when moving a directory
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8dac5a63cf79707b547ea3d425fead5f4482198f Version: 0c440f14558bfacd22c6935ae1fd4b2a09e96b5d Version: c50fc503ee1b97f12c98e26afc39fdaebebcf04f Version: b0bb13612292ca90fa4c2a7e425375649bc50d3e Version: 291cd19d107e197306869cb3237c1bba62d13182 Version: 0813299c586b175d7edb25f56412c54b812d0379 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c16cbd8233d6c58fc488545393e49b5d55729990",
"status": "affected",
"version": "8dac5a63cf79707b547ea3d425fead5f4482198f",
"versionType": "git"
},
{
"lessThan": "020166bc6669ca9fb267ebd96bd88c4fb64a5d46",
"status": "affected",
"version": "0c440f14558bfacd22c6935ae1fd4b2a09e96b5d",
"versionType": "git"
},
{
"lessThan": "1c93c42c7bb23057bde8a0a2ab834927ff64d20c",
"status": "affected",
"version": "c50fc503ee1b97f12c98e26afc39fdaebebcf04f",
"versionType": "git"
},
{
"lessThan": "e71eb4dca41f0f36823724ced0406bb2dbdd5506",
"status": "affected",
"version": "b0bb13612292ca90fa4c2a7e425375649bc50d3e",
"versionType": "git"
},
{
"lessThan": "43ce288ab5d7274a4a141d7f5e3ed2ab7b41f8a2",
"status": "affected",
"version": "291cd19d107e197306869cb3237c1bba62d13182",
"versionType": "git"
},
{
"lessThan": "70e42feab2e20618ddd0cbfc4ab4b08628236ecd",
"status": "affected",
"version": "0813299c586b175d7edb25f56412c54b812d0379",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.4.238",
"status": "affected",
"version": "5.4.237",
"versionType": "semver"
},
{
"lessThan": "5.10.176",
"status": "affected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThan": "5.15.104",
"status": "affected",
"version": "5.15.103",
"versionType": "semver"
},
{
"lessThan": "6.1.21",
"status": "affected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThan": "6.2.8",
"status": "affected",
"version": "6.2.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.238",
"versionStartIncluding": "5.4.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.176",
"versionStartIncluding": "5.10.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.104",
"versionStartIncluding": "5.15.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.21",
"versionStartIncluding": "6.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.8",
"versionStartIncluding": "6.2.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix possible double unlock when moving a directory"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:30.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c16cbd8233d6c58fc488545393e49b5d55729990"
},
{
"url": "https://git.kernel.org/stable/c/020166bc6669ca9fb267ebd96bd88c4fb64a5d46"
},
{
"url": "https://git.kernel.org/stable/c/1c93c42c7bb23057bde8a0a2ab834927ff64d20c"
},
{
"url": "https://git.kernel.org/stable/c/e71eb4dca41f0f36823724ced0406bb2dbdd5506"
},
{
"url": "https://git.kernel.org/stable/c/43ce288ab5d7274a4a141d7f5e3ed2ab7b41f8a2"
},
{
"url": "https://git.kernel.org/stable/c/70e42feab2e20618ddd0cbfc4ab4b08628236ecd"
}
],
"title": "ext4: fix possible double unlock when moving a directory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53626",
"datePublished": "2025-10-07T15:19:30.895Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:30.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56650 (GCVE-0-2024-56650)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-11-03 20:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: fix LED ID check in led_tg_check()
Syzbot has reported the following BUG detected by KASAN:
BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70
Read of size 1 at addr ffff8881022da0c8 by task repro/5879
...
Call Trace:
<TASK>
dump_stack_lvl+0x241/0x360
? __pfx_dump_stack_lvl+0x10/0x10
? __pfx__printk+0x10/0x10
? _printk+0xd5/0x120
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x183/0x530
print_report+0x169/0x550
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x45f/0x530
? __phys_addr+0xba/0x170
? strlen+0x58/0x70
kasan_report+0x143/0x180
? strlen+0x58/0x70
strlen+0x58/0x70
kstrdup+0x20/0x80
led_tg_check+0x18b/0x3c0
xt_check_target+0x3bb/0xa40
? __pfx_xt_check_target+0x10/0x10
? stack_depot_save_flags+0x6e4/0x830
? nft_target_init+0x174/0xc30
nft_target_init+0x82d/0xc30
? __pfx_nft_target_init+0x10/0x10
? nf_tables_newrule+0x1609/0x2980
? nf_tables_newrule+0x1609/0x2980
? rcu_is_watching+0x15/0xb0
? nf_tables_newrule+0x1609/0x2980
? nf_tables_newrule+0x1609/0x2980
? __kmalloc_noprof+0x21a/0x400
nf_tables_newrule+0x1860/0x2980
? __pfx_nf_tables_newrule+0x10/0x10
? __nla_parse+0x40/0x60
nfnetlink_rcv+0x14e5/0x2ab0
? __pfx_validate_chain+0x10/0x10
? __pfx_nfnetlink_rcv+0x10/0x10
? __lock_acquire+0x1384/0x2050
? netlink_deliver_tap+0x2e/0x1b0
? __pfx_lock_release+0x10/0x10
? netlink_deliver_tap+0x2e/0x1b0
netlink_unicast+0x7f8/0x990
? __pfx_netlink_unicast+0x10/0x10
? __virt_addr_valid+0x183/0x530
? __check_object_size+0x48e/0x900
netlink_sendmsg+0x8e4/0xcb0
? __pfx_netlink_sendmsg+0x10/0x10
? aa_sock_msg_perm+0x91/0x160
? __pfx_netlink_sendmsg+0x10/0x10
__sock_sendmsg+0x223/0x270
____sys_sendmsg+0x52a/0x7e0
? __pfx_____sys_sendmsg+0x10/0x10
__sys_sendmsg+0x292/0x380
? __pfx___sys_sendmsg+0x10/0x10
? lockdep_hardirqs_on_prepare+0x43d/0x780
? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
? exc_page_fault+0x590/0x8c0
? do_syscall_64+0xb6/0x230
do_syscall_64+0xf3/0x230
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>
Since an invalid (without '\0' byte at all) byte sequence may be passed
from userspace, add an extra check to ensure that such a sequence is
rejected as possible ID and so never passed to 'kstrdup()' and further.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c Version: 268cb38e1802db560c73167e643f14a3dcb4b07c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:00:22.683789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:11.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:56.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_LED.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "147a42bb02de8735cb08476be6d0917987d022c2",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "ad28612ebae1fcc1104bd432e99e99d87f6bfe09",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "36a9d94dac28beef6b8abba46ba8874320d3e800",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "ab9916321c95f5280b72b4c5055e269f98627efe",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "a9bcc0b70d9baf3ff005874489a0dc9d023b54c3",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "c40c96d98e536fc1daaa125c2332b988615e30a4",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
},
{
"lessThan": "04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7",
"status": "affected",
"version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_LED.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: fix LED ID check in led_tg_check()\n\nSyzbot has reported the following BUG detected by KASAN:\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70\nRead of size 1 at addr ffff8881022da0c8 by task repro/5879\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x241/0x360\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? _printk+0xd5/0x120\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n print_report+0x169/0x550\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x45f/0x530\n ? __phys_addr+0xba/0x170\n ? strlen+0x58/0x70\n kasan_report+0x143/0x180\n ? strlen+0x58/0x70\n strlen+0x58/0x70\n kstrdup+0x20/0x80\n led_tg_check+0x18b/0x3c0\n xt_check_target+0x3bb/0xa40\n ? __pfx_xt_check_target+0x10/0x10\n ? stack_depot_save_flags+0x6e4/0x830\n ? nft_target_init+0x174/0xc30\n nft_target_init+0x82d/0xc30\n ? __pfx_nft_target_init+0x10/0x10\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? rcu_is_watching+0x15/0xb0\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? __kmalloc_noprof+0x21a/0x400\n nf_tables_newrule+0x1860/0x2980\n ? __pfx_nf_tables_newrule+0x10/0x10\n ? __nla_parse+0x40/0x60\n nfnetlink_rcv+0x14e5/0x2ab0\n ? __pfx_validate_chain+0x10/0x10\n ? __pfx_nfnetlink_rcv+0x10/0x10\n ? __lock_acquire+0x1384/0x2050\n ? netlink_deliver_tap+0x2e/0x1b0\n ? __pfx_lock_release+0x10/0x10\n ? netlink_deliver_tap+0x2e/0x1b0\n netlink_unicast+0x7f8/0x990\n ? __pfx_netlink_unicast+0x10/0x10\n ? __virt_addr_valid+0x183/0x530\n ? __check_object_size+0x48e/0x900\n netlink_sendmsg+0x8e4/0xcb0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? aa_sock_msg_perm+0x91/0x160\n ? __pfx_netlink_sendmsg+0x10/0x10\n __sock_sendmsg+0x223/0x270\n ____sys_sendmsg+0x52a/0x7e0\n ? __pfx_____sys_sendmsg+0x10/0x10\n __sys_sendmsg+0x292/0x380\n ? __pfx___sys_sendmsg+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x43d/0x780\n ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10\n ? exc_page_fault+0x590/0x8c0\n ? do_syscall_64+0xb6/0x230\n do_syscall_64+0xf3/0x230\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n \u003c/TASK\u003e\n\nSince an invalid (without \u0027\\0\u0027 byte at all) byte sequence may be passed\nfrom userspace, add an extra check to ensure that such a sequence is\nrejected as possible ID and so never passed to \u0027kstrdup()\u0027 and further."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:01:03.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/147a42bb02de8735cb08476be6d0917987d022c2"
},
{
"url": "https://git.kernel.org/stable/c/ad28612ebae1fcc1104bd432e99e99d87f6bfe09"
},
{
"url": "https://git.kernel.org/stable/c/36a9d94dac28beef6b8abba46ba8874320d3e800"
},
{
"url": "https://git.kernel.org/stable/c/ab9916321c95f5280b72b4c5055e269f98627efe"
},
{
"url": "https://git.kernel.org/stable/c/a9bcc0b70d9baf3ff005874489a0dc9d023b54c3"
},
{
"url": "https://git.kernel.org/stable/c/c40c96d98e536fc1daaa125c2332b988615e30a4"
},
{
"url": "https://git.kernel.org/stable/c/04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7"
}
],
"title": "netfilter: x_tables: fix LED ID check in led_tg_check()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56650",
"datePublished": "2024-12-27T15:02:50.098Z",
"dateReserved": "2024-12-27T15:00:39.840Z",
"dateUpdated": "2025-11-03T20:51:56.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38465 (GCVE-0-2025-38465)
Vulnerability from cvelistv5
Published
2025-07-25 15:27
Modified
2025-11-03 17:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: Fix wraparounds of sk->sk_rmem_alloc.
Netlink has this pattern in some places
if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
atomic_add(skb->truesize, &sk->sk_rmem_alloc);
, which has the same problem fixed by commit 5a465a0da13e ("udp:
Fix multiple wraparounds of sk->sk_rmem_alloc.").
For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
is always false as the two operands are of int.
Then, a single socket can eat as many skb as possible until OOM
happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
Let's fix it by using atomic_add_return() and comparing the two
variables as unsigned int.
Before:
[root@fedora ~]# ss -f netlink
Recv-Q Send-Q Local Address:Port Peer Address:Port
-1668710080 0 rtnl:nl_wraparound/293 *
After:
[root@fedora ~]# ss -f netlink
Recv-Q Send-Q Local Address:Port Peer Address:Port
2147483072 0 rtnl:nl_wraparound/290 *
^
`--- INT_MAX - 576
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:27.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n -1668710080 0 rtnl:nl_wraparound/293 *\n\nAfter:\n [root@fedora ~]# ss -f netlink\n Recv-Q Send-Q Local Address:Port Peer Address:Port\n 2147483072 0 rtnl:nl_wraparound/290 *\n ^\n `--- INT_MAX - 576"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:23:13.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
},
{
"url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
},
{
"url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
},
{
"url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
},
{
"url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
},
{
"url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
},
{
"url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
},
{
"url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
}
],
"title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38465",
"datePublished": "2025-07-25T15:27:47.510Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-11-03T17:38:27.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53180 (GCVE-0-2023-53180)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Avoid NULL pointer access during management transmit cleanup
Currently 'ar' reference is not added in skb_cb.
Though this is generally not used during transmit completion
callbacks, on interface removal the remaining idr cleanup callback
uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them
during transmit call for proper usage to avoid NULL pointer dereference.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7382d02160ef93c806fe1c1d4ef1fec445266747",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "054b5580a36e435692c203c19abdcb9f7734320e",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid NULL pointer access during management transmit cleanup\n\nCurrently \u0027ar\u0027 reference is not added in skb_cb.\nThough this is generally not used during transmit completion\ncallbacks, on interface removal the remaining idr cleanup callback\nuses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them\nduring transmit call for proper usage to avoid NULL pointer dereference.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:22.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7382d02160ef93c806fe1c1d4ef1fec445266747"
},
{
"url": "https://git.kernel.org/stable/c/054b5580a36e435692c203c19abdcb9f7734320e"
}
],
"title": "wifi: ath12k: Avoid NULL pointer access during management transmit cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53180",
"datePublished": "2025-09-15T14:04:31.143Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-16T08:02:22.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50524 (GCVE-0-2022-50524)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Check return value after calling platform_get_resource()
platform_get_resource() may return NULL pointer, we need check its
return value to avoid null-ptr-deref in resource_size().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfebf05883cdcf9ac983033987fae869bd59ca53",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
},
{
"lessThan": "feca904412483b2e0a903dd1f2e2843afd445f8c",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
},
{
"lessThan": "73b6924cdebc899de9b719e1319aa86c6bed4acf",
"status": "affected",
"version": "42d57fc58aebc5801804424082028f43bad1b73c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Check return value after calling platform_get_resource()\n\nplatform_get_resource() may return NULL pointer, we need check its\nreturn value to avoid null-ptr-deref in resource_size()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:17.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfebf05883cdcf9ac983033987fae869bd59ca53"
},
{
"url": "https://git.kernel.org/stable/c/feca904412483b2e0a903dd1f2e2843afd445f8c"
},
{
"url": "https://git.kernel.org/stable/c/73b6924cdebc899de9b719e1319aa86c6bed4acf"
}
],
"title": "iommu/mediatek: Check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50524",
"datePublished": "2025-10-07T15:19:17.251Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:17.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38715 (GCVE-0-2025-38715)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix slab-out-of-bounds in hfs_bnode_read()
This patch introduces is_bnode_offset_valid() method that checks
the requested offset value. Also, it introduces
check_and_correct_requested_length() method that checks and
correct the requested length (if it is necessary). These methods
are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),
hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent
the access out of allocated memory and triggering the crash.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:47.773Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7d2dc2421e821e4045775e6dc226378328de6f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "67ecc81f6492275c9c54280532f558483c99c90e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1a60e79502279f996e55052f50cc14919020475",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe2891a9c43ab87d1a210d61e6438ca6936e2f62",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "384a66b89f9540a9a8cb0f48807697dfabaece4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efc095b35b23297e419c2ab4fc1ed1a8f0781a29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fc7f732984ec91f30be3e574e0644066d07f2b78",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eec522fd0d28106b14a59ab2d658605febe4a3bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a431930c9bac518bf99d6b1da526a7f37ddee8d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix slab-out-of-bounds in hfs_bnode_read()\n\nThis patch introduces is_bnode_offset_valid() method that checks\nthe requested offset value. Also, it introduces\ncheck_and_correct_requested_length() method that checks and\ncorrect the requested length (if it is necessary). These methods\nare used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),\nhfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent\nthe access out of allocated memory and triggering the crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:38.351Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7d2dc2421e821e4045775e6dc226378328de6f6"
},
{
"url": "https://git.kernel.org/stable/c/67ecc81f6492275c9c54280532f558483c99c90e"
},
{
"url": "https://git.kernel.org/stable/c/a1a60e79502279f996e55052f50cc14919020475"
},
{
"url": "https://git.kernel.org/stable/c/fe2891a9c43ab87d1a210d61e6438ca6936e2f62"
},
{
"url": "https://git.kernel.org/stable/c/384a66b89f9540a9a8cb0f48807697dfabaece4c"
},
{
"url": "https://git.kernel.org/stable/c/efc095b35b23297e419c2ab4fc1ed1a8f0781a29"
},
{
"url": "https://git.kernel.org/stable/c/fc7f732984ec91f30be3e574e0644066d07f2b78"
},
{
"url": "https://git.kernel.org/stable/c/eec522fd0d28106b14a59ab2d658605febe4a3bb"
},
{
"url": "https://git.kernel.org/stable/c/a431930c9bac518bf99d6b1da526a7f37ddee8d8"
}
],
"title": "hfs: fix slab-out-of-bounds in hfs_bnode_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38715",
"datePublished": "2025-09-04T15:33:09.954Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:47.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53206 (GCVE-0-2023-53206)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus_core) Fix NULL pointer dereference
Pass i2c_client to _pmbus_is_enabled to drop the assumption
that a regulator device is passed in.
This will fix the issue of a NULL pointer dereference when called from
_pmbus_get_flags.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/pmbus/pmbus_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7444253cacd92412bc8d33d1c9b5401f52cdf0e2",
"status": "affected",
"version": "df5f6b6af01ca326dd4babb287c9580fed0ad3d6",
"versionType": "git"
},
{
"lessThan": "0bd66784274a287beada2933c2c0fa3a0ddae0d7",
"status": "affected",
"version": "df5f6b6af01ca326dd4babb287c9580fed0ad3d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/pmbus/pmbus_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus_core) Fix NULL pointer dereference\n\nPass i2c_client to _pmbus_is_enabled to drop the assumption\nthat a regulator device is passed in.\n\nThis will fix the issue of a NULL pointer dereference when called from\n_pmbus_get_flags."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:34.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7444253cacd92412bc8d33d1c9b5401f52cdf0e2"
},
{
"url": "https://git.kernel.org/stable/c/0bd66784274a287beada2933c2c0fa3a0ddae0d7"
}
],
"title": "hwmon: (pmbus_core) Fix NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53206",
"datePublished": "2025-09-15T14:21:34.551Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:34.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39701 (GCVE-0-2025-39701)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: pfr_update: Fix the driver update version check
The security-version-number check should be used rather
than the runtime version check for driver updates.
Otherwise, the firmware update would fail when the update binary had
a lower runtime version number than the current one.
[ rjw: Changelog edits ]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:29.730Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/pfr_update.c",
"include/uapi/linux/pfrut.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79300ff532bccbbf654992c7c0863b49a6c3973c",
"status": "affected",
"version": "0db89fa243e5edc5de38c88b369e4c3755c5fb74",
"versionType": "git"
},
{
"lessThan": "cf0a88124e357bffda487cbf3cb612bb97eb97e4",
"status": "affected",
"version": "0db89fa243e5edc5de38c88b369e4c3755c5fb74",
"versionType": "git"
},
{
"lessThan": "b00219888c11519ef75d988fa8a780da68ff568e",
"status": "affected",
"version": "0db89fa243e5edc5de38c88b369e4c3755c5fb74",
"versionType": "git"
},
{
"lessThan": "908094681f645d3a78e18ef90561a97029e2df7b",
"status": "affected",
"version": "0db89fa243e5edc5de38c88b369e4c3755c5fb74",
"versionType": "git"
},
{
"lessThan": "8151320c747efb22d30b035af989fed0d502176e",
"status": "affected",
"version": "0db89fa243e5edc5de38c88b369e4c3755c5fb74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/pfr_update.c",
"include/uapi/linux/pfrut.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: pfr_update: Fix the driver update version check\n\nThe security-version-number check should be used rather\nthan the runtime version check for driver updates.\n\nOtherwise, the firmware update would fail when the update binary had\na lower runtime version number than the current one.\n\n[ rjw: Changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:42.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79300ff532bccbbf654992c7c0863b49a6c3973c"
},
{
"url": "https://git.kernel.org/stable/c/cf0a88124e357bffda487cbf3cb612bb97eb97e4"
},
{
"url": "https://git.kernel.org/stable/c/b00219888c11519ef75d988fa8a780da68ff568e"
},
{
"url": "https://git.kernel.org/stable/c/908094681f645d3a78e18ef90561a97029e2df7b"
},
{
"url": "https://git.kernel.org/stable/c/8151320c747efb22d30b035af989fed0d502176e"
}
],
"title": "ACPI: pfr_update: Fix the driver update version check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39701",
"datePublished": "2025-09-05T17:21:07.580Z",
"dateReserved": "2025-04-16T07:20:57.115Z",
"dateUpdated": "2025-11-03T17:42:29.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39985 (GCVE-0-2025-39985)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on these lines:
usb_msg.dlc = cf->len;
memcpy(usb_msg.data, cf->data, usb_msg.dlc);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fa9303c4b9493727e0d3a6ac3729300e3013930",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "37aed407496bf6de8910e588edb04d2435fa7011",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6eec67bfb25637f9b51e584cf59ddace59925bc8",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "3664ae91b26d1fd7e4cee9cde17301361f4c89d5",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6b9fb82df8868dbe9ffea5874b8d35f951faedbb",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b638c3fb0f163e69785ceddb3b434a9437878bec",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the mcba_usb driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, mcba_usb_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on these lines:\n\n\tusb_msg.dlc = cf-\u003elen;\n\n\tmemcpy(usb_msg.data, cf-\u003edata, usb_msg.dlc);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:04.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fa9303c4b9493727e0d3a6ac3729300e3013930"
},
{
"url": "https://git.kernel.org/stable/c/37aed407496bf6de8910e588edb04d2435fa7011"
},
{
"url": "https://git.kernel.org/stable/c/6eec67bfb25637f9b51e584cf59ddace59925bc8"
},
{
"url": "https://git.kernel.org/stable/c/ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1"
},
{
"url": "https://git.kernel.org/stable/c/3664ae91b26d1fd7e4cee9cde17301361f4c89d5"
},
{
"url": "https://git.kernel.org/stable/c/6b9fb82df8868dbe9ffea5874b8d35f951faedbb"
},
{
"url": "https://git.kernel.org/stable/c/b638c3fb0f163e69785ceddb3b434a9437878bec"
},
{
"url": "https://git.kernel.org/stable/c/17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6"
}
],
"title": "can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39985",
"datePublished": "2025-10-15T07:56:04.439Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:04.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53639 (GCVE-0-2023-53639)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath6kl: reduce WARN to dev_dbg() in callback
The warn is triggered on a known race condition, documented in the code above
the test, that is correctly handled. Using WARN() hinders automated testing.
Reducing severity.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b Version: de2070fc4aa7c0205348010f500f5abce012e67b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath6kl/htc_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2a429e6da37e32438a9adc250cc176a889c16a4",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "e7865f84adaf75cee1a4bbf79680329eca92b4e1",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "0d1792c98351b7c8ebdc53d052918e77d1e512c3",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "1300517e371e4d0acdb0f1237477e1ed223c3a9a",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "484d95c69fc1143f09e4c2e3b89019d68d190a92",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "644df7e865e76ab7a62c67c25cbbc093c944d0ef",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "6f93154d61b345acbc405c6dee16afb845eb298e",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "cbec770521ebc455c9811a23222faf8911422d4a",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
},
{
"lessThan": "75c4a8154cb6c7239fb55d5550f481f6765fb83c",
"status": "affected",
"version": "de2070fc4aa7c0205348010f500f5abce012e67b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath6kl/htc_pipe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath6kl: reduce WARN to dev_dbg() in callback\n\nThe warn is triggered on a known race condition, documented in the code above\nthe test, that is correctly handled. Using WARN() hinders automated testing.\nReducing severity."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:39.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2a429e6da37e32438a9adc250cc176a889c16a4"
},
{
"url": "https://git.kernel.org/stable/c/e7865f84adaf75cee1a4bbf79680329eca92b4e1"
},
{
"url": "https://git.kernel.org/stable/c/0d1792c98351b7c8ebdc53d052918e77d1e512c3"
},
{
"url": "https://git.kernel.org/stable/c/1300517e371e4d0acdb0f1237477e1ed223c3a9a"
},
{
"url": "https://git.kernel.org/stable/c/484d95c69fc1143f09e4c2e3b89019d68d190a92"
},
{
"url": "https://git.kernel.org/stable/c/644df7e865e76ab7a62c67c25cbbc093c944d0ef"
},
{
"url": "https://git.kernel.org/stable/c/6f93154d61b345acbc405c6dee16afb845eb298e"
},
{
"url": "https://git.kernel.org/stable/c/cbec770521ebc455c9811a23222faf8911422d4a"
},
{
"url": "https://git.kernel.org/stable/c/75c4a8154cb6c7239fb55d5550f481f6765fb83c"
}
],
"title": "wifi: ath6kl: reduce WARN to dev_dbg() in callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53639",
"datePublished": "2025-10-07T15:19:39.664Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:39.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50479 (GCVE-0-2022-50479)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-06 09:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd: fix potential memory leak
This patch fix potential memory leak (clk_src) when function run
into last return NULL.
s/free/kfree/ - Alex
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6e6ab9caeac96b277a3fe7da1dfa8f69a591759",
"status": "affected",
"version": "3a83e4e64bb1522ddac67ffc787d1c38291e1a65",
"versionType": "git"
},
{
"lessThan": "6160216fd2c97107e8a9ab39863b056d677fcd85",
"status": "affected",
"version": "3a83e4e64bb1522ddac67ffc787d1c38291e1a65",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: fix potential memory leak\n\nThis patch fix potential memory leak (clk_src) when function run\ninto last return NULL.\n\ns/free/kfree/ - Alex"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T09:07:15.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6e6ab9caeac96b277a3fe7da1dfa8f69a591759"
},
{
"url": "https://git.kernel.org/stable/c/6160216fd2c97107e8a9ab39863b056d677fcd85"
}
],
"title": "drm/amd: fix potential memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50479",
"datePublished": "2025-10-04T15:16:39.021Z",
"dateReserved": "2025-10-04T15:13:33.467Z",
"dateUpdated": "2025-10-06T09:07:15.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53693 (GCVE-0-2023-53693)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-30 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix the memory leak in raw_gadget driver
Currently, increasing raw_dev->count happens before invoke the
raw_queue_event(), if the raw_queue_event() return error, invoke
raw_release() will not trigger the dev_free() to be called.
[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event
[ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12
[ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12
[ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16
BUG: memory leak
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
[<ffffffff8347eb55>] kmalloc include/linux/slab.h:582 [inline]
[<ffffffff8347eb55>] kzalloc include/linux/slab.h:703 [inline]
[<ffffffff8347eb55>] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]
[<ffffffff8347eb55>] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385
[<ffffffff827d1d09>] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
[<ffffffff8347cd2f>] kmalloc include/linux/slab.h:582 [inline]
[<ffffffff8347cd2f>] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460
[<ffffffff8347dfe9>] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250
[<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
[<ffffffff833ecc6a>] kmalloc include/linux/slab.h:582 [inline]
[<ffffffff833ecc6a>] kzalloc include/linux/slab.h:703 [inline]
[<ffffffff833ecc6a>] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665
[<ffffffff833e9132>] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196
[<ffffffff8347f13d>] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292
This commit therefore invoke kref_get() under the condition that
raw_queue_event() return success.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/legacy/raw_gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68e6287ac61dc22513cd39f02b9ac1fef28513e4",
"status": "affected",
"version": "f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10",
"versionType": "git"
},
{
"lessThan": "0f7a2b567197798da7bfa2252f4485c0ca6c6266",
"status": "affected",
"version": "f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10",
"versionType": "git"
},
{
"lessThan": "de77000c1923d7942f9b4f08447c8feeae1c0f33",
"status": "affected",
"version": "f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10",
"versionType": "git"
},
{
"lessThan": "9934e5d07c0dc294169a7d52f6309f35cd6d7755",
"status": "affected",
"version": "f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10",
"versionType": "git"
},
{
"lessThan": "83e30f2bf86ef7c38fbd476ed81a88522b620628",
"status": "affected",
"version": "f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/legacy/raw_gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix the memory leak in raw_gadget driver\n\nCurrently, increasing raw_dev-\u003ecount happens before invoke the\nraw_queue_event(), if the raw_queue_event() return error, invoke\nraw_release() will not trigger the dev_free() to be called.\n\n[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event\n[ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12\n[ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12\n[ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn\u0027t find an available UDC or it\u0027s busy\n[ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16\n\nBUG: memory leak\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff8347eb55\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff8347eb55\u003e] kzalloc include/linux/slab.h:703 [inline]\n[\u003cffffffff8347eb55\u003e] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]\n[\u003cffffffff8347eb55\u003e] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385\n[\u003cffffffff827d1d09\u003e] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff8347cd2f\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff8347cd2f\u003e] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460\n[\u003cffffffff8347dfe9\u003e] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250\n[\u003cffffffff81685173\u003e] vfs_ioctl fs/ioctl.c:51 [inline]\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff833ecc6a\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff833ecc6a\u003e] kzalloc include/linux/slab.h:703 [inline]\n[\u003cffffffff833ecc6a\u003e] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665\n[\u003cffffffff833e9132\u003e] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196\n[\u003cffffffff8347f13d\u003e] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292\n\nThis commit therefore invoke kref_get() under the condition that\nraw_queue_event() return success."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:07.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68e6287ac61dc22513cd39f02b9ac1fef28513e4"
},
{
"url": "https://git.kernel.org/stable/c/0f7a2b567197798da7bfa2252f4485c0ca6c6266"
},
{
"url": "https://git.kernel.org/stable/c/de77000c1923d7942f9b4f08447c8feeae1c0f33"
},
{
"url": "https://git.kernel.org/stable/c/9934e5d07c0dc294169a7d52f6309f35cd6d7755"
},
{
"url": "https://git.kernel.org/stable/c/83e30f2bf86ef7c38fbd476ed81a88522b620628"
}
],
"title": "USB: gadget: Fix the memory leak in raw_gadget driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53693",
"datePublished": "2025-10-22T13:23:35.280Z",
"dateReserved": "2025-10-22T13:21:37.344Z",
"dateUpdated": "2025-10-30T19:33:07.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39866 (GCVE-0-2025-39866)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: writeback: fix use-after-free in __mark_inode_dirty()
An use-after-free issue occurred when __mark_inode_dirty() get the
bdi_writeback that was in the progress of switching.
CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mark_inode_dirty+0x124/0x418
lr : __mark_inode_dirty+0x118/0x418
sp : ffffffc08c9dbbc0
........
Call trace:
__mark_inode_dirty+0x124/0x418
generic_update_time+0x4c/0x60
file_modified+0xcc/0xd0
ext4_buffered_write_iter+0x58/0x124
ext4_file_write_iter+0x54/0x704
vfs_write+0x1c0/0x308
ksys_write+0x74/0x10c
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x40/0xe4
el0t_64_sync_handler+0x120/0x12c
el0t_64_sync+0x194/0x198
Root cause is:
systemd-random-seed kworker
----------------------------------------------------------------------
___mark_inode_dirty inode_switch_wbs_work_fn
spin_lock(&inode->i_lock);
inode_attach_wb
locked_inode_to_wb_and_lock_list
get inode->i_wb
spin_unlock(&inode->i_lock);
spin_lock(&wb->list_lock)
spin_lock(&inode->i_lock)
inode_io_list_move_locked
spin_unlock(&wb->list_lock)
spin_unlock(&inode->i_lock)
spin_lock(&old_wb->list_lock)
inode_do_switch_wbs
spin_lock(&inode->i_lock)
inode->i_wb = new_wb
spin_unlock(&inode->i_lock)
spin_unlock(&old_wb->list_lock)
wb_put_many(old_wb, nr_switched)
cgwb_release
old wb released
wb_wakeup_delayed() accesses wb,
then trigger the use-after-free
issue
Fix this race condition by holding inode spinlock until
wb_wakeup_delayed() finished.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:17.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b187c976111960e6e54a6b1fff724f6e3d39406c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1edc2feb9c759a9883dfe81cb5ed231412d8b2e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf89b1f87c72df79cf76203f71fbf8349cd5c9de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e63052921f1b25a836feb1500b841bff7a4a0456",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d02d2c98d25793902f65803ab853b592c7a96b29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed kworker\n----------------------------------------------------------------------\n___mark_inode_dirty inode_switch_wbs_work_fn\n\n spin_lock(\u0026inode-\u003ei_lock);\n inode_attach_wb\n locked_inode_to_wb_and_lock_list\n get inode-\u003ei_wb\n spin_unlock(\u0026inode-\u003ei_lock);\n spin_lock(\u0026wb-\u003elist_lock)\n spin_lock(\u0026inode-\u003ei_lock)\n inode_io_list_move_locked\n spin_unlock(\u0026wb-\u003elist_lock)\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_lock(\u0026old_wb-\u003elist_lock)\n inode_do_switch_wbs\n spin_lock(\u0026inode-\u003ei_lock)\n inode-\u003ei_wb = new_wb\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_unlock(\u0026old_wb-\u003elist_lock)\n wb_put_many(old_wb, nr_switched)\n cgwb_release\n old wb released\n wb_wakeup_delayed() accesses wb,\n then trigger the use-after-free\n issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:22.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b187c976111960e6e54a6b1fff724f6e3d39406c"
},
{
"url": "https://git.kernel.org/stable/c/1edc2feb9c759a9883dfe81cb5ed231412d8b2e4"
},
{
"url": "https://git.kernel.org/stable/c/bf89b1f87c72df79cf76203f71fbf8349cd5c9de"
},
{
"url": "https://git.kernel.org/stable/c/e63052921f1b25a836feb1500b841bff7a4a0456"
},
{
"url": "https://git.kernel.org/stable/c/c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a"
},
{
"url": "https://git.kernel.org/stable/c/d02d2c98d25793902f65803ab853b592c7a96b29"
}
],
"title": "fs: writeback: fix use-after-free in __mark_inode_dirty()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39866",
"datePublished": "2025-09-19T15:26:35.725Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:17.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53280 (GCVE-0-2023-53280)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
gets called for uninitialized wait queue sp->nvme_ls_waitq.
qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
RIP: 0010:__wake_up_common+0x4c/0x190
RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__wake_up_common_lock+0x7c/0xc0
qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed
previously in the commits tagged Fixed: below.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5621b0dd74532c09965264c14958de3f85b498a6 Version: 5621b0dd74532c09965264c14958de3f85b498a6 Version: 5621b0dd74532c09965264c14958de3f85b498a6 Version: 5621b0dd74532c09965264c14958de3f85b498a6 Version: 5621b0dd74532c09965264c14958de3f85b498a6 Version: 5621b0dd74532c09965264c14958de3f85b498a6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7084ebf4f54d46fed5153112d685f4137334175",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "0b1ce92fabdb7d02ddf8641230a06e2752ae5baa",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "522ee1b3030f3b6b5fd59489d12b4ca767c9e5da",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "f459d586fdf12c53116c9fddf43065165fdd5969",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "92529387a0066754fd9cda080fb3298b8cca750c",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
},
{
"lessThan": "20fce500b232b970e40312a9c97e7f3b6d7a709c",
"status": "affected",
"version": "5621b0dd74532c09965264c14958de3f85b498a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Remove unused nvme_ls_waitq wait queue\n\nSystem crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up\ngets called for uninitialized wait queue sp-\u003envme_ls_waitq.\n\n qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0\n qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n\nRemove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed\npreviously in the commits tagged Fixed: below."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:14.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7084ebf4f54d46fed5153112d685f4137334175"
},
{
"url": "https://git.kernel.org/stable/c/0b1ce92fabdb7d02ddf8641230a06e2752ae5baa"
},
{
"url": "https://git.kernel.org/stable/c/522ee1b3030f3b6b5fd59489d12b4ca767c9e5da"
},
{
"url": "https://git.kernel.org/stable/c/f459d586fdf12c53116c9fddf43065165fdd5969"
},
{
"url": "https://git.kernel.org/stable/c/92529387a0066754fd9cda080fb3298b8cca750c"
},
{
"url": "https://git.kernel.org/stable/c/20fce500b232b970e40312a9c97e7f3b6d7a709c"
}
],
"title": "scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53280",
"datePublished": "2025-09-16T08:11:14.533Z",
"dateReserved": "2025-09-16T08:09:37.991Z",
"dateUpdated": "2025-09-16T08:11:14.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39693 (GCVE-0-2025-39693)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Avoid a NULL pointer dereference
[WHY]
Although unlikely drm_atomic_get_new_connector_state() or
drm_atomic_get_old_connector_state() can return NULL.
[HOW]
Check returns before dereference.
(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:25.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "6f860abff89417c0354b6ee5bbca188a233c5762",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "36a6b43573d152736eaf2557fe60580dd73e9350",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "f653dd30839eb4f573a7539e90b8a58ff9bedf2f",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "07b93a5704b0b72002f0c4bd1076214af67dc661",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid a NULL pointer dereference\n\n[WHY]\nAlthough unlikely drm_atomic_get_new_connector_state() or\ndrm_atomic_get_old_connector_state() can return NULL.\n\n[HOW]\nCheck returns before dereference.\n\n(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:32.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0"
},
{
"url": "https://git.kernel.org/stable/c/6f860abff89417c0354b6ee5bbca188a233c5762"
},
{
"url": "https://git.kernel.org/stable/c/36a6b43573d152736eaf2557fe60580dd73e9350"
},
{
"url": "https://git.kernel.org/stable/c/f653dd30839eb4f573a7539e90b8a58ff9bedf2f"
},
{
"url": "https://git.kernel.org/stable/c/0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165"
},
{
"url": "https://git.kernel.org/stable/c/07b93a5704b0b72002f0c4bd1076214af67dc661"
}
],
"title": "drm/amd/display: Avoid a NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39693",
"datePublished": "2025-09-05T17:20:59.287Z",
"dateReserved": "2025-04-16T07:20:57.114Z",
"dateUpdated": "2025-11-03T17:42:25.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53665 (GCVE-0-2023-53665)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: don't dereference mddev after export_rdev()
Except for initial reference, mddev->kobject is referenced by
rdev->kobject, and if the last rdev is freed, there is no guarantee that
mddev is still valid. Hence mddev should not be used anymore after
export_rdev().
This problem can be triggered by following test for mdadm at very
low rate:
New file: mdadm/tests/23rdev-lifetime
devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev`
pid=""
runtime=2
clean_up_test() {
pill -9 $pid
echo clear > /sys/block/md0/md/array_state
}
trap 'clean_up_test' EXIT
add_by_sysfs() {
while true; do
echo $devt > /sys/block/md0/md/new_dev
done
}
remove_by_sysfs(){
while true; do
echo remove > /sys/block/md0/md/dev-${devname}/state
done
}
echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"
add_by_sysfs &
pid="$pid $!"
remove_by_sysfs &
pid="$pid $!"
sleep $runtime
exit 0
Test cmd:
./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime
Test result:
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP
CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562
RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]
Call Trace:
<TASK>
mddev_unlock+0x1b6/0x310 [md_mod]
rdev_attr_store+0xec/0x190 [md_mod]
sysfs_kf_write+0x52/0x70
kernfs_fop_write_iter+0x19a/0x2a0
vfs_write+0x3b5/0x770
ksys_write+0x74/0x150
__x64_sys_write+0x22/0x30
do_syscall_64+0x40/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix this problem by don't dereference mddev after export_rdev().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad430ad0669d2757377373390d68e1454fc7a344",
"status": "affected",
"version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
"versionType": "git"
},
{
"lessThan": "7deac114be5fb25a4e865212ed0feaf5f85f2a28",
"status": "affected",
"version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: don\u0027t dereference mddev after export_rdev()\n\nExcept for initial reference, mddev-\u003ekobject is referenced by\nrdev-\u003ekobject, and if the last rdev is freed, there is no guarantee that\nmddev is still valid. Hence mddev should not be used anymore after\nexport_rdev().\n\nThis problem can be triggered by following test for mdadm at very\nlow rate:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n pill -9 $pid\n echo clear \u003e /sys/block/md0/md/array_state\n}\n\ntrap \u0027clean_up_test\u0027 EXIT\n\nadd_by_sysfs() {\n while true; do\n echo $devt \u003e /sys/block/md0/md/new_dev\n done\n}\n\nremove_by_sysfs(){\n while true; do\n echo remove \u003e /sys/block/md0/md/dev-${devname}/state\n done\n}\n\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs \u0026\npid=\"$pid $!\"\n\nremove_by_sysfs \u0026\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\nCPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\nCall Trace:\n \u003cTASK\u003e\n mddev_unlock+0x1b6/0x310 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix this problem by don\u0027t dereference mddev after export_rdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:23.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad430ad0669d2757377373390d68e1454fc7a344"
},
{
"url": "https://git.kernel.org/stable/c/7deac114be5fb25a4e865212ed0feaf5f85f2a28"
}
],
"title": "md: don\u0027t dereference mddev after export_rdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53665",
"datePublished": "2025-10-07T15:21:23.808Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:23.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53718 (GCVE-0-2023-53718)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Do not swap cpu_buffer during resize process
When ring_buffer_swap_cpu was called during resize process,
the cpu buffer was swapped in the middle, resulting in incorrect state.
Continuing to run in the wrong state will result in oops.
This issue can be easily reproduced using the following two scripts:
/tmp # cat test1.sh
//#! /bin/sh
for i in `seq 0 100000`
do
echo 2000 > /sys/kernel/debug/tracing/buffer_size_kb
sleep 0.5
echo 5000 > /sys/kernel/debug/tracing/buffer_size_kb
sleep 0.5
done
/tmp # cat test2.sh
//#! /bin/sh
for i in `seq 0 100000`
do
echo irqsoff > /sys/kernel/debug/tracing/current_tracer
sleep 1
echo nop > /sys/kernel/debug/tracing/current_tracer
sleep 1
done
/tmp # ./test1.sh &
/tmp # ./test2.sh &
A typical oops log is as follows, sometimes with other different oops logs.
[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8
[ 231.713375] Modules linked in:
[ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15
[ 231.716750] Hardware name: linux,dummy-virt (DT)
[ 231.718152] Workqueue: events update_pages_handler
[ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 231.721171] pc : rb_update_pages+0x378/0x3f8
[ 231.722212] lr : rb_update_pages+0x25c/0x3f8
[ 231.723248] sp : ffff800082b9bd50
[ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000
[ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0
[ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a
[ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000
[ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510
[ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002
[ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558
[ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001
[ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000
[ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208
[ 231.744196] Call trace:
[ 231.744892] rb_update_pages+0x378/0x3f8
[ 231.745893] update_pages_handler+0x1c/0x38
[ 231.746893] process_one_work+0x1f0/0x468
[ 231.747852] worker_thread+0x54/0x410
[ 231.748737] kthread+0x124/0x138
[ 231.749549] ret_from_fork+0x10/0x20
[ 231.750434] ---[ end trace 0000000000000000 ]---
[ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 233.721696] Mem abort info:
[ 233.721935] ESR = 0x0000000096000004
[ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits
[ 233.722596] SET = 0, FnV = 0
[ 233.722805] EA = 0, S1PTW = 0
[ 233.723026] FSC = 0x04: level 0 translation fault
[ 233.723458] Data abort info:
[ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000
[ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 233.726720] Modules linked in:
[ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15
[ 233.727777] Hardware name: linux,dummy-virt (DT)
[ 233.728225] Workqueue: events update_pages_handler
[ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 233.729054] pc : rb_update_pages+0x1a8/0x3f8
[ 233.729334] lr : rb_update_pages+0x154/0x3f8
[ 233.729592] sp : ffff800082b9bd50
[ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66a3b2a121386702663065d5c9e5a33c03d3f4a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "49b830d75f03d5dd41146d10e4d3e2a8211c4b94",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "128c06a34cfe55212632533a706b050d54552741",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02e52d7daaa3f0f48819f198092cf4871065bbf7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a96c0288d0737ad77882024974c075345c72011",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not swap cpu_buffer during resize process\n\nWhen ring_buffer_swap_cpu was called during resize process,\nthe cpu buffer was swapped in the middle, resulting in incorrect state.\nContinuing to run in the wrong state will result in oops.\n\nThis issue can be easily reproduced using the following two scripts:\n/tmp # cat test1.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n echo 2000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n sleep 0.5\n echo 5000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n sleep 0.5\ndone\n/tmp # cat test2.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n echo irqsoff \u003e /sys/kernel/debug/tracing/current_tracer\n sleep 1\n echo nop \u003e /sys/kernel/debug/tracing/current_tracer\n sleep 1\ndone\n/tmp # ./test1.sh \u0026\n/tmp # ./test2.sh \u0026\n\nA typical oops log is as follows, sometimes with other different oops logs.\n\n[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8\n[ 231.713375] Modules linked in:\n[ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15\n[ 231.716750] Hardware name: linux,dummy-virt (DT)\n[ 231.718152] Workqueue: events update_pages_handler\n[ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 231.721171] pc : rb_update_pages+0x378/0x3f8\n[ 231.722212] lr : rb_update_pages+0x25c/0x3f8\n[ 231.723248] sp : ffff800082b9bd50\n[ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000\n[ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0\n[ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a\n[ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000\n[ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510\n[ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002\n[ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558\n[ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001\n[ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000\n[ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208\n[ 231.744196] Call trace:\n[ 231.744892] rb_update_pages+0x378/0x3f8\n[ 231.745893] update_pages_handler+0x1c/0x38\n[ 231.746893] process_one_work+0x1f0/0x468\n[ 231.747852] worker_thread+0x54/0x410\n[ 231.748737] kthread+0x124/0x138\n[ 231.749549] ret_from_fork+0x10/0x20\n[ 231.750434] ---[ end trace 0000000000000000 ]---\n[ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 233.721696] Mem abort info:\n[ 233.721935] ESR = 0x0000000096000004\n[ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 233.722596] SET = 0, FnV = 0\n[ 233.722805] EA = 0, S1PTW = 0\n[ 233.723026] FSC = 0x04: level 0 translation fault\n[ 233.723458] Data abort info:\n[ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000\n[ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 233.726720] Modules linked in:\n[ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15\n[ 233.727777] Hardware name: linux,dummy-virt (DT)\n[ 233.728225] Workqueue: events update_pages_handler\n[ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 233.729054] pc : rb_update_pages+0x1a8/0x3f8\n[ 233.729334] lr : rb_update_pages+0x154/0x3f8\n[ 233.729592] sp : ffff800082b9bd50\n[ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:50.809Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66a3b2a121386702663065d5c9e5a33c03d3f4a2"
},
{
"url": "https://git.kernel.org/stable/c/49b830d75f03d5dd41146d10e4d3e2a8211c4b94"
},
{
"url": "https://git.kernel.org/stable/c/128c06a34cfe55212632533a706b050d54552741"
},
{
"url": "https://git.kernel.org/stable/c/02e52d7daaa3f0f48819f198092cf4871065bbf7"
},
{
"url": "https://git.kernel.org/stable/c/8a96c0288d0737ad77882024974c075345c72011"
}
],
"title": "ring-buffer: Do not swap cpu_buffer during resize process",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53718",
"datePublished": "2025-10-22T13:23:50.809Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:50.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39945 (GCVE-0-2025-39945)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cnic: Fix use-after-free bugs in cnic_delete_task
The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
which does not guarantee that the delayed work item 'delete_task' has
fully completed if it was already running. Additionally, the delayed work
item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only
blocks and waits for work items that were already queued to the
workqueue prior to its invocation. Any work items submitted after
flush_workqueue() is called are not included in the set of tasks that the
flush operation awaits. This means that after the cyclic work items have
finished executing, a delayed work item may still exist in the workqueue.
This leads to use-after-free scenarios where the cnic_dev is deallocated
by cnic_free_dev(), while delete_task remains active and attempt to
dereference cnic_dev in cnic_delete_task().
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
cnic_netdev_event() |
cnic_stop_hw() | cnic_delete_task()
cnic_cm_stop_bnx2x_hw() | ...
cancel_delayed_work() | /* the queue_delayed_work()
flush_workqueue() | executes after flush_workqueue()*/
| queue_delayed_work()
cnic_free_dev(dev)//free | cnic_delete_task() //new instance
| dev = cp->dev; //use
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the cyclic delayed work item is properly canceled and that any
ongoing execution of the work item completes before the cnic_dev is
deallocated. Furthermore, since cancel_delayed_work_sync() uses
__flush_work(work, true) to synchronously wait for any currently
executing instance of the work item to finish, the flush_workqueue()
becomes redundant and should be removed.
This bug was identified through static analysis. To reproduce the issue
and validate the fix, I simulated the cnic PCI device in QEMU and
introduced intentional delays — such as inserting calls to ssleep()
within the cnic_delete_task() function — to increase the likelihood
of triggering the bug.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fde6e73189f40ebcf0633aed2b68e731c25f3aa3",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "7b6a5b0a6b392263c3767fc945b311ea04b34bbd",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0405055930264ea8fd26f4131466fa7652e5e47d",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "e1fcd4a9c09feac0902a65615e866dbf22616125",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "8eeb2091e72d75df8ceaa2172638d61b4cf8929a",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "6e33a7eed587062ca8161ad1f4584882a860d697",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0627e1481676669cae2df0d85b5ff13e7d24c390",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "cfa7d9b1e3a8604afc84e9e51d789c29574fb216",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncnic: Fix use-after-free bugs in cnic_delete_task\n\nThe original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),\nwhich does not guarantee that the delayed work item \u0027delete_task\u0027 has\nfully completed if it was already running. Additionally, the delayed work\nitem is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only\nblocks and waits for work items that were already queued to the\nworkqueue prior to its invocation. Any work items submitted after\nflush_workqueue() is called are not included in the set of tasks that the\nflush operation awaits. This means that after the cyclic work items have\nfinished executing, a delayed work item may still exist in the workqueue.\nThis leads to use-after-free scenarios where the cnic_dev is deallocated\nby cnic_free_dev(), while delete_task remains active and attempt to\ndereference cnic_dev in cnic_delete_task().\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\ncnic_netdev_event() |\n cnic_stop_hw() | cnic_delete_task()\n cnic_cm_stop_bnx2x_hw() | ...\n cancel_delayed_work() | /* the queue_delayed_work()\n flush_workqueue() | executes after flush_workqueue()*/\n | queue_delayed_work()\n cnic_free_dev(dev)//free | cnic_delete_task() //new instance\n | dev = cp-\u003edev; //use\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the cyclic delayed work item is properly canceled and that any\nongoing execution of the work item completes before the cnic_dev is\ndeallocated. Furthermore, since cancel_delayed_work_sync() uses\n__flush_work(work, true) to synchronously wait for any currently\nexecuting instance of the work item to finish, the flush_workqueue()\nbecomes redundant and should be removed.\n\nThis bug was identified through static analysis. To reproduce the issue\nand validate the fix, I simulated the cnic PCI device in QEMU and\nintroduced intentional delays \u2014 such as inserting calls to ssleep()\nwithin the cnic_delete_task() function \u2014 to increase the likelihood\nof triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:04.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fde6e73189f40ebcf0633aed2b68e731c25f3aa3"
},
{
"url": "https://git.kernel.org/stable/c/7b6a5b0a6b392263c3767fc945b311ea04b34bbd"
},
{
"url": "https://git.kernel.org/stable/c/0405055930264ea8fd26f4131466fa7652e5e47d"
},
{
"url": "https://git.kernel.org/stable/c/e1fcd4a9c09feac0902a65615e866dbf22616125"
},
{
"url": "https://git.kernel.org/stable/c/8eeb2091e72d75df8ceaa2172638d61b4cf8929a"
},
{
"url": "https://git.kernel.org/stable/c/6e33a7eed587062ca8161ad1f4584882a860d697"
},
{
"url": "https://git.kernel.org/stable/c/0627e1481676669cae2df0d85b5ff13e7d24c390"
},
{
"url": "https://git.kernel.org/stable/c/cfa7d9b1e3a8604afc84e9e51d789c29574fb216"
}
],
"title": "cnic: Fix use-after-free bugs in cnic_delete_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39945",
"datePublished": "2025-10-04T07:31:07.109Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53321 (GCVE-0-2023-53321)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211_hwsim: drop short frames
While technically some control frames like ACK are shorter and
end after Address 1, such frames shouldn't be forwarded through
wmediumd or similar userspace, so require the full 3-address
header to avoid accessing invalid memory if shorter frames are
passed in.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3beb97bed860d95b14ad23578ce8ddaea62023db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "672205c6f2d11978fcd7f0f336bb2c708e28874b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c64ee9dd335832d5e2ab0a8fc83a34ad4c729799",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9a175e3b250b0dc6e152988040aa5014e98e61e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89a41ed7f21476301659ebd25ccb48a60791c1a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: drop short frames\n\nWhile technically some control frames like ACK are shorter and\nend after Address 1, such frames shouldn\u0027t be forwarded through\nwmediumd or similar userspace, so require the full 3-address\nheader to avoid accessing invalid memory if shorter frames are\npassed in."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:57.206Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3beb97bed860d95b14ad23578ce8ddaea62023db"
},
{
"url": "https://git.kernel.org/stable/c/672205c6f2d11978fcd7f0f336bb2c708e28874b"
},
{
"url": "https://git.kernel.org/stable/c/c64ee9dd335832d5e2ab0a8fc83a34ad4c729799"
},
{
"url": "https://git.kernel.org/stable/c/b9a175e3b250b0dc6e152988040aa5014e98e61e"
},
{
"url": "https://git.kernel.org/stable/c/89a41ed7f21476301659ebd25ccb48a60791c1a7"
},
{
"url": "https://git.kernel.org/stable/c/fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6"
}
],
"title": "wifi: mac80211_hwsim: drop short frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53321",
"datePublished": "2025-09-16T16:11:57.206Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:57.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53528 (GCVE-0-2023-53528)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix unsafe drain work queue code
If create_qp does not fully succeed it is possible for qp cleanup
code to attempt to drain the send or recv work queues before the
queues have been created causing a seg fault. This patch checks
to see if the queues exist before attempting to drain them.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c",
"drivers/infiniband/sw/rxe/rxe_resp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da572f6313aeead1f79e0810666bd8d8ffc794d4",
"status": "affected",
"version": "49dc9c1f0c7e396654a31a480328fffd902fa494",
"versionType": "git"
},
{
"lessThan": "d366642b3099bd322375f5b71ba84ab1d586cd6d",
"status": "affected",
"version": "49dc9c1f0c7e396654a31a480328fffd902fa494",
"versionType": "git"
},
{
"lessThan": "5993b75d0bc71cd2b441d174b028fc36180f032c",
"status": "affected",
"version": "49dc9c1f0c7e396654a31a480328fffd902fa494",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c",
"drivers/infiniband/sw/rxe/rxe_resp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix unsafe drain work queue code\n\nIf create_qp does not fully succeed it is possible for qp cleanup\ncode to attempt to drain the send or recv work queues before the\nqueues have been created causing a seg fault. This patch checks\nto see if the queues exist before attempting to drain them."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:13.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da572f6313aeead1f79e0810666bd8d8ffc794d4"
},
{
"url": "https://git.kernel.org/stable/c/d366642b3099bd322375f5b71ba84ab1d586cd6d"
},
{
"url": "https://git.kernel.org/stable/c/5993b75d0bc71cd2b441d174b028fc36180f032c"
}
],
"title": "RDMA/rxe: Fix unsafe drain work queue code",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53528",
"datePublished": "2025-10-01T11:46:13.504Z",
"dateReserved": "2025-10-01T11:39:39.408Z",
"dateUpdated": "2025-10-01T11:46:13.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39709 (GCVE-0-2025-39709)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: venus: protect against spurious interrupts during probe
Make sure the interrupt handler is initialized before the interrupt is
registered.
If the IRQ is registered before hfi_create(), it's possible that an
interrupt fires before the handler setup is complete, leading to a NULL
dereference.
This error condition has been observed during system boot on Rb3Gen2.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:35.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18c2b2bd982b8546312c9a7895515672169f28e0",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "88cf63c2599761c48dec8f618d57dccf8f6f4b53",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "9db6a78bc5e418e0064e2248c8f3b9b9e8418646",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "37cc0ac889b018097c217c5929fd6dc2aed636a1",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "f54be97bc69b1096198b6717c150dec69f2a1b4d",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "639eb587f977c02423f4762467055b23902b4131",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "e796028b4835af00d9a38ebbb208ec3a6634702a",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
},
{
"lessThan": "3200144a2fa4209dc084a19941b9b203b43580f0",
"status": "affected",
"version": "af2c3834c8ca7cc65d15592ac671933df8848115",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: protect against spurious interrupts during probe\n\nMake sure the interrupt handler is initialized before the interrupt is\nregistered.\n\nIf the IRQ is registered before hfi_create(), it\u0027s possible that an\ninterrupt fires before the handler setup is complete, leading to a NULL\ndereference.\n\nThis error condition has been observed during system boot on Rb3Gen2."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:52.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18c2b2bd982b8546312c9a7895515672169f28e0"
},
{
"url": "https://git.kernel.org/stable/c/88cf63c2599761c48dec8f618d57dccf8f6f4b53"
},
{
"url": "https://git.kernel.org/stable/c/9db6a78bc5e418e0064e2248c8f3b9b9e8418646"
},
{
"url": "https://git.kernel.org/stable/c/37cc0ac889b018097c217c5929fd6dc2aed636a1"
},
{
"url": "https://git.kernel.org/stable/c/f54be97bc69b1096198b6717c150dec69f2a1b4d"
},
{
"url": "https://git.kernel.org/stable/c/639eb587f977c02423f4762467055b23902b4131"
},
{
"url": "https://git.kernel.org/stable/c/e796028b4835af00d9a38ebbb208ec3a6634702a"
},
{
"url": "https://git.kernel.org/stable/c/3200144a2fa4209dc084a19941b9b203b43580f0"
}
],
"title": "media: venus: protect against spurious interrupts during probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39709",
"datePublished": "2025-09-05T17:21:16.153Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-11-03T17:42:35.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53534 (GCVE-0-2023-53534)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc
As the devm_kcalloc may return NULL, the return value needs to be checked
to avoid NULL poineter dereference.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b64b6dff15a38468b8cd33fc7864fa4e02b0933a",
"status": "affected",
"version": "31c5558dae0513bd2bae33ea37543f584c6c35a5",
"versionType": "git"
},
{
"lessThan": "62952905e195f7350bc230cf0960a74ddbceed5d",
"status": "affected",
"version": "31c5558dae0513bd2bae33ea37543f584c6c35a5",
"versionType": "git"
},
{
"lessThan": "67ea657c7891c2f86a7750395640d9bdf2555926",
"status": "affected",
"version": "31c5558dae0513bd2bae33ea37543f584c6c35a5",
"versionType": "git"
},
{
"lessThan": "7d569ae98ee5490585929be69fea68047679b7b2",
"status": "affected",
"version": "31c5558dae0513bd2bae33ea37543f584c6c35a5",
"versionType": "git"
},
{
"lessThan": "5bf1e3bd7da625ccf9a22c8cb7d65271e6e47f4c",
"status": "affected",
"version": "31c5558dae0513bd2bae33ea37543f584c6c35a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL poineter dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:45.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b64b6dff15a38468b8cd33fc7864fa4e02b0933a"
},
{
"url": "https://git.kernel.org/stable/c/62952905e195f7350bc230cf0960a74ddbceed5d"
},
{
"url": "https://git.kernel.org/stable/c/67ea657c7891c2f86a7750395640d9bdf2555926"
},
{
"url": "https://git.kernel.org/stable/c/7d569ae98ee5490585929be69fea68047679b7b2"
},
{
"url": "https://git.kernel.org/stable/c/5bf1e3bd7da625ccf9a22c8cb7d65271e6e47f4c"
}
],
"title": "drm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53534",
"datePublished": "2025-10-04T15:16:45.909Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2025-10-04T15:16:45.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38476 (GCVE-0-2025-38476)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-11-03 17:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rpl: Fix use-after-free in rpl_do_srh_inline().
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers
the splat below [0].
rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after
skb_cow_head(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr to a local struct instead of a pointer.
[0]:
[root@fedora net]# ./lwt_dst_cache_ref_loop.sh
...
TEST: rpl (input)
[ 57.631529] ==================================================================
BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
__asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
__dev_queue_xmit (net/core/dev.c:4740)
ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)
ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)
ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)
ip6_send_skb (net/ipv6/ip6_output.c:1983)
rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f68cffb2a06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06
RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003
RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4
R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0
</TASK>
Allocated by task 1543:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)
kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))
__alloc_skb (net/core/skbuff.c:669)
__ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))
ip6_
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:42.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/rpl_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c09e21dfc08d8afb92d9ea3bee3457adbe3ef297",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "e8101506ab86dd78f823b7028f2036a380f3a12a",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "62dcd9d6e61c39122d2f251a26829e2e55b0a11d",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "06ec83b6c792fde1f710c1de3e836da6e257c4c4",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "034b428aa3583373a5a20b1c5931bb2b3cae1f36",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "b640daa2822a39ff76e70200cb2b7b892b896dce",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/rpl_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[ 57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:12.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297"
},
{
"url": "https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc"
},
{
"url": "https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a"
},
{
"url": "https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d"
},
{
"url": "https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4"
},
{
"url": "https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36"
},
{
"url": "https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce"
}
],
"title": "rpl: Fix use-after-free in rpl_do_srh_inline().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38476",
"datePublished": "2025-07-28T11:21:37.175Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-11-03T17:38:42.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53644 (GCVE-0-2023-53644)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: radio-shark: Add endpoint checks
The syzbot fuzzer was able to provoke a WARNING from the radio-shark2
driver:
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
...
The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types. This can be fixed by adding a simple check of
these endpoints (and similarly for the radio-shark driver).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-shark.c",
"drivers/media/radio/radio-shark2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ed6a312ac1e7278f92b1b3d95377b335ae21e89",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "afd72825b4fcb7ae4015e1c93b054f4c37a25684",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b580d0f03c4fc00013cd08f9ed96b87a08fd0d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a30dce9d7f70f8438956f6a01142b926c301334",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1bde4b4360c3d8a35504443efabd3243b802805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53764a17f5d8f0d00b13297d06b5e65fa844288b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c3057a1927fa0b9ed8948b6f3b56b4ff9fa63d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76e31045ba030e94e72105c01b2e98f543d175ac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/radio-shark.c",
"drivers/media/radio/radio-shark2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: radio-shark: Add endpoint checks\n\nThe syzbot fuzzer was able to provoke a WARNING from the radio-shark2\ndriver:\n\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 \u003c0f\u003e 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc90003876dd0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000\nRDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac\nRBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001\nR13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200\nFS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387\n shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88\n...\n\nThe problem was caused by the fact that the driver does not check\nwhether the endpoints it uses are actually present and have the\nappropriate types. This can be fixed by adding a simple check of\nthese endpoints (and similarly for the radio-shark driver)."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:43.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ed6a312ac1e7278f92b1b3d95377b335ae21e89"
},
{
"url": "https://git.kernel.org/stable/c/afd72825b4fcb7ae4015e1c93b054f4c37a25684"
},
{
"url": "https://git.kernel.org/stable/c/2b580d0f03c4fc00013cd08f9ed96b87a08fd0d9"
},
{
"url": "https://git.kernel.org/stable/c/8a30dce9d7f70f8438956f6a01142b926c301334"
},
{
"url": "https://git.kernel.org/stable/c/b1bde4b4360c3d8a35504443efabd3243b802805"
},
{
"url": "https://git.kernel.org/stable/c/53764a17f5d8f0d00b13297d06b5e65fa844288b"
},
{
"url": "https://git.kernel.org/stable/c/4c3057a1927fa0b9ed8948b6f3b56b4ff9fa63d3"
},
{
"url": "https://git.kernel.org/stable/c/76e31045ba030e94e72105c01b2e98f543d175ac"
}
],
"title": "media: radio-shark: Add endpoint checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53644",
"datePublished": "2025-10-07T15:19:43.049Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:43.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50499 (GCVE-0-2022-50499)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-core: Fix double free in dvb_register_device()
In function dvb_register_device() -> dvb_register_media_device() ->
dvb_create_media_entity(), dvb->entity is allocated and initialized. If
the initialization fails, it frees the dvb->entity, and return an error
code. The caller takes the error code and handles the error by calling
dvb_media_device_free(), which unregisters the entity and frees the
field again if it is not NULL. As dvb->entity may not NULLed in
dvb_create_media_entity() when the allocation of dvbdev->pad fails, a
double free may occur. This may also cause an Use After free in
media_device_unregister_entity().
Fix this by storing NULL to dvb->entity when it is freed.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9db28659aa893c68f162b11fd63bb7f6a713e52f Version: 1399a136127bfe1b9bb7c951d9851da62a519121 Version: 4df2427a5148093987437054bb82da4d014dcd59 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: fcd5ce4b3936242e6679875a4d3c3acfc8743e15 Version: 8c17f6f5d0d6aab72a2af25c9911ac66e984be06 Version: 202be5d6e46f682b9d1d79cd4dc6ab726e62ef1c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0588b12c418c3e4f927ced11f27b02ef4a5bfb07",
"status": "affected",
"version": "9db28659aa893c68f162b11fd63bb7f6a713e52f",
"versionType": "git"
},
{
"lessThan": "e9a78485b658361fab6a5547377be6c1af6f1b3d",
"status": "affected",
"version": "1399a136127bfe1b9bb7c951d9851da62a519121",
"versionType": "git"
},
{
"lessThan": "70bc51303871159796b55ba1a8f16637b46c2511",
"status": "affected",
"version": "4df2427a5148093987437054bb82da4d014dcd59",
"versionType": "git"
},
{
"lessThan": "b21f62b49ee9c3e0216d685d9cfd6003e5727271",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"lessThan": "7dd5a68cdbbbe7fc67ba701cb52ba10d8ba149f8",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"lessThan": "acf984a3718c2458eb9e08b6714490a04f213c58",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"lessThan": "772892b29ac50c2c5e918fc80104aa6ede81d837",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"lessThan": "123eddf92a114e03919942641d2c2b1f4ca56ea6",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"lessThan": "6b0d0477fce747d4137aa65856318b55fba72198",
"status": "affected",
"version": "fcd5ce4b3936242e6679875a4d3c3acfc8743e15",
"versionType": "git"
},
{
"status": "affected",
"version": "8c17f6f5d0d6aab72a2af25c9911ac66e984be06",
"versionType": "git"
},
{
"status": "affected",
"version": "202be5d6e46f682b9d1d79cd4dc6ab726e62ef1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: Fix double free in dvb_register_device()\n\nIn function dvb_register_device() -\u003e dvb_register_media_device() -\u003e\ndvb_create_media_entity(), dvb-\u003eentity is allocated and initialized. If\nthe initialization fails, it frees the dvb-\u003eentity, and return an error\ncode. The caller takes the error code and handles the error by calling\ndvb_media_device_free(), which unregisters the entity and frees the\nfield again if it is not NULL. As dvb-\u003eentity may not NULLed in\ndvb_create_media_entity() when the allocation of dvbdev-\u003epad fails, a\ndouble free may occur. This may also cause an Use After free in\nmedia_device_unregister_entity().\n\nFix this by storing NULL to dvb-\u003eentity when it is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:50.064Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0588b12c418c3e4f927ced11f27b02ef4a5bfb07"
},
{
"url": "https://git.kernel.org/stable/c/e9a78485b658361fab6a5547377be6c1af6f1b3d"
},
{
"url": "https://git.kernel.org/stable/c/70bc51303871159796b55ba1a8f16637b46c2511"
},
{
"url": "https://git.kernel.org/stable/c/b21f62b49ee9c3e0216d685d9cfd6003e5727271"
},
{
"url": "https://git.kernel.org/stable/c/7dd5a68cdbbbe7fc67ba701cb52ba10d8ba149f8"
},
{
"url": "https://git.kernel.org/stable/c/acf984a3718c2458eb9e08b6714490a04f213c58"
},
{
"url": "https://git.kernel.org/stable/c/772892b29ac50c2c5e918fc80104aa6ede81d837"
},
{
"url": "https://git.kernel.org/stable/c/123eddf92a114e03919942641d2c2b1f4ca56ea6"
},
{
"url": "https://git.kernel.org/stable/c/6b0d0477fce747d4137aa65856318b55fba72198"
}
],
"title": "media: dvb-core: Fix double free in dvb_register_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50499",
"datePublished": "2025-10-04T15:43:50.064Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:50.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39869 (GCVE-0-2025-39869)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.
This caused out-of-bounds memory writes when accessing:
queue_priority_map[i][0] = i;
queue_priority_map[i][1] = i;
The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.
Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:18.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d4de60d6db02d9b01d5890d5156b04fad65d07a",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d722de80ce037dccf6931e778f4a46499d51bdf9",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "301a96cc4dc006c9a285913d301e681cfbf7edb6",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "1baed10553fc8b388351d8fc803e3ae6f1a863bc",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "069fd1688c57c0cc8a3de64d108579b31676f74b",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d5e82f3f2c918d446df46e8d65f8083fd97cdec5",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "e63419dbf2ceb083c1651852209c7f048089ac0f",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n queue_priority_map[i][0] = i;\n queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:04.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d4de60d6db02d9b01d5890d5156b04fad65d07a"
},
{
"url": "https://git.kernel.org/stable/c/d722de80ce037dccf6931e778f4a46499d51bdf9"
},
{
"url": "https://git.kernel.org/stable/c/301a96cc4dc006c9a285913d301e681cfbf7edb6"
},
{
"url": "https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93"
},
{
"url": "https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc"
},
{
"url": "https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b"
},
{
"url": "https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5"
},
{
"url": "https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f"
}
],
"title": "dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39869",
"datePublished": "2025-09-23T06:00:43.852Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:18.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53457 (GCVE-0-2023-53457)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
FS: JFS: Fix null-ptr-deref Read in txBegin
Syzkaller reported an issue where txBegin may be called
on a superblock in a read-only mounted filesystem which leads
to NULL pointer deref. This could be solved by checking if
the filesystem is read-only before calling txBegin, and returning
with appropiate error code.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7225e9e09519deb7e0c42eb6070029cc456e84d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b4c144767736221cad92c132f72b3c6ed06a0ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a7d17d6bd7cd4f6940b335ea7a6fce5b6d22adc2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a3f20efe6c901d4c0871cfd1d8c65e2ade71fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e94d0d378d2754b26fc54b429582553f7b53e15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e5eb6c5ecd8ddb9cfea751cf30f9e23eac97ca3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd2db13fb72ff18c633a48229589d42ceb89d1f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47cfdc338d674d38f4b2f22b7612cc6a2763ba27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Fix null-ptr-deref Read in txBegin\n\n Syzkaller reported an issue where txBegin may be called\n on a superblock in a read-only mounted filesystem which leads\n to NULL pointer deref. This could be solved by checking if\n the filesystem is read-only before calling txBegin, and returning\n with appropiate error code."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:28.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7225e9e09519deb7e0c42eb6070029cc456e84d"
},
{
"url": "https://git.kernel.org/stable/c/1b4c144767736221cad92c132f72b3c6ed06a0ea"
},
{
"url": "https://git.kernel.org/stable/c/a7d17d6bd7cd4f6940b335ea7a6fce5b6d22adc2"
},
{
"url": "https://git.kernel.org/stable/c/2a3f20efe6c901d4c0871cfd1d8c65e2ade71fc1"
},
{
"url": "https://git.kernel.org/stable/c/3e94d0d378d2754b26fc54b429582553f7b53e15"
},
{
"url": "https://git.kernel.org/stable/c/3e5eb6c5ecd8ddb9cfea751cf30f9e23eac97ca3"
},
{
"url": "https://git.kernel.org/stable/c/fd2db13fb72ff18c633a48229589d42ceb89d1f8"
},
{
"url": "https://git.kernel.org/stable/c/47cfdc338d674d38f4b2f22b7612cc6a2763ba27"
}
],
"title": "FS: JFS: Fix null-ptr-deref Read in txBegin",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53457",
"datePublished": "2025-10-01T11:42:28.730Z",
"dateReserved": "2025-09-17T14:54:09.755Z",
"dateUpdated": "2025-10-01T11:42:28.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53708 (GCVE-0-2023-53708)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects
If a badly constructed firmware includes multiple `ACPI_TYPE_PACKAGE`
objects while evaluating the AMD LPS0 _DSM, there will be a memory
leak. Explicitly guard against this.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/x86/s2idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b7964cd9db30bc84808a40d13a0633b4313f149",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ea7e47807279369c82718efd2677ea25c6579e3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e8bbde9293151430884aed882a88eaa22298f72",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "883cf0d4cf288313b71146ddebdf5d647b76c78b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/x86/s2idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects\n\nIf a badly constructed firmware includes multiple `ACPI_TYPE_PACKAGE`\nobjects while evaluating the AMD LPS0 _DSM, there will be a memory\nleak. Explicitly guard against this."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:44.496Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b7964cd9db30bc84808a40d13a0633b4313f149"
},
{
"url": "https://git.kernel.org/stable/c/1ea7e47807279369c82718efd2677ea25c6579e3"
},
{
"url": "https://git.kernel.org/stable/c/9e8bbde9293151430884aed882a88eaa22298f72"
},
{
"url": "https://git.kernel.org/stable/c/883cf0d4cf288313b71146ddebdf5d647b76c78b"
}
],
"title": "ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53708",
"datePublished": "2025-10-22T13:23:44.496Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:44.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53288 (GCVE-0-2023-53288)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/client: Fix memory leak in drm_client_modeset_probe
When a new mode is set to modeset->mode, the previous mode should be freed.
This fixes the following kmemleak report:
drm_mode_duplicate+0x45/0x220 [drm]
drm_client_modeset_probe+0x944/0xf50 [drm]
__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
drm_client_register+0x169/0x240 [drm]
ast_pci_probe+0x142/0x190 [ast]
local_pci_probe+0xdc/0x180
work_for_cpu_fn+0x4e/0xa0
process_one_work+0x8b7/0x1540
worker_thread+0x70a/0xed0
kthread+0x29f/0x340
ret_from_fork+0x1f/0x30
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_client_modeset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d580017bdb9b3e930b6009e467e5e1589f8ca8a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f2a12f64347f535c6ef55fa7eb36a2874d69b59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1369d0c586ad44f2d18fe2f4cbc5bcb24132fa71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "917bef37cfaca07781c6fbaf6cd9404d27e64e6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8108a494639e56aea77e7196a1d6ea89792b9d4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2329cc7a101af1a844fbf706c0724c0baea38365",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_client_modeset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix memory leak in drm_client_modeset_probe\n\nWhen a new mode is set to modeset-\u003emode, the previous mode should be freed.\nThis fixes the following kmemleak report:\n\ndrm_mode_duplicate+0x45/0x220 [drm]\ndrm_client_modeset_probe+0x944/0xf50 [drm]\n__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]\ndrm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]\ndrm_client_register+0x169/0x240 [drm]\nast_pci_probe+0x142/0x190 [ast]\nlocal_pci_probe+0xdc/0x180\nwork_for_cpu_fn+0x4e/0xa0\nprocess_one_work+0x8b7/0x1540\nworker_thread+0x70a/0xed0\nkthread+0x29f/0x340\nret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:21.150Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d580017bdb9b3e930b6009e467e5e1589f8ca8a"
},
{
"url": "https://git.kernel.org/stable/c/5f2a12f64347f535c6ef55fa7eb36a2874d69b59"
},
{
"url": "https://git.kernel.org/stable/c/1369d0c586ad44f2d18fe2f4cbc5bcb24132fa71"
},
{
"url": "https://git.kernel.org/stable/c/917bef37cfaca07781c6fbaf6cd9404d27e64e6f"
},
{
"url": "https://git.kernel.org/stable/c/8108a494639e56aea77e7196a1d6ea89792b9d4a"
},
{
"url": "https://git.kernel.org/stable/c/2329cc7a101af1a844fbf706c0724c0baea38365"
}
],
"title": "drm/client: Fix memory leak in drm_client_modeset_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53288",
"datePublished": "2025-09-16T08:11:21.150Z",
"dateReserved": "2025-09-16T08:09:37.992Z",
"dateUpdated": "2025-09-16T08:11:21.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53721 (GCVE-0-2023-53721)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-30 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()
In ath12k_mac_op_hw_scan(), the return value of kzalloc() is directly
used in memcpy(), which may lead to a NULL pointer dereference on
failure of kzalloc().
Fix this bug by adding a check of arg.extraie.ptr.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a263df398b581189fe632b4ab8440f3dd76c251",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "8ad314da54c6dd223a6b6cc85019160aa842f659",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()\n\nIn ath12k_mac_op_hw_scan(), the return value of kzalloc() is directly\nused in memcpy(), which may lead to a NULL pointer dereference on\nfailure of kzalloc().\n\nFix this bug by adding a check of arg.extraie.ptr.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:08.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a263df398b581189fe632b4ab8440f3dd76c251"
},
{
"url": "https://git.kernel.org/stable/c/8ad314da54c6dd223a6b6cc85019160aa842f659"
}
],
"title": "wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53721",
"datePublished": "2025-10-22T13:23:52.699Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-30T19:33:08.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53516 (GCVE-0-2023-53516)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF
The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
broadcast cutoff") added one additional attribute named
IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutfoff.
However, it forgot to describe the nla_policy at macvlan_policy
(drivers/net/macvlan.c). Hence, this suppose NLA_S32 (4 bytes) integer
can be faked as empty (0 bytes) by a malicious user, which could leads
to OOB in heap just like CVE-2023-3773.
To fix it, this commit just completes the nla_policy description for
IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the
potential OOB read.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79f44709aa7a744fbfbadd4aef678443290c6991",
"status": "affected",
"version": "954d1fa1ac93aa8a66f7d9a9ba545cf7f020d348",
"versionType": "git"
},
{
"lessThan": "55cef78c244d0d076f5a75a35530ca63c92f4426",
"status": "affected",
"version": "954d1fa1ac93aa8a66f7d9a9ba545cf7f020d348",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF\n\nThe previous commit 954d1fa1ac93 (\"macvlan: Add netlink attribute for\nbroadcast cutoff\") added one additional attribute named\nIFLA_MACVLAN_BC_CUTOFF to allow broadcast cutfoff.\n\nHowever, it forgot to describe the nla_policy at macvlan_policy\n(drivers/net/macvlan.c). Hence, this suppose NLA_S32 (4 bytes) integer\ncan be faked as empty (0 bytes) by a malicious user, which could leads\nto OOB in heap just like CVE-2023-3773.\n\nTo fix it, this commit just completes the nla_policy description for\nIFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the\npotential OOB read."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:03.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79f44709aa7a744fbfbadd4aef678443290c6991"
},
{
"url": "https://git.kernel.org/stable/c/55cef78c244d0d076f5a75a35530ca63c92f4426"
}
],
"title": "macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53516",
"datePublished": "2025-10-01T11:46:03.878Z",
"dateReserved": "2025-10-01T11:39:39.406Z",
"dateUpdated": "2025-10-01T11:46:03.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53245 (GCVE-0-2023-53245)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
Hyper-V provides the ability to connect Fibre Channel LUNs to the host
system and present them in a guest VM as a SCSI device. I/O to the vFC
device is handled by the storvsc driver. The storvsc driver includes a
partial integration with the FC transport implemented in the generic
portion of the Linux SCSI subsystem so that FC attributes can be displayed
in /sys. However, the partial integration means that some aspects of vFC
don't work properly. Unfortunately, a full and correct integration isn't
practical because of limitations in what Hyper-V provides to the guest.
In particular, in the context of Hyper-V storvsc, the FC transport timeout
function fc_eh_timed_out() causes a kernel panic because it can't find the
rport and dereferences a NULL pointer. The original patch that added the
call from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this
regard.
In many cases a timeout is due to a transient condition, so the situation
can be improved by just continuing to wait like with other I/O requests
issued by storvsc, and avoiding the guaranteed panic. For a permanent
failure, continuing to wait may result in a hung thread instead of a panic,
which again may be better.
So fix the panic by removing the storvsc call to fc_eh_timed_out(). This
allows storvsc to keep waiting for a response. The change has been tested
by users who experienced a panic in fc_eh_timed_out() due to transient
timeouts, and it solves their problem.
In the future we may want to deprecate the vFC functionality in storvsc
since it can't be fully fixed. But it has current users for whom it is
working well enough, so it should probably stay for a while longer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 Version: 3930d7309807ba0bfa460dfa9ed68d5560347dd2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd87f4df9865a53807001ed12c0f0420b14ececd",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "311db605e07f0d4fc0cc7ddb74f1e5692ea2f469",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "048ebc9a28fb918ee635dd4b2fcf4248eb6e4050",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "1678408d08f31a694d5150a56796dd04c9710b22",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "7a792b3d888aab2c65389f9f4f9f2f6c000b1a0d",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "ed70fa5629a8b992a5372d7044d1db1f8fa6de29",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "763c06565055ae373fe7f89c11e1447bd1ded264",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
},
{
"lessThan": "175544ad48cbf56affeef2a679c6a4d4fb1e2881",
"status": "affected",
"version": "3930d7309807ba0bfa460dfa9ed68d5560347dd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix handling of virtual Fibre Channel timeouts\n\nHyper-V provides the ability to connect Fibre Channel LUNs to the host\nsystem and present them in a guest VM as a SCSI device. I/O to the vFC\ndevice is handled by the storvsc driver. The storvsc driver includes a\npartial integration with the FC transport implemented in the generic\nportion of the Linux SCSI subsystem so that FC attributes can be displayed\nin /sys. However, the partial integration means that some aspects of vFC\ndon\u0027t work properly. Unfortunately, a full and correct integration isn\u0027t\npractical because of limitations in what Hyper-V provides to the guest.\n\nIn particular, in the context of Hyper-V storvsc, the FC transport timeout\nfunction fc_eh_timed_out() causes a kernel panic because it can\u0027t find the\nrport and dereferences a NULL pointer. The original patch that added the\ncall from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this\nregard.\n\nIn many cases a timeout is due to a transient condition, so the situation\ncan be improved by just continuing to wait like with other I/O requests\nissued by storvsc, and avoiding the guaranteed panic. For a permanent\nfailure, continuing to wait may result in a hung thread instead of a panic,\nwhich again may be better.\n\nSo fix the panic by removing the storvsc call to fc_eh_timed_out(). This\nallows storvsc to keep waiting for a response. The change has been tested\nby users who experienced a panic in fc_eh_timed_out() due to transient\ntimeouts, and it solves their problem.\n\nIn the future we may want to deprecate the vFC functionality in storvsc\nsince it can\u0027t be fully fixed. But it has current users for whom it is\nworking well enough, so it should probably stay for a while longer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:14.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd87f4df9865a53807001ed12c0f0420b14ececd"
},
{
"url": "https://git.kernel.org/stable/c/311db605e07f0d4fc0cc7ddb74f1e5692ea2f469"
},
{
"url": "https://git.kernel.org/stable/c/048ebc9a28fb918ee635dd4b2fcf4248eb6e4050"
},
{
"url": "https://git.kernel.org/stable/c/1678408d08f31a694d5150a56796dd04c9710b22"
},
{
"url": "https://git.kernel.org/stable/c/7a792b3d888aab2c65389f9f4f9f2f6c000b1a0d"
},
{
"url": "https://git.kernel.org/stable/c/ed70fa5629a8b992a5372d7044d1db1f8fa6de29"
},
{
"url": "https://git.kernel.org/stable/c/763c06565055ae373fe7f89c11e1447bd1ded264"
},
{
"url": "https://git.kernel.org/stable/c/175544ad48cbf56affeef2a679c6a4d4fb1e2881"
}
],
"title": "scsi: storvsc: Fix handling of virtual Fibre Channel timeouts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53245",
"datePublished": "2025-09-15T14:46:14.280Z",
"dateReserved": "2025-09-15T14:19:21.848Z",
"dateUpdated": "2025-09-15T14:46:14.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50561 (GCVE-0-2022-50561)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: fix memory leak in iio_device_register_eventset()
When iio_device_register_sysfs_group() returns failed,
iio_device_register_eventset() needs to free attrs array.
Otherwise, kmemleak would scan & report memory leak as below:
unreferenced object 0xffff88810a1cc3c0 (size 32):
comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s)
backtrace:
__kmalloc+0x46/0x1b0
iio_device_register_eventset at drivers/iio/industrialio-event.c:541
__iio_device_register at drivers/iio/industrialio-core.c:1959
__devm_iio_device_register at drivers/iio/industrialio-core.c:2040
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc6afd6070f3a5b086c8c5cfa6ded63ae44494da",
"status": "affected",
"version": "32f171724e5cbecc80594fb6eced057cfdd6eb6f",
"versionType": "git"
},
{
"lessThan": "5de3add7509c95685f1185683b817dd206c4b1f1",
"status": "affected",
"version": "32f171724e5cbecc80594fb6eced057cfdd6eb6f",
"versionType": "git"
},
{
"lessThan": "a154b1c139fbf6a49762159be81d425d41ceec87",
"status": "affected",
"version": "32f171724e5cbecc80594fb6eced057cfdd6eb6f",
"versionType": "git"
},
{
"lessThan": "86fdd15e10e404e70ecb2a3bff24d70356d42b36",
"status": "affected",
"version": "32f171724e5cbecc80594fb6eced057cfdd6eb6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: fix memory leak in iio_device_register_eventset()\n\nWhen iio_device_register_sysfs_group() returns failed,\niio_device_register_eventset() needs to free attrs array.\n\nOtherwise, kmemleak would scan \u0026 report memory leak as below:\n\nunreferenced object 0xffff88810a1cc3c0 (size 32):\n comm \"100-i2c-vcnl302\", pid 728, jiffies 4295052307 (age 156.027s)\n backtrace:\n __kmalloc+0x46/0x1b0\n iio_device_register_eventset at drivers/iio/industrialio-event.c:541\n __iio_device_register at drivers/iio/industrialio-core.c:1959\n __devm_iio_device_register at drivers/iio/industrialio-core.c:2040"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:20.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc6afd6070f3a5b086c8c5cfa6ded63ae44494da"
},
{
"url": "https://git.kernel.org/stable/c/5de3add7509c95685f1185683b817dd206c4b1f1"
},
{
"url": "https://git.kernel.org/stable/c/a154b1c139fbf6a49762159be81d425d41ceec87"
},
{
"url": "https://git.kernel.org/stable/c/86fdd15e10e404e70ecb2a3bff24d70356d42b36"
}
],
"title": "iio: fix memory leak in iio_device_register_eventset()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50561",
"datePublished": "2025-10-22T13:23:20.802Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:20.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53220 (GCVE-0-2023-53220)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach az6007_i2c_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/az6007.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6763fefa267f6e62595a6ac1f57815d99fc90b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "adcb73f8ce9aec48b1f85223f401c1574015d8d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "991c77fe18c6f374bbf83376f8c42550aa565662",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9def3e9718a4dc756f48db147d42ec41a966240",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b1ea100ad3695025969dc4693f307877fb688d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ab7ea4e17d6a605d05308adf8f3408924770cba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1110f19d4940e4185251d072cbb0ff51486a1e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1047f9343011f2cedc73c64829686206a7e9fc3f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/az6007.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: az6007: Fix null-ptr-deref in az6007_i2c_xfer()\n\nIn az6007_i2c_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach az6007_i2c_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:49.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6763fefa267f6e62595a6ac1f57815d99fc90b7"
},
{
"url": "https://git.kernel.org/stable/c/adcb73f8ce9aec48b1f85223f401c1574015d8d2"
},
{
"url": "https://git.kernel.org/stable/c/991c77fe18c6f374bbf83376f8c42550aa565662"
},
{
"url": "https://git.kernel.org/stable/c/a9def3e9718a4dc756f48db147d42ec41a966240"
},
{
"url": "https://git.kernel.org/stable/c/5b1ea100ad3695025969dc4693f307877fb688d6"
},
{
"url": "https://git.kernel.org/stable/c/6ab7ea4e17d6a605d05308adf8f3408924770cba"
},
{
"url": "https://git.kernel.org/stable/c/a1110f19d4940e4185251d072cbb0ff51486a1e7"
},
{
"url": "https://git.kernel.org/stable/c/1047f9343011f2cedc73c64829686206a7e9fc3f"
}
],
"title": "media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53220",
"datePublished": "2025-09-15T14:21:49.075Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2025-09-15T14:21:49.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50264 (GCVE-0-2024-50264)
Vulnerability from cvelistv5
Published
2024-11-19 01:29
Modified
2025-11-03 22:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
During loopback communication, a dangling pointer can be created in
vsk->trans, potentially leading to a Use-After-Free condition. This
issue is resolved by initializing vsk->trans to NULL.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:48:50.387406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:32.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:27:43.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f092a4271f6dccf88fe0d132475a17b69ef71df",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "fd8ae346692a56b4437d626c5460c7104980f389",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "2a6a4e69f255b7aed17f93995691ab4f0d3c2203",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "44d29897eafd0e1196453d3003a4d5e0b968eeab",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "b110196fec44fe966952004bd426967c2a8fd358",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "5f970935d09934222fdef3d0e20c648ea7a963c1",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Initialization of the dangling pointer occurring in vsk-\u003etrans\n\nDuring loopback communication, a dangling pointer can be created in\nvsk-\u003etrans, potentially leading to a Use-After-Free condition. This\nissue is resolved by initializing vsk-\u003etrans to NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:51:46.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f092a4271f6dccf88fe0d132475a17b69ef71df"
},
{
"url": "https://git.kernel.org/stable/c/fd8ae346692a56b4437d626c5460c7104980f389"
},
{
"url": "https://git.kernel.org/stable/c/eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1"
},
{
"url": "https://git.kernel.org/stable/c/2a6a4e69f255b7aed17f93995691ab4f0d3c2203"
},
{
"url": "https://git.kernel.org/stable/c/44d29897eafd0e1196453d3003a4d5e0b968eeab"
},
{
"url": "https://git.kernel.org/stable/c/b110196fec44fe966952004bd426967c2a8fd358"
},
{
"url": "https://git.kernel.org/stable/c/5f970935d09934222fdef3d0e20c648ea7a963c1"
},
{
"url": "https://git.kernel.org/stable/c/6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f"
},
{
"url": "https://a13xp0p0v.github.io/2025/09/02/kernel-hack-drill-and-CVE-2024-50264.html"
}
],
"title": "vsock/virtio: Initialization of the dangling pointer occurring in vsk-\u003etrans",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50264",
"datePublished": "2024-11-19T01:29:59.511Z",
"dateReserved": "2024-10-21T19:36:19.982Z",
"dateUpdated": "2025-11-03T22:27:43.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39988 (GCVE-0-2025-39988)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the etas_es58x driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, es58x_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN(FD)
frame.
This can result in a buffer overflow. For example, using the es581.4
variant, the frame will be dispatched to es581_4_tx_can_msg(), go
through the last check at the beginning of this function:
if (can_is_canfd_skb(skb))
return -EMSGSIZE;
and reach this line:
memcpy(tx_can_msg->data, cf->data, cf->len);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU or
CANFD_MTU (depending on the device capabilities). By fixing the root
cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72de0facc50afdb101fb7197d880407f1abfc77f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "c4e582e686c4d683c87f2b4a316385b3d81d370f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "cbc1de71766f326a44bb798aeae4a7ef4a081cc9",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b26cccd87dcddc47b450a40f3b1ac3fe346efcff",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "e587af2c89ecc6382c518febea52fa9ba81e47c0",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "38c0abad45b190a30d8284a37264d2127a6ec303",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the etas_es58x driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, es58x_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN(FD)\nframe.\n\nThis can result in a buffer overflow. For example, using the es581.4\nvariant, the frame will be dispatched to es581_4_tx_can_msg(), go\nthrough the last check at the beginning of this function:\n\n\tif (can_is_canfd_skb(skb))\n\t\treturn -EMSGSIZE;\n\nand reach this line:\n\n\tmemcpy(tx_can_msg-\u003edata, cf-\u003edata, cf-\u003elen);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU or\nCANFD_MTU (depending on the device capabilities). By fixing the root\ncause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:06.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72de0facc50afdb101fb7197d880407f1abfc77f"
},
{
"url": "https://git.kernel.org/stable/c/c4e582e686c4d683c87f2b4a316385b3d81d370f"
},
{
"url": "https://git.kernel.org/stable/c/cbc1de71766f326a44bb798aeae4a7ef4a081cc9"
},
{
"url": "https://git.kernel.org/stable/c/b26cccd87dcddc47b450a40f3b1ac3fe346efcff"
},
{
"url": "https://git.kernel.org/stable/c/e587af2c89ecc6382c518febea52fa9ba81e47c0"
},
{
"url": "https://git.kernel.org/stable/c/38c0abad45b190a30d8284a37264d2127a6ec303"
}
],
"title": "can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39988",
"datePublished": "2025-10-15T07:56:06.601Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:06.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53733 (GCVE-0-2023-53733)
Vulnerability from cvelistv5
Published
2025-10-24 11:44
Modified
2025-10-24 11:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode
When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter
operation done at u32_set_parms.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9345793469b65ee5ba7b033239916c2a67d3dd4",
"status": "affected",
"version": "d34e3e181395192d6d1f50dd97bd7854e04e33a4",
"versionType": "git"
},
{
"lessThan": "025159ed118ba5145b241d574edadb0e00d3c20f",
"status": "affected",
"version": "d34e3e181395192d6d1f50dd97bd7854e04e33a4",
"versionType": "git"
},
{
"lessThan": "9cb36faedeafb9720ac236aeae2ea57091d90a09",
"status": "affected",
"version": "d34e3e181395192d6d1f50dd97bd7854e04e33a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode\n\nWhen u32_replace_hw_knode fails, we need to undo the tcf_bind_filter\noperation done at u32_set_parms."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T11:44:28.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9345793469b65ee5ba7b033239916c2a67d3dd4"
},
{
"url": "https://git.kernel.org/stable/c/025159ed118ba5145b241d574edadb0e00d3c20f"
},
{
"url": "https://git.kernel.org/stable/c/9cb36faedeafb9720ac236aeae2ea57091d90a09"
}
],
"title": "net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53733",
"datePublished": "2025-10-24T11:44:28.115Z",
"dateReserved": "2025-10-22T13:21:37.350Z",
"dateUpdated": "2025-10-24T11:44:28.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53520 (GCVE-0-2023-53520)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix hci_suspend_sync crash
If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier
may still be accessing it, it can cause the program to crash.
Here's the call trace:
<4>[102152.653246] Call Trace:
<4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]
<4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]
<4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]
<4>[102152.653268] notifier_call_chain+0x43/0x6b
<4>[102152.653271] __blocking_notifier_call_chain+0x48/0x69
<4>[102152.653273] __pm_notifier_call_chain+0x22/0x39
<4>[102152.653276] pm_suspend+0x287/0x57c
<4>[102152.653278] state_store+0xae/0xe5
<4>[102152.653281] kernfs_fop_write+0x109/0x173
<4>[102152.653284] __vfs_write+0x16f/0x1a2
<4>[102152.653287] ? selinux_file_permission+0xca/0x16f
<4>[102152.653289] ? security_file_permission+0x36/0x109
<4>[102152.653291] vfs_write+0x114/0x21d
<4>[102152.653293] __x64_sys_write+0x7b/0xdb
<4>[102152.653296] do_syscall_64+0x59/0x194
<4>[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
This patch holds the reference count of the hci_dev object while
processing it in hci_suspend_notifier to avoid potential crash
caused by the race condition.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06e2b5ad72b60f90bfe565c201346532e271f484",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9c8ce5d665653e3cf71a76349d41d7a7f7947e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "573ebae162111063eedc6c838a659ba628f66a0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix hci_suspend_sync crash\n\nIf hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier\nmay still be accessing it, it can cause the program to crash.\nHere\u0027s the call trace:\n \u003c4\u003e[102152.653246] Call Trace:\n \u003c4\u003e[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]\n \u003c4\u003e[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]\n \u003c4\u003e[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]\n \u003c4\u003e[102152.653268] notifier_call_chain+0x43/0x6b\n \u003c4\u003e[102152.653271] __blocking_notifier_call_chain+0x48/0x69\n \u003c4\u003e[102152.653273] __pm_notifier_call_chain+0x22/0x39\n \u003c4\u003e[102152.653276] pm_suspend+0x287/0x57c\n \u003c4\u003e[102152.653278] state_store+0xae/0xe5\n \u003c4\u003e[102152.653281] kernfs_fop_write+0x109/0x173\n \u003c4\u003e[102152.653284] __vfs_write+0x16f/0x1a2\n \u003c4\u003e[102152.653287] ? selinux_file_permission+0xca/0x16f\n \u003c4\u003e[102152.653289] ? security_file_permission+0x36/0x109\n \u003c4\u003e[102152.653291] vfs_write+0x114/0x21d\n \u003c4\u003e[102152.653293] __x64_sys_write+0x7b/0xdb\n \u003c4\u003e[102152.653296] do_syscall_64+0x59/0x194\n \u003c4\u003e[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1\n\nThis patch holds the reference count of the hci_dev object while\nprocessing it in hci_suspend_notifier to avoid potential crash\ncaused by the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:07.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06e2b5ad72b60f90bfe565c201346532e271f484"
},
{
"url": "https://git.kernel.org/stable/c/f9c8ce5d665653e3cf71a76349d41d7a7f7947e6"
},
{
"url": "https://git.kernel.org/stable/c/573ebae162111063eedc6c838a659ba628f66a0f"
}
],
"title": "Bluetooth: Fix hci_suspend_sync crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53520",
"datePublished": "2025-10-01T11:46:07.355Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:07.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50560 (GCVE-0-2022-50560)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/meson: explicitly remove aggregate driver at module unload time
Because component_master_del wasn't being called when unloading the
meson_drm module, the aggregate device would linger forever in the global
aggregate_devices list. That means when unloading and reloading the
meson_dw_hdmi module, component_add would call into
try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate
device.
This would in turn dereference some of the aggregate_device's struct
entries which point to memory automatically freed by the devres API when
unbinding the aggregate device from meson_drv_unbind, and trigger an
use-after-free bug:
[ +0.000014] =============================================================
[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500
[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536
[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000005] dump_backtrace+0x1ec/0x280
[ +0.000011] show_stack+0x24/0x80
[ +0.000007] dump_stack_lvl+0x98/0xd4
[ +0.000010] print_address_description.constprop.0+0x80/0x520
[ +0.000011] print_report+0x128/0x260
[ +0.000007] kasan_report+0xb8/0xfc
[ +0.000007] __asan_report_load8_noabort+0x3c/0x50
[ +0.000009] find_components+0x468/0x500
[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390
[ +0.000009] __component_add+0x1dc/0x49c
[ +0.000009] component_add+0x20/0x30
[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]
[ +0.000013] platform_probe+0xd0/0x220
[ +0.000008] really_probe+0x3ac/0xa80
[ +0.000008] __driver_probe_device+0x1f8/0x400
[ +0.000008] driver_probe_device+0x68/0x1b0
[ +0.000008] __driver_attach+0x20c/0x480
[ +0.000009] bus_for_each_dev+0x114/0x1b0
[ +0.000007] driver_attach+0x48/0x64
[ +0.000009] bus_add_driver+0x390/0x564
[ +0.000007] driver_register+0x1a8/0x3e4
[ +0.000009] __platform_driver_register+0x6c/0x94
[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]
[ +0.000014] do_one_initcall+0xc4/0x2b0
[ +0.000008] do_init_module+0x154/0x570
[ +0.000010] load_module+0x1a78/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000008] __arm64_sys_init_module+0x78/0xb0
[ +0.000008] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000008] el0_svc+0x68/0x1a0
[ +0.000009] el0t_64_sync_handler+0x11c/0x150
[ +0.000009] el0t_64_sync+0x18c/0x190
[ +0.000014] Allocated by task 902:
[ +0.000007] kasan_save_stack+0x2c/0x5c
[ +0.000009] __kasan_kmalloc+0x90/0xd0
[ +0.000007] __kmalloc_node+0x240/0x580
[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac
[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0
[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490
[ +0.000009] __alloc_skb+0x1d4/0x310
[ +0.000010] alloc_skb_with_frags+0x8c/0x620
[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0
[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0
[ +0.000010] sock_sendmsg+0xcc/0x110
[ +0.000007] sock_write_iter+0x1d0/0x304
[ +0.000008] new_sync_write+0x364/0x460
[ +0.000007] vfs_write+0x420/0x5ac
[ +0.000008] ksys_write+0x19c/0x1f0
[ +0.000008] __arm64_sys_write+0x78/0xb0
[ +0.000007] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000008] el0t_64_sync_handler+0x11c/0x150
[ +0.000008] el0t_64_sync+0x18c/0x190
[ +0.000013] Freed by task 2509:
[ +0.000008] kasan_save_stack+0x2c/0x5c
[ +0.000007] kasan_set_track+0x2c/0x40
[ +0.000008] kasan_set_free_info+0x28/0x50
[ +0.000008] ____kasan_slab_free+0x128/0x1d4
[ +0.000008] __kasan_slab_free+0x18/0x24
[ +0.000007] slab_free_freelist_hook+0x108/0x230
[ +0.000010]
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/meson/meson_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a427a22839daacd36531a62c83d5c9cd6f20657",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "587c7da877219e6185217bf64418e62e114dab1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f11aa996fc01888f870be0e79ba71526888c0d8a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ef20de2fe0ee1decedbfabb17782897ca27bfe5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8616f2a0589a80e08434212324250eb22f6a66ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/meson/meson_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn\u0027t being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device\u0027s struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[ +0.000014] =============================================================\n[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000005] dump_backtrace+0x1ec/0x280\n[ +0.000011] show_stack+0x24/0x80\n[ +0.000007] dump_stack_lvl+0x98/0xd4\n[ +0.000010] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000007] kasan_report+0xb8/0xfc\n[ +0.000007] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] find_components+0x468/0x500\n[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390\n[ +0.000009] __component_add+0x1dc/0x49c\n[ +0.000009] component_add+0x20/0x30\n[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[ +0.000013] platform_probe+0xd0/0x220\n[ +0.000008] really_probe+0x3ac/0xa80\n[ +0.000008] __driver_probe_device+0x1f8/0x400\n[ +0.000008] driver_probe_device+0x68/0x1b0\n[ +0.000008] __driver_attach+0x20c/0x480\n[ +0.000009] bus_for_each_dev+0x114/0x1b0\n[ +0.000007] driver_attach+0x48/0x64\n[ +0.000009] bus_add_driver+0x390/0x564\n[ +0.000007] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[ +0.000014] do_one_initcall+0xc4/0x2b0\n[ +0.000008] do_init_module+0x154/0x570\n[ +0.000010] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000008] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64_sync+0x18c/0x190\n\n[ +0.000014] Allocated by task 902:\n[ +0.000007] kasan_save_stack+0x2c/0x5c\n[ +0.000009] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc_node+0x240/0x580\n[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac\n[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0\n[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490\n[ +0.000009] __alloc_skb+0x1d4/0x310\n[ +0.000010] alloc_skb_with_frags+0x8c/0x620\n[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0\n[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0\n[ +0.000010] sock_sendmsg+0xcc/0x110\n[ +0.000007] sock_write_iter+0x1d0/0x304\n[ +0.000008] new_sync_write+0x364/0x460\n[ +0.000007] vfs_write+0x420/0x5ac\n[ +0.000008] ksys_write+0x19c/0x1f0\n[ +0.000008] __arm64_sys_write+0x78/0xb0\n[ +0.000007] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000008] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000013] Freed by task 2509:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000007] kasan_set_track+0x2c/0x40\n[ +0.000008] kasan_set_free_info+0x28/0x50\n[ +0.000008] ____kasan_slab_free+0x128/0x1d4\n[ +0.000008] __kasan_slab_free+0x18/0x24\n[ +0.000007] slab_free_freelist_hook+0x108/0x230\n[ +0.000010] \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:20.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657"
},
{
"url": "https://git.kernel.org/stable/c/587c7da877219e6185217bf64418e62e114dab1e"
},
{
"url": "https://git.kernel.org/stable/c/f11aa996fc01888f870be0e79ba71526888c0d8a"
},
{
"url": "https://git.kernel.org/stable/c/6ef20de2fe0ee1decedbfabb17782897ca27bfe5"
},
{
"url": "https://git.kernel.org/stable/c/8616f2a0589a80e08434212324250eb22f6a66ce"
}
],
"title": "drm/meson: explicitly remove aggregate driver at module unload time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50560",
"datePublished": "2025-10-22T13:23:20.117Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:20.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50490 (GCVE-0-2022-50490)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Propagate error from htab_lock_bucket() to userspace
In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns
-EBUSY, it will go to next bucket. Going to next bucket may not only
skip the elements in current bucket silently, but also incur
out-of-bound memory access or expose kernel memory to userspace if
current bucket_cnt is greater than bucket_size or zero.
Fixing it by stopping batch operation and returning -EBUSY when
htab_lock_bucket() fails, and the application can retry or skip the busy
batch as needed.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e13425104903970a5ede853082d3bbb4edec6f3",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "6bfee6eb3d6b96ae730a542909dd22b5f9f50d58",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
},
{
"lessThan": "66a7a92e4d0d091e79148a4c6ec15d1da65f4280",
"status": "affected",
"version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Propagate error from htab_lock_bucket() to userspace\n\nIn __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns\n-EBUSY, it will go to next bucket. Going to next bucket may not only\nskip the elements in current bucket silently, but also incur\nout-of-bound memory access or expose kernel memory to userspace if\ncurrent bucket_cnt is greater than bucket_size or zero.\n\nFixing it by stopping batch operation and returning -EBUSY when\nhtab_lock_bucket() fails, and the application can retry or skip the busy\nbatch as needed."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:43.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e13425104903970a5ede853082d3bbb4edec6f3"
},
{
"url": "https://git.kernel.org/stable/c/6bfee6eb3d6b96ae730a542909dd22b5f9f50d58"
},
{
"url": "https://git.kernel.org/stable/c/4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d"
},
{
"url": "https://git.kernel.org/stable/c/66a7a92e4d0d091e79148a4c6ec15d1da65f4280"
}
],
"title": "bpf: Propagate error from htab_lock_bucket() to userspace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50490",
"datePublished": "2025-10-04T15:43:43.790Z",
"dateReserved": "2025-10-04T15:39:19.463Z",
"dateUpdated": "2025-10-04T15:43:43.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53170 (GCVE-0-2023-53170)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: Removed unneeded of_node_put in felix_parse_ports_node
Remove unnecessary of_node_put from the continue path to prevent
child node from being released twice, which could avoid resource
leak or other unexpected issues.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ead10b44b79ce8bfcd51e749d54e009de5f511a",
"status": "affected",
"version": "de879a016a94a670fafeb3eb03b3d5803d81ab37",
"versionType": "git"
},
{
"lessThan": "04499f28b40bfc24f20b0e2331008bb90a54a6cf",
"status": "affected",
"version": "de879a016a94a670fafeb3eb03b3d5803d81ab37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: Removed unneeded of_node_put in felix_parse_ports_node\n\nRemove unnecessary of_node_put from the continue path to prevent\nchild node from being released twice, which could avoid resource\nleak or other unexpected issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:03.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ead10b44b79ce8bfcd51e749d54e009de5f511a"
},
{
"url": "https://git.kernel.org/stable/c/04499f28b40bfc24f20b0e2331008bb90a54a6cf"
}
],
"title": "net: dsa: Removed unneeded of_node_put in felix_parse_ports_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53170",
"datePublished": "2025-09-15T14:04:03.446Z",
"dateReserved": "2025-09-15T13:59:19.064Z",
"dateUpdated": "2025-09-15T14:04:03.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53523 (GCVE-0-2023-53523)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: fix time stamp counter initialization
If the gs_usb device driver is unloaded (or unbound) before the
interface is shut down, the USB stack first calls the struct
usb_driver::disconnect and then the struct net_device_ops::ndo_stop
callback.
In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more
RX'ed CAN frames are send from the USB device to the host. Later in
gs_can_close() a reset control message is send to each CAN channel to
remove the controller from the CAN bus. In this race window the USB
device can still receive CAN frames from the bus and internally queue
them to be send to the host.
At least in the current version of the candlelight firmware, the queue
of received CAN frames is not emptied during the reset command. After
loading (or binding) the gs_usb driver, new URBs are submitted during
the struct net_device_ops::ndo_open callback and the candlelight
firmware starts sending its already queued CAN frames to the host.
However, this scenario was not considered when implementing the
hardware timestamp function. The cycle counter/time counter
infrastructure is set up (gs_usb_timestamp_init()) after the USBs are
submitted, resulting in a NULL pointer dereference if
timecounter_cyc2time() (via the call chain:
gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() ->
gs_usb_skb_set_timestamp()) is called too early.
Move the gs_usb_timestamp_init() function before the URBs are
submitted to fix this problem.
For a comprehensive solution, we need to consider gs_usb devices with
more than 1 channel. The cycle counter/time counter infrastructure is
setup per channel, but the RX URBs are per device. Once gs_can_open()
of _a_ channel has been called, and URBs have been submitted, the
gs_usb_receive_bulk_callback() can be called for _all_ available
channels, even for channels that are not running, yet. As cycle
counter/time counter has not set up, this will again lead to a NULL
pointer dereference.
Convert the cycle counter/time counter from a "per channel" to a "per
device" functionality. Also set it up, before submitting any URBs to
the device.
Further in gs_usb_receive_bulk_callback(), don't process any URBs for
not started CAN channels, only resubmit the URB.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "210a8cffc9c1b044281c0a868485c870c9c11374",
"status": "affected",
"version": "45dfa45f52e66f8eee30a64b16550a9c47915044",
"versionType": "git"
},
{
"lessThan": "5886e4d5ecec3e22844efed90b2dd383ef804b3a",
"status": "affected",
"version": "45dfa45f52e66f8eee30a64b16550a9c47915044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: fix time stamp counter initialization\n\nIf the gs_usb device driver is unloaded (or unbound) before the\ninterface is shut down, the USB stack first calls the struct\nusb_driver::disconnect and then the struct net_device_ops::ndo_stop\ncallback.\n\nIn gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more\nRX\u0027ed CAN frames are send from the USB device to the host. Later in\ngs_can_close() a reset control message is send to each CAN channel to\nremove the controller from the CAN bus. In this race window the USB\ndevice can still receive CAN frames from the bus and internally queue\nthem to be send to the host.\n\nAt least in the current version of the candlelight firmware, the queue\nof received CAN frames is not emptied during the reset command. After\nloading (or binding) the gs_usb driver, new URBs are submitted during\nthe struct net_device_ops::ndo_open callback and the candlelight\nfirmware starts sending its already queued CAN frames to the host.\n\nHowever, this scenario was not considered when implementing the\nhardware timestamp function. The cycle counter/time counter\ninfrastructure is set up (gs_usb_timestamp_init()) after the USBs are\nsubmitted, resulting in a NULL pointer dereference if\ntimecounter_cyc2time() (via the call chain:\ngs_usb_receive_bulk_callback() -\u003e gs_usb_set_timestamp() -\u003e\ngs_usb_skb_set_timestamp()) is called too early.\n\nMove the gs_usb_timestamp_init() function before the URBs are\nsubmitted to fix this problem.\n\nFor a comprehensive solution, we need to consider gs_usb devices with\nmore than 1 channel. The cycle counter/time counter infrastructure is\nsetup per channel, but the RX URBs are per device. Once gs_can_open()\nof _a_ channel has been called, and URBs have been submitted, the\ngs_usb_receive_bulk_callback() can be called for _all_ available\nchannels, even for channels that are not running, yet. As cycle\ncounter/time counter has not set up, this will again lead to a NULL\npointer dereference.\n\nConvert the cycle counter/time counter from a \"per channel\" to a \"per\ndevice\" functionality. Also set it up, before submitting any URBs to\nthe device.\n\nFurther in gs_usb_receive_bulk_callback(), don\u0027t process any URBs for\nnot started CAN channels, only resubmit the URB."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:09.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/210a8cffc9c1b044281c0a868485c870c9c11374"
},
{
"url": "https://git.kernel.org/stable/c/5886e4d5ecec3e22844efed90b2dd383ef804b3a"
}
],
"title": "can: gs_usb: fix time stamp counter initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53523",
"datePublished": "2025-10-01T11:46:09.632Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:09.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50489 (GCVE-0-2022-50489)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mipi-dsi: Detach devices when removing the host
Whenever the MIPI-DSI host is unregistered, the code of
mipi_dsi_host_unregister() loops over every device currently found on that
bus and will unregister it.
However, it doesn't detach it from the bus first, which leads to all kind
of resource leaks if the host wants to perform some clean up whenever a
device is detached.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 Version: 068a00233969833f1ba925e7627797489efd6041 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_mipi_dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c202cda08cd5693645d4990ad1eb2e8068a884ec",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "262364574b05676d4b9ebde2ddd3588cd2efd8ce",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "95ae458209f5a556bba98aff872f933694914eb7",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "8242167cfc83dd7e4c96f44b45f108db9bb88146",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "45120fa5e522d444e3fc1c5a9afc5d53eed91d00",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "26c1b4cfe56f040f71a51c92da1f4cac2e3b9455",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "353ab1c13fdd6e524edde780235a8ce9b892c81c",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "6fc2cd40db1969ba372ce9536dcfcdb87271eac4",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
},
{
"lessThan": "668a8f17b5290d04ef7343636a5588a0692731a1",
"status": "affected",
"version": "068a00233969833f1ba925e7627797489efd6041",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_mipi_dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mipi-dsi: Detach devices when removing the host\n\nWhenever the MIPI-DSI host is unregistered, the code of\nmipi_dsi_host_unregister() loops over every device currently found on that\nbus and will unregister it.\n\nHowever, it doesn\u0027t detach it from the bus first, which leads to all kind\nof resource leaks if the host wants to perform some clean up whenever a\ndevice is detached."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:43.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c202cda08cd5693645d4990ad1eb2e8068a884ec"
},
{
"url": "https://git.kernel.org/stable/c/262364574b05676d4b9ebde2ddd3588cd2efd8ce"
},
{
"url": "https://git.kernel.org/stable/c/95ae458209f5a556bba98aff872f933694914eb7"
},
{
"url": "https://git.kernel.org/stable/c/8242167cfc83dd7e4c96f44b45f108db9bb88146"
},
{
"url": "https://git.kernel.org/stable/c/45120fa5e522d444e3fc1c5a9afc5d53eed91d00"
},
{
"url": "https://git.kernel.org/stable/c/26c1b4cfe56f040f71a51c92da1f4cac2e3b9455"
},
{
"url": "https://git.kernel.org/stable/c/353ab1c13fdd6e524edde780235a8ce9b892c81c"
},
{
"url": "https://git.kernel.org/stable/c/6fc2cd40db1969ba372ce9536dcfcdb87271eac4"
},
{
"url": "https://git.kernel.org/stable/c/668a8f17b5290d04ef7343636a5588a0692731a1"
}
],
"title": "drm/mipi-dsi: Detach devices when removing the host",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50489",
"datePublished": "2025-10-04T15:43:43.124Z",
"dateReserved": "2025-10-04T15:13:33.469Z",
"dateUpdated": "2025-10-04T15:43:43.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53263 (GCVE-0-2023-53263)
Vulnerability from cvelistv5
Published
2025-09-16 08:06
Modified
2025-09-16 08:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
We can't simply free the connector after calling drm_connector_init on it.
We need to clean up the drm side first.
It might not fix all regressions from commit 2b5d1c29f6c4
("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"),
but at least it fixes a memory corruption in error handling related to
that commit.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_connector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f27451c9f29d5ed00232968680c7838a44dcac7",
"status": "affected",
"version": "95983aea80038539ebc70e41e73e9bb4eabd1a92",
"versionType": "git"
},
{
"lessThan": "872feeecd08c81d212a52211d212897b8a857544",
"status": "affected",
"version": "95983aea80038539ebc70e41e73e9bb4eabd1a92",
"versionType": "git"
},
{
"lessThan": "1b254b791d7b7dea6e8adc887fbbd51746d8bb27",
"status": "affected",
"version": "95983aea80038539ebc70e41e73e9bb4eabd1a92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_connector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create\n\nWe can\u0027t simply free the connector after calling drm_connector_init on it.\nWe need to clean up the drm side first.\n\nIt might not fix all regressions from commit 2b5d1c29f6c4\n(\"drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts\"),\nbut at least it fixes a memory corruption in error handling related to\nthat commit."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:06:53.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f27451c9f29d5ed00232968680c7838a44dcac7"
},
{
"url": "https://git.kernel.org/stable/c/872feeecd08c81d212a52211d212897b8a857544"
},
{
"url": "https://git.kernel.org/stable/c/1b254b791d7b7dea6e8adc887fbbd51746d8bb27"
}
],
"title": "drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53263",
"datePublished": "2025-09-16T08:06:53.994Z",
"dateReserved": "2025-09-16T08:05:12.514Z",
"dateUpdated": "2025-09-16T08:06:53.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39686 (GCVE-0-2025-39686)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Make insn_rw_emulate_bits() do insn->n samples
The `insn_rw_emulate_bits()` function is used as a default handler for
`INSN_READ` instructions for subdevices that have a handler for
`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default
handler for `INSN_WRITE` instructions for subdevices that have a handler
for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the
`INSN_READ` or `INSN_WRITE` instruction handling with a constructed
`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`
instructions are supposed to be able read or write multiple samples,
indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently
only handles a single sample. For `INSN_READ`, the comedi core will
copy `insn->n` samples back to user-space. (That triggered KASAN
kernel-infoleak errors when `insn->n` was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return
an error, to conform to the general expectation for `INSN_READ` and
`INSN_WRITE` handlers.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:18.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab77e85bd3bc006ef40738f26f446a660813da44",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "842f307a1d115b24f2bcb2415c4e344f11f55930",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "92352ed2f9ac422181e381c2430c2d0dfb46faa0",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "dc0a2f142d655700db43de90cb6abf141b73d908",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "7afba9221f70d4cbce0f417c558879cba0eb5e66",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn-\u003en samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn-\u003en` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample. For `INSN_READ`, the comedi core will\ncopy `insn-\u003en` samples back to user-space. (That triggered KASAN\nkernel-infoleak errors when `insn-\u003en` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn-\u003en` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:24.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44"
},
{
"url": "https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b"
},
{
"url": "https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930"
},
{
"url": "https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0"
},
{
"url": "https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908"
},
{
"url": "https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66"
}
],
"title": "comedi: Make insn_rw_emulate_bits() do insn-\u003en samples",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39686",
"datePublished": "2025-09-05T17:20:53.071Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:18.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50521 (GCVE-0-2022-50521)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()
is not freed after the call, so it leads to memory leak.
The method results in ACPI buffer is not used, so just pass NULL to
wmi_evaluate_method() which fixes the memory leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad Version: 99b38b4acc0d7dbbab443273577cff60080fcfad |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/mxm-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50ac517d6f5348b276f1f663799cf85dce521518",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "5b0f81b0808235967868e01336c976e840217108",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "14bb4bde3b7b2584734b13747b345caeeb41bea3",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "17cd8c46cbec4e6ad593fb9159928b8e7608c11a",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "3cf81501356c9e898ad94b2369ffc805f83f7d7b",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "379e7794c5e7485193d25d73614fbbd1e1387f6f",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "87426ce3bd57ad414b6e2436434ef8128986a9a5",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
},
{
"lessThan": "727cc0147f5066e359aca65cc6cc5e6d64cc15d8",
"status": "affected",
"version": "99b38b4acc0d7dbbab443273577cff60080fcfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/mxm-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()\n\nThe ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()\nis not freed after the call, so it leads to memory leak.\n\nThe method results in ACPI buffer is not used, so just pass NULL to\nwmi_evaluate_method() which fixes the memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:15.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50ac517d6f5348b276f1f663799cf85dce521518"
},
{
"url": "https://git.kernel.org/stable/c/5b0f81b0808235967868e01336c976e840217108"
},
{
"url": "https://git.kernel.org/stable/c/14bb4bde3b7b2584734b13747b345caeeb41bea3"
},
{
"url": "https://git.kernel.org/stable/c/17cd8c46cbec4e6ad593fb9159928b8e7608c11a"
},
{
"url": "https://git.kernel.org/stable/c/3cf81501356c9e898ad94b2369ffc805f83f7d7b"
},
{
"url": "https://git.kernel.org/stable/c/379e7794c5e7485193d25d73614fbbd1e1387f6f"
},
{
"url": "https://git.kernel.org/stable/c/87426ce3bd57ad414b6e2436434ef8128986a9a5"
},
{
"url": "https://git.kernel.org/stable/c/727cc0147f5066e359aca65cc6cc5e6d64cc15d8"
}
],
"title": "platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50521",
"datePublished": "2025-10-07T15:19:15.213Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:15.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50516 (GCVE-0-2022-50516)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: dlm: fix invalid derefence of sb_lvbptr
I experience issues when putting a lkbsb on the stack and have sb_lvbptr
field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
with the following kernel message, the dangled pointer is here
0xdeadbeef as example:
[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
[ 102.749320] #PF: supervisor read access in kernel mode
[ 102.749323] #PF: error_code(0x0000) - not-present page
[ 102.749325] PGD 0 P4D 0
[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 102.749379] PKRU: 55555554
[ 102.749381] Call Trace:
[ 102.749382] <TASK>
[ 102.749383] ? send_args+0xb2/0xd0
[ 102.749389] send_common+0xb7/0xd0
[ 102.749395] _unlock_lock+0x2c/0x90
[ 102.749400] unlock_lock.isra.56+0x62/0xa0
[ 102.749405] dlm_unlock+0x21e/0x330
[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
[ 102.749419] ? preempt_count_sub+0xba/0x100
[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
[ 102.786186] kthread+0x10a/0x130
[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
[ 102.787156] ret_from_fork+0x22/0x30
[ 102.787588] </TASK>
[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
[ 102.792536] CR2: 00000000deadbeef
[ 102.792930] ---[ end trace 0000000000000000 ]---
This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
is set when copying the lvbptr array instead of if it's just null which
fixes for me the issue.
I think this patch can fix other dlm users as well, depending how they
handle the init, freeing memory handling of sb_lvbptr and don't set
DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
hidden issue all the time. However with checking on DLM_LKF_VALBLK the
user always need to provide a sb_lvbptr non-null value. There might be
more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
non-null to report the user the way how DLM API is used is wrong but can
be added for later, this will only fix the current behaviour.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea7be82fd7e1f5de72208bce93fbbe6de6c13dec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ab6d3030652b5de0015176a5b0ad9df9b847514",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57c1cfb5781068e5d3632bc6e5f74a8fcc4f1a30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7175e131ebba47afef47e6ac4d5bab474d1e6e49",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix invalid derefence of sb_lvbptr\n\nI experience issues when putting a lkbsb on the stack and have sb_lvbptr\nfield to a dangled pointer while not using DLM_LKF_VALBLK. It will crash\nwith the following kernel message, the dangled pointer is here\n0xdeadbeef as example:\n\n[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef\n[ 102.749320] #PF: supervisor read access in kernel mode\n[ 102.749323] #PF: error_code(0x0000) - not-present page\n[ 102.749325] PGD 0 P4D 0\n[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565\n[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014\n[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10\n[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 \u003cf3\u003e a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe\n[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202\n[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040\n[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070\n[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001\n[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70\n[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001\n[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000\n[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0\n[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 102.749379] PKRU: 55555554\n[ 102.749381] Call Trace:\n[ 102.749382] \u003cTASK\u003e\n[ 102.749383] ? send_args+0xb2/0xd0\n[ 102.749389] send_common+0xb7/0xd0\n[ 102.749395] _unlock_lock+0x2c/0x90\n[ 102.749400] unlock_lock.isra.56+0x62/0xa0\n[ 102.749405] dlm_unlock+0x21e/0x330\n[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]\n[ 102.749419] ? preempt_count_sub+0xba/0x100\n[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]\n[ 102.786186] kthread+0x10a/0x130\n[ 102.786581] ? kthread_complete_and_exit+0x20/0x20\n[ 102.787156] ret_from_fork+0x22/0x30\n[ 102.787588] \u003c/TASK\u003e\n[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw\n[ 102.792536] CR2: 00000000deadbeef\n[ 102.792930] ---[ end trace 0000000000000000 ]---\n\nThis patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags\nis set when copying the lvbptr array instead of if it\u0027s just null which\nfixes for me the issue.\n\nI think this patch can fix other dlm users as well, depending how they\nhandle the init, freeing memory handling of sb_lvbptr and don\u0027t set\nDLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a\nhidden issue all the time. However with checking on DLM_LKF_VALBLK the\nuser always need to provide a sb_lvbptr non-null value. There might be\nmore intelligent handling between per ls lvblen, DLM_LKF_VALBLK and\nnon-null to report the user the way how DLM API is used is wrong but can\nbe added for later, this will only fix the current behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:11.657Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea7be82fd7e1f5de72208bce93fbbe6de6c13dec"
},
{
"url": "https://git.kernel.org/stable/c/1ab6d3030652b5de0015176a5b0ad9df9b847514"
},
{
"url": "https://git.kernel.org/stable/c/57c1cfb5781068e5d3632bc6e5f74a8fcc4f1a30"
},
{
"url": "https://git.kernel.org/stable/c/7175e131ebba47afef47e6ac4d5bab474d1e6e49"
}
],
"title": "fs: dlm: fix invalid derefence of sb_lvbptr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50516",
"datePublished": "2025-10-07T15:19:11.657Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:11.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53177 (GCVE-0-2023-53177)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: hi846: fix usage of pm_runtime_get_if_in_use()
pm_runtime_get_if_in_use() does not only return nonzero values when
the device is in use, it can return a negative errno too.
And especially during resuming from system suspend, when runtime pm
is not yet up again, -EAGAIN is being returned, so the subsequent
pm_runtime_put() call results in a refcount underflow.
Fix system-resume by handling -EAGAIN of pm_runtime_get_if_in_use().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/hi846.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42ec6269f98edd915ee37da3c6456bb6243ea56a",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
},
{
"lessThan": "c5dcd7a19f1ed8fe98384f3a9444c7c53befd74e",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
},
{
"lessThan": "04fc06f6dc1592ed5d675311ac50d8fba5db62ab",
"status": "affected",
"version": "e8c0882685f9152f0d729664a12bcbe749cb7736",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/hi846.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hi846: fix usage of pm_runtime_get_if_in_use()\n\npm_runtime_get_if_in_use() does not only return nonzero values when\nthe device is in use, it can return a negative errno too.\n\nAnd especially during resuming from system suspend, when runtime pm\nis not yet up again, -EAGAIN is being returned, so the subsequent\npm_runtime_put() call results in a refcount underflow.\n\nFix system-resume by handling -EAGAIN of pm_runtime_get_if_in_use()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:20.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42ec6269f98edd915ee37da3c6456bb6243ea56a"
},
{
"url": "https://git.kernel.org/stable/c/c5dcd7a19f1ed8fe98384f3a9444c7c53befd74e"
},
{
"url": "https://git.kernel.org/stable/c/04fc06f6dc1592ed5d675311ac50d8fba5db62ab"
}
],
"title": "media: hi846: fix usage of pm_runtime_get_if_in_use()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53177",
"datePublished": "2025-09-15T14:04:20.626Z",
"dateReserved": "2025-09-15T13:59:19.064Z",
"dateUpdated": "2025-09-15T14:04:20.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53215 (GCVE-0-2023-53215)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Don't balance task to its current running CPU
We've run into the case that the balancer tries to balance a migration
disabled task and trigger the warning in set_task_cpu() like below:
------------[ cut here ]------------
WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : set_task_cpu+0x188/0x240
lr : load_balance+0x5d0/0xc60
sp : ffff80000803bc70
x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
Call trace:
set_task_cpu+0x188/0x240
load_balance+0x5d0/0xc60
rebalance_domains+0x26c/0x380
_nohz_idle_balance.isra.0+0x1e0/0x370
run_rebalance_domains+0x6c/0x80
__do_softirq+0x128/0x3d8
____do_softirq+0x18/0x24
call_on_irq_stack+0x2c/0x38
do_softirq_own_stack+0x24/0x3c
__irq_exit_rcu+0xcc/0xf4
irq_exit_rcu+0x18/0x24
el1_interrupt+0x4c/0xe4
el1h_64_irq_handler+0x18/0x2c
el1h_64_irq+0x74/0x78
arch_cpu_idle+0x18/0x4c
default_idle_call+0x58/0x194
do_idle+0x244/0x2b0
cpu_startup_entry+0x30/0x3c
secondary_start_kernel+0x14c/0x190
__secondary_switched+0xb0/0xb4
---[ end trace 0000000000000000 ]---
Further investigation shows that the warning is superfluous, the migration
disabled task is just going to be migrated to its current running CPU.
This is because that on load balance if the dst_cpu is not allowed by the
task, we'll re-select a new_dst_cpu as a candidate. If no task can be
balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
instead. In this case when the migration disabled task is not on CPU it
only allows to run on its current CPU, load balance will select its
current CPU as new_dst_cpu and later triggers the warning above.
The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
contains CPUs in sched_group_span() and if we have overlapped groups it's
possible to run into this case. This patch makes env->dst_grpmask of
group_balance_mask() which exclude any CPUs from the busiest group and
solve the issue. For balancing in a domain with no overlapped groups
the behaviour keeps same as before.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32d937f94b7805d4c9028b8727a7d6241547da54",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5286f4655ce2fa28f477c0b957ea7f323fe2fab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b0c79aa33075b34c3cdcea4132c0afb3fc42d68",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3cb43222bab8ab328fc91ed30899b3df2efbccfd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78a5f711efceb37e32c48cd6b40addb671fea9cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34eb902050d473bb2befa15714fb1d30a0991c15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dd37d6dd33a9c23351e6115ae8cdac7863bc7de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Don\u0027t balance task to its current running CPU\n\nWe\u0027ve run into the case that the balancer tries to balance a migration\ndisabled task and trigger the warning in set_task_cpu() like below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240\n Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 \u003c...snip\u003e\n CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1\n Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : set_task_cpu+0x188/0x240\n lr : load_balance+0x5d0/0xc60\n sp : ffff80000803bc70\n x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040\n x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001\n x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78\n x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000\n x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530\n x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e\n x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a\n x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001\n Call trace:\n set_task_cpu+0x188/0x240\n load_balance+0x5d0/0xc60\n rebalance_domains+0x26c/0x380\n _nohz_idle_balance.isra.0+0x1e0/0x370\n run_rebalance_domains+0x6c/0x80\n __do_softirq+0x128/0x3d8\n ____do_softirq+0x18/0x24\n call_on_irq_stack+0x2c/0x38\n do_softirq_own_stack+0x24/0x3c\n __irq_exit_rcu+0xcc/0xf4\n irq_exit_rcu+0x18/0x24\n el1_interrupt+0x4c/0xe4\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x74/0x78\n arch_cpu_idle+0x18/0x4c\n default_idle_call+0x58/0x194\n do_idle+0x244/0x2b0\n cpu_startup_entry+0x30/0x3c\n secondary_start_kernel+0x14c/0x190\n __secondary_switched+0xb0/0xb4\n ---[ end trace 0000000000000000 ]---\n\nFurther investigation shows that the warning is superfluous, the migration\ndisabled task is just going to be migrated to its current running CPU.\nThis is because that on load balance if the dst_cpu is not allowed by the\ntask, we\u0027ll re-select a new_dst_cpu as a candidate. If no task can be\nbalanced to dst_cpu we\u0027ll try to balance the task to the new_dst_cpu\ninstead. In this case when the migration disabled task is not on CPU it\nonly allows to run on its current CPU, load balance will select its\ncurrent CPU as new_dst_cpu and later triggers the warning above.\n\nThe new_dst_cpu is chosen from the env-\u003edst_grpmask. Currently it\ncontains CPUs in sched_group_span() and if we have overlapped groups it\u0027s\npossible to run into this case. This patch makes env-\u003edst_grpmask of\ngroup_balance_mask() which exclude any CPUs from the busiest group and\nsolve the issue. For balancing in a domain with no overlapped groups\nthe behaviour keeps same as before."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:43.107Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32d937f94b7805d4c9028b8727a7d6241547da54"
},
{
"url": "https://git.kernel.org/stable/c/a5286f4655ce2fa28f477c0b957ea7f323fe2fab"
},
{
"url": "https://git.kernel.org/stable/c/cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1"
},
{
"url": "https://git.kernel.org/stable/c/6b0c79aa33075b34c3cdcea4132c0afb3fc42d68"
},
{
"url": "https://git.kernel.org/stable/c/3cb43222bab8ab328fc91ed30899b3df2efbccfd"
},
{
"url": "https://git.kernel.org/stable/c/78a5f711efceb37e32c48cd6b40addb671fea9cc"
},
{
"url": "https://git.kernel.org/stable/c/34eb902050d473bb2befa15714fb1d30a0991c15"
},
{
"url": "https://git.kernel.org/stable/c/0dd37d6dd33a9c23351e6115ae8cdac7863bc7de"
}
],
"title": "sched/fair: Don\u0027t balance task to its current running CPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53215",
"datePublished": "2025-09-15T14:21:43.107Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2025-09-15T14:21:43.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53432 (GCVE-0-2023-53432)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firewire: net: fix use after free in fwnet_finish_incoming_packet()
The netif_rx() function frees the skb so we can't dereference it to
save the skb->len.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firewire/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ea70379e4f4efa95c9daa7f3f9bdd4d40aec927",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9040adc38cf6bfbb77034d558ac2c52f70d840ac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9860921ab4521252dc39bb21b9c936bd09a00982",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ff256751a2853e1ffaa36958ff933ccc98c6cb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firewire/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: net: fix use after free in fwnet_finish_incoming_packet()\n\nThe netif_rx() function frees the skb so we can\u0027t dereference it to\nsave the skb-\u003elen."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:12.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ea70379e4f4efa95c9daa7f3f9bdd4d40aec927"
},
{
"url": "https://git.kernel.org/stable/c/9040adc38cf6bfbb77034d558ac2c52f70d840ac"
},
{
"url": "https://git.kernel.org/stable/c/9860921ab4521252dc39bb21b9c936bd09a00982"
},
{
"url": "https://git.kernel.org/stable/c/3ff256751a2853e1ffaa36958ff933ccc98c6cb5"
}
],
"title": "firewire: net: fix use after free in fwnet_finish_incoming_packet()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53432",
"datePublished": "2025-09-18T16:04:12.446Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2025-09-18T16:04:12.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53719 (GCVE-0-2023-53719)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
Smatch reports:
drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
'port->membase' from of_iomap() not released on lines: 631.
In arc_serial_probe(), if uart_add_one_port() fails,
port->membase is not released, which would cause a resource leak.
To fix this, I replace of_iomap with devm_platform_ioremap_resource.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a Version: 8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/arc_uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f00df24a5021a6f02c1830a290acd4bceb22a2d",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "7525aa211758cc023a371e010d16ceaae1057807",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "153017561d2804cfae87cc9aa377aa84dd906ae1",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "f76a18e53a66c0ef2938276110717b3805720cd9",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "081790eee6b47389a0d895262086d64c6a38d6e5",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "40a462313ba4f337a2b419e7fb4a670f3dd95e14",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
},
{
"lessThan": "8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd",
"status": "affected",
"version": "8dbe1d5e09a7faec8d22cadcc1011acab8fa6e2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/arc_uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: arc_uart: fix of_iomap leak in `arc_serial_probe`\n\nSmatch reports:\n\ndrivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:\n\u0027port-\u003emembase\u0027 from of_iomap() not released on lines: 631.\n\nIn arc_serial_probe(), if uart_add_one_port() fails,\nport-\u003emembase is not released, which would cause a resource leak.\n\nTo fix this, I replace of_iomap with devm_platform_ioremap_resource."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:51.441Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f00df24a5021a6f02c1830a290acd4bceb22a2d"
},
{
"url": "https://git.kernel.org/stable/c/7525aa211758cc023a371e010d16ceaae1057807"
},
{
"url": "https://git.kernel.org/stable/c/153017561d2804cfae87cc9aa377aa84dd906ae1"
},
{
"url": "https://git.kernel.org/stable/c/f76a18e53a66c0ef2938276110717b3805720cd9"
},
{
"url": "https://git.kernel.org/stable/c/081790eee6b47389a0d895262086d64c6a38d6e5"
},
{
"url": "https://git.kernel.org/stable/c/40a462313ba4f337a2b419e7fb4a670f3dd95e14"
},
{
"url": "https://git.kernel.org/stable/c/8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd"
}
],
"title": "serial: arc_uart: fix of_iomap leak in `arc_serial_probe`",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53719",
"datePublished": "2025-10-22T13:23:51.441Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:51.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53542 (GCVE-0-2023-53542)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
For some reason, the driver adding support for Exynos5420 MIPI phy
back in 2016 wasn't used on Exynos5420, which caused a kernel panic.
Add the proper compatible for it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/boot/dts/exynos5420.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c075aa3467a799855a92289a3c619afc0a2ad193",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "537bdfc1a67836fbd68bbe4210bc380f72cca47f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f10001af0f7246cf3e43530d25f8d59a8db10df6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "199624f3144d79fab1cff533ce6a4b82390520a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e68a0f7bc576318a58335c31c542b358bc63f83",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2a6198f5ed7d6e4e06d87a4de007f2e45cc9583",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29961ee63dd676cc67f7c00f76faa21e11f0d7c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d5aa219a790d61cad2c38e1aa32058f16ad2f0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/boot/dts/exynos5420.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy\n\nFor some reason, the driver adding support for Exynos5420 MIPI phy\nback in 2016 wasn\u0027t used on Exynos5420, which caused a kernel panic.\nAdd the proper compatible for it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:51.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c075aa3467a799855a92289a3c619afc0a2ad193"
},
{
"url": "https://git.kernel.org/stable/c/537bdfc1a67836fbd68bbe4210bc380f72cca47f"
},
{
"url": "https://git.kernel.org/stable/c/f10001af0f7246cf3e43530d25f8d59a8db10df6"
},
{
"url": "https://git.kernel.org/stable/c/199624f3144d79fab1cff533ce6a4b82390520a3"
},
{
"url": "https://git.kernel.org/stable/c/2e68a0f7bc576318a58335c31c542b358bc63f83"
},
{
"url": "https://git.kernel.org/stable/c/f2a6198f5ed7d6e4e06d87a4de007f2e45cc9583"
},
{
"url": "https://git.kernel.org/stable/c/29961ee63dd676cc67f7c00f76faa21e11f0d7c6"
},
{
"url": "https://git.kernel.org/stable/c/5d5aa219a790d61cad2c38e1aa32058f16ad2f0b"
}
],
"title": "ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53542",
"datePublished": "2025-10-04T15:16:51.440Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2025-10-04T15:16:51.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53645 (GCVE-0-2023-53645)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Make bpf_refcount_acquire fallible for non-owning refs
This patch fixes an incorrect assumption made in the original
bpf_refcount series [0], specifically that the BPF program calling
bpf_refcount_acquire on some node can always guarantee that the node is
alive. In that series, the patch adding failure behavior to rbtree_add
and list_push_{front, back} breaks this assumption for non-owning
references.
Consider the following program:
n = bpf_kptr_xchg(&mapval, NULL);
/* skip error checking */
bpf_spin_lock(&l);
if(bpf_rbtree_add(&t, &n->rb, less)) {
bpf_refcount_acquire(n);
/* Failed to add, do something else with the node */
}
bpf_spin_unlock(&l);
It's incorrect to assume that bpf_refcount_acquire will always succeed in this
scenario. bpf_refcount_acquire is being called in a critical section
here, but the lock being held is associated with rbtree t, which isn't
necessarily the lock associated with the tree that the node is already
in. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop
in it, the program has no ownership of the node's lifetime. Therefore
the node's refcount can be decr'd to 0 at any time after the failing
rbtree_add. If this happens before the refcount_acquire above, the node
might be free'd, and regardless refcount_acquire will be incrementing a
0 refcount.
Later patches in the series exercise this scenario, resulting in the
expected complaint from the kernel (without this patch's changes):
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110
Modules linked in: bpf_testmod(O)
CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0xbc/0x110
Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7
RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680
RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7
R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388
R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048
FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
bpf_refcount_acquire_impl+0xb5/0xc0
(rest of output snipped)
The patch addresses this by changing bpf_refcount_acquire_impl to use
refcount_inc_not_zero instead of refcount_inc and marking
bpf_refcount_acquire KF_RET_NULL.
For owning references, though, we know the above scenario is not possible
and thus that bpf_refcount_acquire will always succeed. Some verifier
bookkeeping is added to track "is input owning ref?" for bpf_refcount_acquire
calls and return false from is_kfunc_ret_null for bpf_refcount_acquire on
owning refs despite it being marked KF_RET_NULL.
Existing selftests using bpf_refcount_acquire are modified where
necessary to NULL-check its return value.
[0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d906d1b940b9dbf0a3e821d6b32a51c369273d91",
"status": "affected",
"version": "d2dcc67df910dd85253a701b6a5b747f955d28f5",
"versionType": "git"
},
{
"lessThan": "7793fc3babe9fea908e57f7c187ea819f9fd7e95",
"status": "affected",
"version": "d2dcc67df910dd85253a701b6a5b747f955d28f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr.c",
"tools/testing/selftests/bpf/progs/refcounted_kptr_fail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Make bpf_refcount_acquire fallible for non-owning refs\n\nThis patch fixes an incorrect assumption made in the original\nbpf_refcount series [0], specifically that the BPF program calling\nbpf_refcount_acquire on some node can always guarantee that the node is\nalive. In that series, the patch adding failure behavior to rbtree_add\nand list_push_{front, back} breaks this assumption for non-owning\nreferences.\n\nConsider the following program:\n\n n = bpf_kptr_xchg(\u0026mapval, NULL);\n /* skip error checking */\n\n bpf_spin_lock(\u0026l);\n if(bpf_rbtree_add(\u0026t, \u0026n-\u003erb, less)) {\n bpf_refcount_acquire(n);\n /* Failed to add, do something else with the node */\n }\n bpf_spin_unlock(\u0026l);\n\nIt\u0027s incorrect to assume that bpf_refcount_acquire will always succeed in this\nscenario. bpf_refcount_acquire is being called in a critical section\nhere, but the lock being held is associated with rbtree t, which isn\u0027t\nnecessarily the lock associated with the tree that the node is already\nin. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop\nin it, the program has no ownership of the node\u0027s lifetime. Therefore\nthe node\u0027s refcount can be decr\u0027d to 0 at any time after the failing\nrbtree_add. If this happens before the refcount_acquire above, the node\nmight be free\u0027d, and regardless refcount_acquire will be incrementing a\n0 refcount.\n\nLater patches in the series exercise this scenario, resulting in the\nexpected complaint from the kernel (without this patch\u0027s changes):\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110\n Modules linked in: bpf_testmod(O)\n CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n RIP: 0010:refcount_warn_saturate+0xbc/0x110\n Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff \u003c0f\u003e 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7\n RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082\n RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680\n RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7\n R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388\n R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048\n FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n bpf_refcount_acquire_impl+0xb5/0xc0\n\n (rest of output snipped)\n\nThe patch addresses this by changing bpf_refcount_acquire_impl to use\nrefcount_inc_not_zero instead of refcount_inc and marking\nbpf_refcount_acquire KF_RET_NULL.\n\nFor owning references, though, we know the above scenario is not possible\nand thus that bpf_refcount_acquire will always succeed. Some verifier\nbookkeeping is added to track \"is input owning ref?\" for bpf_refcount_acquire\ncalls and return false from is_kfunc_ret_null for bpf_refcount_acquire on\nowning refs despite it being marked KF_RET_NULL.\n\nExisting selftests using bpf_refcount_acquire are modified where\nnecessary to NULL-check its return value.\n\n [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:43.738Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d906d1b940b9dbf0a3e821d6b32a51c369273d91"
},
{
"url": "https://git.kernel.org/stable/c/7793fc3babe9fea908e57f7c187ea819f9fd7e95"
}
],
"title": "bpf: Make bpf_refcount_acquire fallible for non-owning refs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53645",
"datePublished": "2025-10-07T15:19:43.738Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:43.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53730 (GCVE-0-2023-53730)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
adjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled
when unlock. DEADLOCK might happen if we have held other locks and disabled
IRQ before invoking it.
Fix it by using spin_lock_irqsave() instead, which can keep IRQ state
consistent with before when unlock.
================================
WARNING: inconsistent lock state
5.10.0-02758-g8e5f91fd772f #26 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes:
ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq
ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390
{IN-HARDIRQ-W} state was registered at:
__lock_acquire+0x3d7/0x1070
lock_acquire+0x197/0x4a0
__raw_spin_lock_irqsave
_raw_spin_lock_irqsave+0x3b/0x60
bfq_idle_slice_timer_body
bfq_idle_slice_timer+0x53/0x1d0
__run_hrtimer+0x477/0xa70
__hrtimer_run_queues+0x1c6/0x2d0
hrtimer_interrupt+0x302/0x9e0
local_apic_timer_interrupt
__sysvec_apic_timer_interrupt+0xfd/0x420
run_sysvec_on_irqstack_cond
sysvec_apic_timer_interrupt+0x46/0xa0
asm_sysvec_apic_timer_interrupt+0x12/0x20
irq event stamp: 837522
hardirqs last enabled at (837521): [<ffffffff84b9419d>] __raw_spin_unlock_irqrestore
hardirqs last enabled at (837521): [<ffffffff84b9419d>] _raw_spin_unlock_irqrestore+0x3d/0x40
hardirqs last disabled at (837522): [<ffffffff84b93fa3>] __raw_spin_lock_irq
hardirqs last disabled at (837522): [<ffffffff84b93fa3>] _raw_spin_lock_irq+0x43/0x50
softirqs last enabled at (835852): [<ffffffff84e00558>] __do_softirq+0x558/0x8ec
softirqs last disabled at (835845): [<ffffffff84c010ff>] asm_call_irq_on_stack+0xf/0x20
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&bfqd->lock);
<Interrupt>
lock(&bfqd->lock);
*** DEADLOCK ***
3 locks held by kworker/2:3/388:
#0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0
#1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0
#2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq
#2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390
stack backtrace:
CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kthrotld blk_throtl_dispatch_work_fn
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x107/0x167
print_usage_bug
valid_state
mark_lock_irq.cold+0x32/0x3a
mark_lock+0x693/0xbc0
mark_held_locks+0x9e/0xe0
__trace_hardirqs_on_caller
lockdep_hardirqs_on_prepare.part.0+0x151/0x360
trace_hardirqs_on+0x5b/0x180
__raw_spin_unlock_irq
_raw_spin_unlock_irq+0x24/0x40
spin_unlock_irq
adjust_inuse_and_calc_cost+0x4fb/0x970
ioc_rqos_merge+0x277/0x740
__rq_qos_merge+0x62/0xb0
rq_qos_merge
bio_attempt_back_merge+0x12c/0x4a0
blk_mq_sched_try_merge+0x1b6/0x4d0
bfq_bio_merge+0x24a/0x390
__blk_mq_sched_bio_merge+0xa6/0x460
blk_mq_sched_bio_merge
blk_mq_submit_bio+0x2e7/0x1ee0
__submit_bio_noacct_mq+0x175/0x3b0
submit_bio_noacct+0x1fb/0x270
blk_throtl_dispatch_work_fn+0x1ef/0x2b0
process_one_work+0x83e/0x13f0
process_scheduled_works
worker_thread+0x7e3/0xd80
kthread+0x353/0x470
ret_from_fork+0x1f/0x30
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 Version: b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8563b58a4360e648ce18f0e98a75a4be51667431",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
},
{
"lessThan": "eb120c0aff5ceab9c9c46b87f302465bbf2bbaed",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
},
{
"lessThan": "8ceeb3fc86a83700bb1585c189006080a47e8506",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
},
{
"lessThan": "9279a1b74ad98039d5d44d26b9e7a9cfe655b6d3",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
},
{
"lessThan": "3376c4fe2db4aea2dc721a27a999c41fdb45b54f",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
},
{
"lessThan": "8d211554679d0b23702bd32ba04aeac0c1c4f660",
"status": "affected",
"version": "b0853ab4a238c54b8f97ca7dde1ae156e2bbd5e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost\n\nadjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled\nwhen unlock. DEADLOCK might happen if we have held other locks and disabled\nIRQ before invoking it.\n\nFix it by using spin_lock_irqsave() instead, which can keep IRQ state\nconsistent with before when unlock.\n\n ================================\n WARNING: inconsistent lock state\n 5.10.0-02758-g8e5f91fd772f #26 Not tainted\n --------------------------------\n inconsistent {IN-HARDIRQ-W} -\u003e {HARDIRQ-ON-W} usage.\n kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes:\n ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: spin_lock_irq\n ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n {IN-HARDIRQ-W} state was registered at:\n __lock_acquire+0x3d7/0x1070\n lock_acquire+0x197/0x4a0\n __raw_spin_lock_irqsave\n _raw_spin_lock_irqsave+0x3b/0x60\n bfq_idle_slice_timer_body\n bfq_idle_slice_timer+0x53/0x1d0\n __run_hrtimer+0x477/0xa70\n __hrtimer_run_queues+0x1c6/0x2d0\n hrtimer_interrupt+0x302/0x9e0\n local_apic_timer_interrupt\n __sysvec_apic_timer_interrupt+0xfd/0x420\n run_sysvec_on_irqstack_cond\n sysvec_apic_timer_interrupt+0x46/0xa0\n asm_sysvec_apic_timer_interrupt+0x12/0x20\n irq event stamp: 837522\n hardirqs last enabled at (837521): [\u003cffffffff84b9419d\u003e] __raw_spin_unlock_irqrestore\n hardirqs last enabled at (837521): [\u003cffffffff84b9419d\u003e] _raw_spin_unlock_irqrestore+0x3d/0x40\n hardirqs last disabled at (837522): [\u003cffffffff84b93fa3\u003e] __raw_spin_lock_irq\n hardirqs last disabled at (837522): [\u003cffffffff84b93fa3\u003e] _raw_spin_lock_irq+0x43/0x50\n softirqs last enabled at (835852): [\u003cffffffff84e00558\u003e] __do_softirq+0x558/0x8ec\n softirqs last disabled at (835845): [\u003cffffffff84c010ff\u003e] asm_call_irq_on_stack+0xf/0x20\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(\u0026bfqd-\u003elock);\n \u003cInterrupt\u003e\n lock(\u0026bfqd-\u003elock);\n\n *** DEADLOCK ***\n\n 3 locks held by kworker/2:3/388:\n #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0\n #1: ffff8881176bfdd8 ((work_completion)(\u0026td-\u003edispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0\n #2: ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: spin_lock_irq\n #2: ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n\n stack backtrace:\n CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n Workqueue: kthrotld blk_throtl_dispatch_work_fn\n Call Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x107/0x167\n print_usage_bug\n valid_state\n mark_lock_irq.cold+0x32/0x3a\n mark_lock+0x693/0xbc0\n mark_held_locks+0x9e/0xe0\n __trace_hardirqs_on_caller\n lockdep_hardirqs_on_prepare.part.0+0x151/0x360\n trace_hardirqs_on+0x5b/0x180\n __raw_spin_unlock_irq\n _raw_spin_unlock_irq+0x24/0x40\n spin_unlock_irq\n adjust_inuse_and_calc_cost+0x4fb/0x970\n ioc_rqos_merge+0x277/0x740\n __rq_qos_merge+0x62/0xb0\n rq_qos_merge\n bio_attempt_back_merge+0x12c/0x4a0\n blk_mq_sched_try_merge+0x1b6/0x4d0\n bfq_bio_merge+0x24a/0x390\n __blk_mq_sched_bio_merge+0xa6/0x460\n blk_mq_sched_bio_merge\n blk_mq_submit_bio+0x2e7/0x1ee0\n __submit_bio_noacct_mq+0x175/0x3b0\n submit_bio_noacct+0x1fb/0x270\n blk_throtl_dispatch_work_fn+0x1ef/0x2b0\n process_one_work+0x83e/0x13f0\n process_scheduled_works\n worker_thread+0x7e3/0xd80\n kthread+0x353/0x470\n ret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:58.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8563b58a4360e648ce18f0e98a75a4be51667431"
},
{
"url": "https://git.kernel.org/stable/c/eb120c0aff5ceab9c9c46b87f302465bbf2bbaed"
},
{
"url": "https://git.kernel.org/stable/c/8ceeb3fc86a83700bb1585c189006080a47e8506"
},
{
"url": "https://git.kernel.org/stable/c/9279a1b74ad98039d5d44d26b9e7a9cfe655b6d3"
},
{
"url": "https://git.kernel.org/stable/c/3376c4fe2db4aea2dc721a27a999c41fdb45b54f"
},
{
"url": "https://git.kernel.org/stable/c/8d211554679d0b23702bd32ba04aeac0c1c4f660"
}
],
"title": "blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53730",
"datePublished": "2025-10-22T13:23:58.419Z",
"dateReserved": "2025-10-22T13:21:37.349Z",
"dateUpdated": "2025-10-22T13:23:58.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38697 (GCVE-0-2025-38697)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: upper bound check of tree index in dbAllocAG
When computing the tree index in dbAllocAG, we never check if we are
out of bounds realative to the size of the stree.
This could happen in a scenario where the filesystem metadata are
corrupted.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:26.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bdb9553fb134fd52ec208a8b378120670f6e784",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4f199203f79ca9cd7355799ccb26800174ff093",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1467a75819e41341cd5ebd16faa2af1ca3c8f4fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "49ea46d9025aa1914b24ea957636cbe4367a7311",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "173cfd741ad7073640bfb7e2344c2a0ee005e769",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c8ca21a2836993d7cb816668458e05e598574e55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2dd05f09cc323018136a7ecdb3d1007be9ede27f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30e19a884c0b11f33821aacda7e72e914bec26ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c214006856ff52a8ff17ed8da52d50601d54f9ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: upper bound check of tree index in dbAllocAG\n\nWhen computing the tree index in dbAllocAG, we never check if we are\nout of bounds realative to the size of the stree.\nThis could happen in a scenario where the filesystem metadata are\ncorrupted."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:14.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bdb9553fb134fd52ec208a8b378120670f6e784"
},
{
"url": "https://git.kernel.org/stable/c/a4f199203f79ca9cd7355799ccb26800174ff093"
},
{
"url": "https://git.kernel.org/stable/c/1467a75819e41341cd5ebd16faa2af1ca3c8f4fe"
},
{
"url": "https://git.kernel.org/stable/c/49ea46d9025aa1914b24ea957636cbe4367a7311"
},
{
"url": "https://git.kernel.org/stable/c/173cfd741ad7073640bfb7e2344c2a0ee005e769"
},
{
"url": "https://git.kernel.org/stable/c/c8ca21a2836993d7cb816668458e05e598574e55"
},
{
"url": "https://git.kernel.org/stable/c/2dd05f09cc323018136a7ecdb3d1007be9ede27f"
},
{
"url": "https://git.kernel.org/stable/c/30e19a884c0b11f33821aacda7e72e914bec26ef"
},
{
"url": "https://git.kernel.org/stable/c/c214006856ff52a8ff17ed8da52d50601d54f9ce"
}
],
"title": "jfs: upper bound check of tree index in dbAllocAG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38697",
"datePublished": "2025-09-04T15:32:49.848Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:26.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40052 (GCVE-0-2025-40052)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix crypto buffers in non-linear memory
The crypto API, through the scatterlist API, expects input buffers to be
in linear memory. We handle this with the cifs_sg_set_buf() helper
that converts vmalloc'd memory to their corresponding pages.
However, when we allocate our aead_request buffer (@creq in
smb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly
puts aead_request->__ctx in vmalloc area.
AEAD algorithm then uses ->__ctx for its private/internal data and
operations, and uses sg_set_buf() for such data on a few places.
This works fine as long as @creq falls into kmalloc zone (small
requests) or vmalloc'd memory is still within linear range.
Tasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so too
many tasks will increment the base stacks' addresses to a point where
virt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that
happens.
In practice: too many parallel reads and writes on an encrypted mount
will trigger this bug.
To fix this, always alloc @creq with kmalloc() instead.
Also drop the @sensitive_size variable/arguments since
kfree_sensitive() doesn't need it.
Backtrace:
[ 945.272081] ------------[ cut here ]------------
[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!
[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)
[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)
[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220
[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b
[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246
[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030
[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070
[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000
[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070
[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010
[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000
[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0
[ 945.286683] Call Trace:
[ 945.286952] <TASK>
[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]
[ 945.287719] crypto_gcm_encrypt+0x36/0xe0
[ 945.288152] crypt_message+0x54a/0xad0 [cifs]
[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]
[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]
[ 945.289944] cifs_call_async+0x178/0x340 [cifs]
[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]
[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]
[ 945.291759] ? find_held_lock+0x32/0x90
[ 945.292212] ? netfs_advance_write+0xf2/0x310
[ 945.292723] netfs_advance_write+0xf2/0x310
[ 945.293210] netfs_write_folio+0x346/0xcc0
[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10
[ 945.294250] netfs_writepages+0x117/0x460
[ 945.294724] do_writepages+0xbe/0x170
[ 945.295152] ? find_held_lock+0x32/0x90
[ 945.295600] ? kvm_sched_clock_read+0x11/0x20
[ 945.296103] __writeback_single_inode+0x56/0x4b0
[ 945.296643] writeback_sb_inodes+0x229/0x550
[ 945.297140] __writeback_inodes_wb+0x4c/0xe0
[ 945.297642] wb_writeback+0x2f1/0x3f0
[ 945.298069] wb_workfn+0x300/0x490
[ 945.298472] process_one_work+0x1fe/0x590
[ 945.298949] worker_thread+0x1ce/0x3c0
[ 945.299397] ? __pfx_worker_thread+0x10/0x10
[ 945.299900] kthr
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba905a567105dde21cdb8e6d3a87110fa434b393",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "7a8a8c15468f0c99685e9964451feffd1a3cc859",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "4a61b68abd2788db0364c9a0b6a39f1699fea440",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
},
{
"lessThan": "998a67b954680f26f3734040aeeed08642d49721",
"status": "affected",
"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix crypto buffers in non-linear memory\n\nThe crypto API, through the scatterlist API, expects input buffers to be\nin linear memory. We handle this with the cifs_sg_set_buf() helper\nthat converts vmalloc\u0027d memory to their corresponding pages.\n\nHowever, when we allocate our aead_request buffer (@creq in\nsmb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly\nputs aead_request-\u003e__ctx in vmalloc area.\n\nAEAD algorithm then uses -\u003e__ctx for its private/internal data and\noperations, and uses sg_set_buf() for such data on a few places.\n\nThis works fine as long as @creq falls into kmalloc zone (small\nrequests) or vmalloc\u0027d memory is still within linear range.\n\nTasks\u0027 stacks are vmalloc\u0027d by default (CONFIG_VMAP_STACK=y), so too\nmany tasks will increment the base stacks\u0027 addresses to a point where\nvirt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that\nhappens.\n\nIn practice: too many parallel reads and writes on an encrypted mount\nwill trigger this bug.\n\nTo fix this, always alloc @creq with kmalloc() instead.\nAlso drop the @sensitive_size variable/arguments since\nkfree_sensitive() doesn\u0027t need it.\n\nBacktrace:\n\n[ 945.272081] ------------[ cut here ]------------\n[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!\n[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)\n[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)\n[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220\n[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff \u003c0f\u003e 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b\n[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246\n[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030\n[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070\n[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000\n[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070\n[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010\n[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000\n[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0\n[ 945.286683] Call Trace:\n[ 945.286952] \u003cTASK\u003e\n[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]\n[ 945.287719] crypto_gcm_encrypt+0x36/0xe0\n[ 945.288152] crypt_message+0x54a/0xad0 [cifs]\n[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]\n[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]\n[ 945.289944] cifs_call_async+0x178/0x340 [cifs]\n[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]\n[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]\n[ 945.291759] ? find_held_lock+0x32/0x90\n[ 945.292212] ? netfs_advance_write+0xf2/0x310\n[ 945.292723] netfs_advance_write+0xf2/0x310\n[ 945.293210] netfs_write_folio+0x346/0xcc0\n[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10\n[ 945.294250] netfs_writepages+0x117/0x460\n[ 945.294724] do_writepages+0xbe/0x170\n[ 945.295152] ? find_held_lock+0x32/0x90\n[ 945.295600] ? kvm_sched_clock_read+0x11/0x20\n[ 945.296103] __writeback_single_inode+0x56/0x4b0\n[ 945.296643] writeback_sb_inodes+0x229/0x550\n[ 945.297140] __writeback_inodes_wb+0x4c/0xe0\n[ 945.297642] wb_writeback+0x2f1/0x3f0\n[ 945.298069] wb_workfn+0x300/0x490\n[ 945.298472] process_one_work+0x1fe/0x590\n[ 945.298949] worker_thread+0x1ce/0x3c0\n[ 945.299397] ? __pfx_worker_thread+0x10/0x10\n[ 945.299900] kthr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:27.854Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba905a567105dde21cdb8e6d3a87110fa434b393"
},
{
"url": "https://git.kernel.org/stable/c/7a8a8c15468f0c99685e9964451feffd1a3cc859"
},
{
"url": "https://git.kernel.org/stable/c/4a61b68abd2788db0364c9a0b6a39f1699fea440"
},
{
"url": "https://git.kernel.org/stable/c/998a67b954680f26f3734040aeeed08642d49721"
}
],
"title": "smb: client: fix crypto buffers in non-linear memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40052",
"datePublished": "2025-10-28T11:48:27.854Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-10-28T11:48:27.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53640 (GCVE-0-2023-53640)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-30 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: lpass: Fix for KASAN use_after_free out of bounds
When we run syzkaller we get below Out of Bounds error.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474
By Error checking and checking valid values issue gets rectifies.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f1512d78b5de928f4616a871e77b58fd546e651",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "f5e61e3fe799ba2fda4320af23d26d28c3302045",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
},
{
"lessThan": "75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1",
"status": "affected",
"version": "c39667ddcfc516fee084e449179d54430a558298",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: lpass: Fix for KASAN use_after_free out of bounds\n\nWhen we run syzkaller we get below Out of Bounds error.\n\n\"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\nBelow is the backtrace of the issue:\n\nBUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110\nRead of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144\nCPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W\nHardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)\nCall trace:\ndump_backtrace+0x0/0x4ec\nshow_stack+0x34/0x50\ndump_stack_lvl+0xdc/0x11c\nprint_address_description+0x30/0x2d8\nkasan_report+0x178/0x1e4\n__asan_report_load4_noabort+0x44/0x50\nregcache_flat_read+0x10c/0x110\nregcache_read+0xf8/0x5a0\n_regmap_read+0x45c/0x86c\n_regmap_update_bits+0x128/0x290\nregmap_update_bits_base+0xc0/0x15c\nsnd_soc_component_update_bits+0xa8/0x22c\nsnd_soc_component_write_field+0x68/0xd4\ntx_macro_put_dec_enum+0x1d0/0x268\nsnd_ctl_elem_write+0x288/0x474\n\nBy Error checking and checking valid values issue gets rectifies."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:06.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f1512d78b5de928f4616a871e77b58fd546e651"
},
{
"url": "https://git.kernel.org/stable/c/8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5"
},
{
"url": "https://git.kernel.org/stable/c/f5e61e3fe799ba2fda4320af23d26d28c3302045"
},
{
"url": "https://git.kernel.org/stable/c/75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1"
}
],
"title": "ASoC: lpass: Fix for KASAN use_after_free out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53640",
"datePublished": "2025-10-07T15:19:40.348Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-30T19:33:06.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50546 (GCVE-0-2022-50546)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix uninititialized value in 'ext4_evict_inode'
Syzbot found the following issue:
=====================================================
BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
evict+0x365/0x9a0 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x985/0xdd0 fs/inode.c:1773
__ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361
ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844
vfs_mknod+0x79d/0x830 fs/namei.c:3914
do_mknodat+0x47d/0xaa0
__do_sys_mknodat fs/namei.c:3992 [inline]
__se_sys_mknodat fs/namei.c:3989 [inline]
__ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
__alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x1b5/0x1010 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3117 [inline]
ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321
alloc_inode+0x83/0x440 fs/inode.c:259
new_inode_pseudo fs/inode.c:1018 [inline]
new_inode+0x3b/0x430 fs/inode.c:1046
__ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959
ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992
vfs_mkdir+0x62a/0x870 fs/namei.c:4035
do_mkdirat+0x466/0x7b0 fs/namei.c:4060
__do_sys_mkdirat fs/namei.c:4075 [inline]
__se_sys_mkdirat fs/namei.c:4073 [inline]
__ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
=====================================================
Now, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If new inode failed
before set 'ei->i_flags' in '__ext4_new_inode()', then do 'iput()'. As after
6bc0d63dad7f commit will access 'ei->i_flags' in 'ext4_evict_inode()' which
will lead to access uninit-value.
To solve above issue just init 'ei->i_flags' in 'ext4_alloc_inode()'.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bb337d8dd1e1d6b7719872e45e36392f3ab14b4f Version: a5f9bd4beae8553480d02b569d4aabee1b49345d Version: 0e6fbc566fcc4c230bf80f76cf5df26b42142d8a Version: 0b885394fd009aa0b46d81b496a816ab11309f8a Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 6bc0d63dad7f9f54d381925ee855b402f652fa39 Version: 819d16f7feaca0f2ed3409be14fe953127fc51b6 Version: 458aee4a6e5be7ad862ee27dfaf07ce552d84f32 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0bffdcc7cb14598af2aa706f1e0f2a9054154ba",
"status": "affected",
"version": "bb337d8dd1e1d6b7719872e45e36392f3ab14b4f",
"versionType": "git"
},
{
"lessThan": "e431b4fb1fb8c2654b808086e9747a000adb9655",
"status": "affected",
"version": "a5f9bd4beae8553480d02b569d4aabee1b49345d",
"versionType": "git"
},
{
"lessThan": "091f85db4c3fb1734a6d7fb4777a2b2831da6631",
"status": "affected",
"version": "0e6fbc566fcc4c230bf80f76cf5df26b42142d8a",
"versionType": "git"
},
{
"lessThan": "3c31d8d3ad95aef8cc17a4fcf317e46217148439",
"status": "affected",
"version": "0b885394fd009aa0b46d81b496a816ab11309f8a",
"versionType": "git"
},
{
"lessThan": "56491d60ddca9c697d885394cb0173675b9ab81f",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"lessThan": "9f966e021c20caae639dd0e404c8761e8281a2c4",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"lessThan": "7ea71af94eaaaf6d9aed24bc94a05b977a741cb9",
"status": "affected",
"version": "6bc0d63dad7f9f54d381925ee855b402f652fa39",
"versionType": "git"
},
{
"status": "affected",
"version": "819d16f7feaca0f2ed3409be14fe953127fc51b6",
"versionType": "git"
},
{
"status": "affected",
"version": "458aee4a6e5be7ad862ee27dfaf07ce552d84f32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninititialized value in \u0027ext4_evict_inode\u0027\n\nSyzbot found the following issue:\n=====================================================\nBUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n evict+0x365/0x9a0 fs/inode.c:664\n iput_final fs/inode.c:1747 [inline]\n iput+0x985/0xdd0 fs/inode.c:1773\n __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361\n ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844\n vfs_mknod+0x79d/0x830 fs/namei.c:3914\n do_mknodat+0x47d/0xaa0\n __do_sys_mknodat fs/namei.c:3992 [inline]\n __se_sys_mknodat fs/namei.c:3989 [inline]\n __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578\n alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285\n alloc_slab_page mm/slub.c:1794 [inline]\n allocate_slab+0x1b5/0x1010 mm/slub.c:1939\n new_slab mm/slub.c:1992 [inline]\n ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180\n __slab_alloc mm/slub.c:3279 [inline]\n slab_alloc_node mm/slub.c:3364 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429\n alloc_inode_sb include/linux/fs.h:3117 [inline]\n ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321\n alloc_inode+0x83/0x440 fs/inode.c:259\n new_inode_pseudo fs/inode.c:1018 [inline]\n new_inode+0x3b/0x430 fs/inode.c:1046\n __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959\n ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992\n vfs_mkdir+0x62a/0x870 fs/namei.c:4035\n do_mkdirat+0x466/0x7b0 fs/namei.c:4060\n __do_sys_mkdirat fs/namei.c:4075 [inline]\n __se_sys_mkdirat fs/namei.c:4073 [inline]\n __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nCPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n=====================================================\n\nNow, \u0027ext4_alloc_inode()\u0027 didn\u0027t init \u0027ei-\u003ei_flags\u0027. If new inode failed\nbefore set \u0027ei-\u003ei_flags\u0027 in \u0027__ext4_new_inode()\u0027, then do \u0027iput()\u0027. As after\n6bc0d63dad7f commit will access \u0027ei-\u003ei_flags\u0027 in \u0027ext4_evict_inode()\u0027 which\nwill lead to access uninit-value.\nTo solve above issue just init \u0027ei-\u003ei_flags\u0027 in \u0027ext4_alloc_inode()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:09.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0bffdcc7cb14598af2aa706f1e0f2a9054154ba"
},
{
"url": "https://git.kernel.org/stable/c/e431b4fb1fb8c2654b808086e9747a000adb9655"
},
{
"url": "https://git.kernel.org/stable/c/091f85db4c3fb1734a6d7fb4777a2b2831da6631"
},
{
"url": "https://git.kernel.org/stable/c/3c31d8d3ad95aef8cc17a4fcf317e46217148439"
},
{
"url": "https://git.kernel.org/stable/c/56491d60ddca9c697d885394cb0173675b9ab81f"
},
{
"url": "https://git.kernel.org/stable/c/9f966e021c20caae639dd0e404c8761e8281a2c4"
},
{
"url": "https://git.kernel.org/stable/c/7ea71af94eaaaf6d9aed24bc94a05b977a741cb9"
}
],
"title": "ext4: fix uninititialized value in \u0027ext4_evict_inode\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50546",
"datePublished": "2025-10-07T15:21:09.963Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:09.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53672 (GCVE-0-2023-53672)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: output extra debug info if we failed to find an inline backref
[BUG]
Syzbot reported several warning triggered inside
lookup_inline_extent_backref().
[CAUSE]
As usual, the reproducer doesn't reliably trigger locally here, but at
least we know the WARN_ON() is triggered when an inline backref can not
be found, and it can only be triggered when @insert is true. (I.e.
inserting a new inline backref, which means the backref should already
exist)
[ENHANCEMENT]
After the WARN_ON(), dump all the parameters and the extent tree
leaf to help debug.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376b41524b71e494514720bd6114325b0a2ed19c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "400e08a16604b534fdd82c5a288fa150d04f5f79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7afbfde45d665953b4d5a42a721e15bf0315d89b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b7c3cf2f6c42e6688b1c37215a0b1663f982f915",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6994f806c6d1ae8b59344d3700358547f3b3fe1d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28062cd6eda04035d8f6ded2001292ac8b496149",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e70ba449b04b40584bdabb383d10455397cbf177",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f72f50547b7af4ddf985b07fc56600a4deba281",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: output extra debug info if we failed to find an inline backref\n\n[BUG]\nSyzbot reported several warning triggered inside\nlookup_inline_extent_backref().\n\n[CAUSE]\nAs usual, the reproducer doesn\u0027t reliably trigger locally here, but at\nleast we know the WARN_ON() is triggered when an inline backref can not\nbe found, and it can only be triggered when @insert is true. (I.e.\ninserting a new inline backref, which means the backref should already\nexist)\n\n[ENHANCEMENT]\nAfter the WARN_ON(), dump all the parameters and the extent tree\nleaf to help debug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:28.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376b41524b71e494514720bd6114325b0a2ed19c"
},
{
"url": "https://git.kernel.org/stable/c/400e08a16604b534fdd82c5a288fa150d04f5f79"
},
{
"url": "https://git.kernel.org/stable/c/7afbfde45d665953b4d5a42a721e15bf0315d89b"
},
{
"url": "https://git.kernel.org/stable/c/b7c3cf2f6c42e6688b1c37215a0b1663f982f915"
},
{
"url": "https://git.kernel.org/stable/c/6994f806c6d1ae8b59344d3700358547f3b3fe1d"
},
{
"url": "https://git.kernel.org/stable/c/28062cd6eda04035d8f6ded2001292ac8b496149"
},
{
"url": "https://git.kernel.org/stable/c/e70ba449b04b40584bdabb383d10455397cbf177"
},
{
"url": "https://git.kernel.org/stable/c/7f72f50547b7af4ddf985b07fc56600a4deba281"
}
],
"title": "btrfs: output extra debug info if we failed to find an inline backref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53672",
"datePublished": "2025-10-07T15:21:28.975Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:28.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53286 (GCVE-0-2023-53286)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Return the firmware result upon destroying QP/RQ
Previously when destroying a QP/RQ, the result of the firmware
destruction function was ignored and upper layers weren't informed
about the failure.
Which in turn could lead to various problems since when upper layer
isn't aware of the failure it continues its operation thinking that the
related QP/RQ was successfully destroyed while it actually wasn't,
which could lead to the below kernel WARN.
Currently, we return the correct firmware destruction status to upper
layers which in case of the RQ would be mlx5_ib_destroy_wq() which
was already capable of handling RQ destruction failure or in case of
a QP to destroy_qp_common(), which now would actually warn upon qp
destruction failure.
WARNING: CPU: 3 PID: 995 at drivers/infiniband/core/rdma_core.c:940 uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]
Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core overlay mlx5_core fuse
CPU: 3 PID: 995 Comm: python3 Not tainted 5.16.0-rc5+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]
Code: 41 5c 41 5d 41 5e e9 44 34 f0 e0 48 89 df e8 4c 77 ff ff 49 8b 86 10 01 00 00 48 85 c0 74 a1 4c 89 e7 ff d0 eb 9a 0f 0b eb c1 <0f> 0b be 04 00 00 00 48 89 df e8 b6 f6 ff ff e9 75 ff ff ff 90 0f
RSP: 0018:ffff8881533e3e78 EFLAGS: 00010287
RAX: ffff88811b2cf3e0 RBX: ffff888106209700 RCX: 0000000000000000
RDX: ffff888106209780 RSI: ffff8881533e3d30 RDI: ffff888109b101a0
RBP: 0000000000000001 R08: ffff888127cb381c R09: 0de9890000000009
R10: ffff888127cb3800 R11: 0000000000000000 R12: ffff888106209780
R13: ffff888106209750 R14: ffff888100f20660 R15: 0000000000000000
FS: 00007f8be353b740(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8bd5b117c0 CR3: 000000012cd8a004 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ib_uverbs_close+0x1a/0x90 [ib_uverbs]
__fput+0x82/0x230
task_work_run+0x59/0x90
exit_to_user_mode_prepare+0x138/0x140
syscall_exit_to_user_mode+0x1d/0x50
? __x64_sys_close+0xe/0x40
do_syscall_64+0x4a/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f8be3ae0abb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 83 43 f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 c1 43 f9 ff 8b 44
RSP: 002b:00007ffdb51909c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000557bb7f7c020 RCX: 00007f8be3ae0abb
RDX: 0000557bb7c74010 RSI: 0000557bb7f14ca0 RDI: 0000000000000005
RBP: 0000557bb7fbd598 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000557bb7fbd5b8
R13: 0000557bb7fbd5a8 R14: 0000000000001000 R15: 0000557bb7f7c020
</TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/qpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73311dd831858d797cf8ebe140654ed519b41c36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a650d3ccd79cdd5796edd864683a6b8dd0bf576",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5fe7815e784bf21061885f8112a7108aef5c45bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "04704c201bb08efaf96d7b1396c6864f8984e244",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "22664c06e997087fe37f9ba208008c948571214a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/qpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Return the firmware result upon destroying QP/RQ\n\nPreviously when destroying a QP/RQ, the result of the firmware\ndestruction function was ignored and upper layers weren\u0027t informed\nabout the failure.\nWhich in turn could lead to various problems since when upper layer\nisn\u0027t aware of the failure it continues its operation thinking that the\nrelated QP/RQ was successfully destroyed while it actually wasn\u0027t,\nwhich could lead to the below kernel WARN.\n\nCurrently, we return the correct firmware destruction status to upper\nlayers which in case of the RQ would be mlx5_ib_destroy_wq() which\nwas already capable of handling RQ destruction failure or in case of\na QP to destroy_qp_common(), which now would actually warn upon qp\ndestruction failure.\n\nWARNING: CPU: 3 PID: 995 at drivers/infiniband/core/rdma_core.c:940 uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]\nModules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core overlay mlx5_core fuse\nCPU: 3 PID: 995 Comm: python3 Not tainted 5.16.0-rc5+ #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]\nCode: 41 5c 41 5d 41 5e e9 44 34 f0 e0 48 89 df e8 4c 77 ff ff 49 8b 86 10 01 00 00 48 85 c0 74 a1 4c 89 e7 ff d0 eb 9a 0f 0b eb c1 \u003c0f\u003e 0b be 04 00 00 00 48 89 df e8 b6 f6 ff ff e9 75 ff ff ff 90 0f\nRSP: 0018:ffff8881533e3e78 EFLAGS: 00010287\nRAX: ffff88811b2cf3e0 RBX: ffff888106209700 RCX: 0000000000000000\nRDX: ffff888106209780 RSI: ffff8881533e3d30 RDI: ffff888109b101a0\nRBP: 0000000000000001 R08: ffff888127cb381c R09: 0de9890000000009\nR10: ffff888127cb3800 R11: 0000000000000000 R12: ffff888106209780\nR13: ffff888106209750 R14: ffff888100f20660 R15: 0000000000000000\nFS: 00007f8be353b740(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8bd5b117c0 CR3: 000000012cd8a004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ib_uverbs_close+0x1a/0x90 [ib_uverbs]\n __fput+0x82/0x230\n task_work_run+0x59/0x90\n exit_to_user_mode_prepare+0x138/0x140\n syscall_exit_to_user_mode+0x1d/0x50\n ? __x64_sys_close+0xe/0x40\n do_syscall_64+0x4a/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f8be3ae0abb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 83 43 f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 c1 43 f9 ff 8b 44\nRSP: 002b:00007ffdb51909c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000557bb7f7c020 RCX: 00007f8be3ae0abb\nRDX: 0000557bb7c74010 RSI: 0000557bb7f14ca0 RDI: 0000000000000005\nRBP: 0000557bb7fbd598 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000557bb7fbd5b8\nR13: 0000557bb7fbd5a8 R14: 0000000000001000 R15: 0000557bb7f7c020\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:19.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73311dd831858d797cf8ebe140654ed519b41c36"
},
{
"url": "https://git.kernel.org/stable/c/1a650d3ccd79cdd5796edd864683a6b8dd0bf576"
},
{
"url": "https://git.kernel.org/stable/c/5fe7815e784bf21061885f8112a7108aef5c45bd"
},
{
"url": "https://git.kernel.org/stable/c/04704c201bb08efaf96d7b1396c6864f8984e244"
},
{
"url": "https://git.kernel.org/stable/c/22664c06e997087fe37f9ba208008c948571214a"
}
],
"title": "RDMA/mlx5: Return the firmware result upon destroying QP/RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53286",
"datePublished": "2025-09-16T08:11:19.426Z",
"dateReserved": "2025-09-16T08:09:37.992Z",
"dateUpdated": "2025-09-16T08:11:19.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53420 (GCVE-0-2023-53420)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
Call Trace:
ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x293/0x2d0 fs/xattr.c:804
Fix the logic of ea_all iteration. When the ea->name_len is 0,
return immediately, or Add2Ptr() would visit invalid memory
in the next loop.
[almaz.alexandrovich@paragon-software.com: lines of the patch have changed]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3380d895e28a32632eb3609f5bd515adee4e5a1",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "c86a2517df6c9304db8fb12b77136ec7a5d85994",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "721b75ea2dfce53a8890dff92ae01afca8e74f88",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "3c675ddffb17a8b1e32efad5c983254af18b12c2",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()\n\nHere is a BUG report from syzbot:\n\nBUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\nBUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\nRead of size 1 at addr ffff888021acaf3d by task syz-executor128/3632\n\nCall Trace:\n ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\n ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\n vfs_listxattr fs/xattr.c:457 [inline]\n listxattr+0x293/0x2d0 fs/xattr.c:804\n\nFix the logic of ea_all iteration. When the ea-\u003ename_len is 0,\nreturn immediately, or Add2Ptr() would visit invalid memory\nin the next loop.\n\n[almaz.alexandrovich@paragon-software.com: lines of the patch have changed]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:03.754Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3380d895e28a32632eb3609f5bd515adee4e5a1"
},
{
"url": "https://git.kernel.org/stable/c/c86a2517df6c9304db8fb12b77136ec7a5d85994"
},
{
"url": "https://git.kernel.org/stable/c/721b75ea2dfce53a8890dff92ae01afca8e74f88"
},
{
"url": "https://git.kernel.org/stable/c/3c675ddffb17a8b1e32efad5c983254af18b12c2"
}
],
"title": "ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53420",
"datePublished": "2025-09-18T16:04:03.754Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2025-09-18T16:04:03.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53592 (GCVE-0-2023-53592)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: sifive: Fix refcount leak in sifive_gpio_probe
of_irq_find_parent() returns a node pointer with refcount incremented,
We should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-sifive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4a2ad1002006548e235255c65a4f1d07312be9d",
"status": "affected",
"version": "96868dce644d002383f6d5eb575a6ce3c8779f39",
"versionType": "git"
},
{
"lessThan": "95da1882ce9372ba20278f87cdb7a34f9812c4b5",
"status": "affected",
"version": "96868dce644d002383f6d5eb575a6ce3c8779f39",
"versionType": "git"
},
{
"lessThan": "f9fb4776ebbc16dfc512adbdc0fe218acb47c7cc",
"status": "affected",
"version": "96868dce644d002383f6d5eb575a6ce3c8779f39",
"versionType": "git"
},
{
"lessThan": "9a402a210798662b04cbe6ca466e916a15efa03a",
"status": "affected",
"version": "96868dce644d002383f6d5eb575a6ce3c8779f39",
"versionType": "git"
},
{
"lessThan": "694175cd8a1643cde3acb45c9294bca44a8e08e9",
"status": "affected",
"version": "96868dce644d002383f6d5eb575a6ce3c8779f39",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-sifive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: sifive: Fix refcount leak in sifive_gpio_probe\n\nof_irq_find_parent() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:06.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4a2ad1002006548e235255c65a4f1d07312be9d"
},
{
"url": "https://git.kernel.org/stable/c/95da1882ce9372ba20278f87cdb7a34f9812c4b5"
},
{
"url": "https://git.kernel.org/stable/c/f9fb4776ebbc16dfc512adbdc0fe218acb47c7cc"
},
{
"url": "https://git.kernel.org/stable/c/9a402a210798662b04cbe6ca466e916a15efa03a"
},
{
"url": "https://git.kernel.org/stable/c/694175cd8a1643cde3acb45c9294bca44a8e08e9"
}
],
"title": "gpio: sifive: Fix refcount leak in sifive_gpio_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53592",
"datePublished": "2025-10-04T15:44:06.162Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:06.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53357 (GCVE-0-2023-53357)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
will return -EINVAL because 'page >= bitmap->pages', but the return value
was not checked immediately in md_bitmap_get_counter() in order to set
*blocks value and slab-out-of-bounds occurs.
Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
return directly if true.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 Version: ef4256733506f2459a0c436b62267d22a3f0cec6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "374fb914304d9b500721007f3837ea8f1f9a2418",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "b0b971fe7d61411ede63c3291764dbde1577ef2c",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "39fa14e824acfd470db4f42c354297456bd82b53",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "a134dd582c0d5b6068efa308bd485cf1d00b3f65",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "be1a3ec63a840cc9e59a033acf154f56255699a1",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "152bb26796ff054af50b2ee1b3ca56e364e4f61b",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "bea301c046110bf421a3ce153fb868cb8d618e90",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
},
{
"lessThan": "301867b1c16805aebbc306aafa6ecdc68b73c7e5",
"status": "affected",
"version": "ef4256733506f2459a0c436b62267d22a3f0cec6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: check slab-out-of-bounds in md_bitmap_get_counter\n\nIf we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()\nwill return -EINVAL because \u0027page \u003e= bitmap-\u003epages\u0027, but the return value\nwas not checked immediately in md_bitmap_get_counter() in order to set\n*blocks value and slab-out-of-bounds occurs.\n\nMove check of \u0027page \u003e= bitmap-\u003epages\u0027 to md_bitmap_get_counter() and\nreturn directly if true."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:47.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/374fb914304d9b500721007f3837ea8f1f9a2418"
},
{
"url": "https://git.kernel.org/stable/c/b0b971fe7d61411ede63c3291764dbde1577ef2c"
},
{
"url": "https://git.kernel.org/stable/c/39fa14e824acfd470db4f42c354297456bd82b53"
},
{
"url": "https://git.kernel.org/stable/c/a134dd582c0d5b6068efa308bd485cf1d00b3f65"
},
{
"url": "https://git.kernel.org/stable/c/be1a3ec63a840cc9e59a033acf154f56255699a1"
},
{
"url": "https://git.kernel.org/stable/c/152bb26796ff054af50b2ee1b3ca56e364e4f61b"
},
{
"url": "https://git.kernel.org/stable/c/bea301c046110bf421a3ce153fb868cb8d618e90"
},
{
"url": "https://git.kernel.org/stable/c/301867b1c16805aebbc306aafa6ecdc68b73c7e5"
}
],
"title": "md/raid10: check slab-out-of-bounds in md_bitmap_get_counter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53357",
"datePublished": "2025-09-17T14:56:47.171Z",
"dateReserved": "2025-09-16T16:08:59.567Z",
"dateUpdated": "2025-09-17T14:56:47.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39854 (GCVE-0-2025-39854)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL access of tx->in_use in ice_ll_ts_intr
Recent versions of the E810 firmware have support for an extra interrupt to
handle report of the "low latency" Tx timestamps coming from the
specialized low latency firmware interface. Instead of polling the
registers, software can wait until the low latency interrupt is fired.
This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as
it uses the same "ready" bitmap to track which Tx timestamps complete.
Unfortunately, the ice_ll_ts_intr() function does not check if the
tracker is initialized before its first access. This results in NULL
dereference or use-after-free bugs similar to the issues fixed in the
ice_ptp_ts_irq() function.
Fix this by only checking the in_use bitmap (and other fields) if the
tracker is marked as initialized. The reset flow will clear the init field
under lock before it tears the tracker down, thus preventing any
use-after-free or NULL access.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cde98a02da958357fe240a6ba269b69d913b6ba",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
},
{
"lessThan": "923c267bdbb64f65bc1149d184efcf8b047d7d64",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
},
{
"lessThan": "f6486338fde3f04ed0ec59fe67a69a208c32734f",
"status": "affected",
"version": "82e71b226e0ef770d7bc143701c8b4960b4eb3d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL access of tx-\u003ein_use in ice_ll_ts_intr\n\nRecent versions of the E810 firmware have support for an extra interrupt to\nhandle report of the \"low latency\" Tx timestamps coming from the\nspecialized low latency firmware interface. Instead of polling the\nregisters, software can wait until the low latency interrupt is fired.\n\nThis logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as\nit uses the same \"ready\" bitmap to track which Tx timestamps complete.\n\nUnfortunately, the ice_ll_ts_intr() function does not check if the\ntracker is initialized before its first access. This results in NULL\ndereference or use-after-free bugs similar to the issues fixed in the\nice_ptp_ts_irq() function.\n\nFix this by only checking the in_use bitmap (and other fields) if the\ntracker is marked as initialized. The reset flow will clear the init field\nunder lock before it tears the tracker down, thus preventing any\nuse-after-free or NULL access."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:07.096Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cde98a02da958357fe240a6ba269b69d913b6ba"
},
{
"url": "https://git.kernel.org/stable/c/923c267bdbb64f65bc1149d184efcf8b047d7d64"
},
{
"url": "https://git.kernel.org/stable/c/f6486338fde3f04ed0ec59fe67a69a208c32734f"
}
],
"title": "ice: fix NULL access of tx-\u003ein_use in ice_ll_ts_intr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39854",
"datePublished": "2025-09-19T15:26:25.989Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-09-29T06:01:07.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53496 (GCVE-0-2023-53496)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/platform/uv: Use alternate source for socket to node data
The UV code attempts to build a set of tables to allow it to do
bidirectional socket<=>node lookups.
But when nr_cpus is set to a smaller number than actually present, the
cpu_to_node() mapping information for unused CPUs is not available to
build_socket_tables(). This results in skipping some nodes or sockets
when creating the tables and leaving some -1's for later code to trip.
over, causing oopses.
The problem is that the socket<=>node lookups are created by doing a
loop over all CPUs, then looking up the CPU's APICID and socket. But
if a CPU is not present, there is no way to start this lookup.
Instead of looping over all CPUs, take CPUs out of the equation
entirely. Loop over all APICIDs which are mapped to a valid NUMA node.
Then just extract the socket-id from the APICID.
This avoid tripping over disabled CPUs.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/x2apic_uv_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d01a0c3046d1545391ef7bb1f114743d00e3793",
"status": "affected",
"version": "8a50c58519271dd24ba760bb282875f6ad66ee71",
"versionType": "git"
},
{
"lessThan": "5290e88ba2c742ca77c5f5b690e5af549cfd8591",
"status": "affected",
"version": "8a50c58519271dd24ba760bb282875f6ad66ee71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/x2apic_uv_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/platform/uv: Use alternate source for socket to node data\n\nThe UV code attempts to build a set of tables to allow it to do\nbidirectional socket\u003c=\u003enode lookups.\n\nBut when nr_cpus is set to a smaller number than actually present, the\ncpu_to_node() mapping information for unused CPUs is not available to\nbuild_socket_tables(). This results in skipping some nodes or sockets\nwhen creating the tables and leaving some -1\u0027s for later code to trip.\nover, causing oopses.\n\nThe problem is that the socket\u003c=\u003enode lookups are created by doing a\nloop over all CPUs, then looking up the CPU\u0027s APICID and socket. But\nif a CPU is not present, there is no way to start this lookup.\n\nInstead of looping over all CPUs, take CPUs out of the equation\nentirely. Loop over all APICIDs which are mapped to a valid NUMA node.\nThen just extract the socket-id from the APICID.\n\nThis avoid tripping over disabled CPUs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:47.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d01a0c3046d1545391ef7bb1f114743d00e3793"
},
{
"url": "https://git.kernel.org/stable/c/5290e88ba2c742ca77c5f5b690e5af549cfd8591"
}
],
"title": "x86/platform/uv: Use alternate source for socket to node data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53496",
"datePublished": "2025-10-01T11:45:47.807Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:47.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53727 (GCVE-0-2023-53727)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fq_pie: avoid stalls in fq_pie_timer()
When setting a high number of flows (limit being 65536),
fq_pie_timer() is currently using too much time as syzbot reported.
Add logic to yield the cpu every 2048 flows (less than 150 usec
on debug kernels).
It should also help by not blocking qdisc fast paths for too long.
Worst case (65536 flows) would need 31 jiffies for a complete scan.
Relevant extract from syzbot report:
rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.
rcu: blocking rcu_node structures (internal RCU debug):
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236
Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 <a9> 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b
RSP: 0018:ffffc90000007bb8 EFLAGS: 00000206
RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0
RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<IRQ>
pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415
fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387
call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fq_pie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94d527c3759d76c29220758362f622954612bea7",
"status": "affected",
"version": "ec97ecf1ebe485a17cd8395a5f35e6b80b57665a",
"versionType": "git"
},
{
"lessThan": "973a4c302d7f3804098ff9824d9f56926901f293",
"status": "affected",
"version": "ec97ecf1ebe485a17cd8395a5f35e6b80b57665a",
"versionType": "git"
},
{
"lessThan": "f39b49077abec4c9c3a4c2966532004851c51006",
"status": "affected",
"version": "ec97ecf1ebe485a17cd8395a5f35e6b80b57665a",
"versionType": "git"
},
{
"lessThan": "e093000e7d13569c9cb07d7500acd5142c3c43cb",
"status": "affected",
"version": "ec97ecf1ebe485a17cd8395a5f35e6b80b57665a",
"versionType": "git"
},
{
"lessThan": "8c21ab1bae945686c602c5bfa4e3f3352c2452c5",
"status": "affected",
"version": "ec97ecf1ebe485a17cd8395a5f35e6b80b57665a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fq_pie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: avoid stalls in fq_pie_timer()\n\nWhen setting a high number of flows (limit being 65536),\nfq_pie_timer() is currently using too much time as syzbot reported.\n\nAdd logic to yield the cpu every 2048 flows (less than 150 usec\non debug kernels).\nIt should also help by not blocking qdisc fast paths for too long.\nWorst case (65536 flows) would need 31 jiffies for a complete scan.\n\nRelevant extract from syzbot report:\n\nrcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.\nrcu: blocking rcu_node structures (internal RCU debug):\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236\nCode: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 \u003ca9\u003e 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b\nRSP: 0018:ffffc90000007bb8 EFLAGS: 00000206\nRAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0\nRDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cNMI\u003e\n \u003c/NMI\u003e\n \u003cIRQ\u003e\n pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415\n fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387\n call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:56.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94d527c3759d76c29220758362f622954612bea7"
},
{
"url": "https://git.kernel.org/stable/c/973a4c302d7f3804098ff9824d9f56926901f293"
},
{
"url": "https://git.kernel.org/stable/c/f39b49077abec4c9c3a4c2966532004851c51006"
},
{
"url": "https://git.kernel.org/stable/c/e093000e7d13569c9cb07d7500acd5142c3c43cb"
},
{
"url": "https://git.kernel.org/stable/c/8c21ab1bae945686c602c5bfa4e3f3352c2452c5"
}
],
"title": "net/sched: fq_pie: avoid stalls in fq_pie_timer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53727",
"datePublished": "2025-10-22T13:23:56.528Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:56.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53352 (GCVE-0-2023-53352)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: check null pointer before accessing when swapping
Add a check to avoid null pointer dereference as below:
[ 90.002283] general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 90.002292] KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
[ 90.002346] ? exc_general_protection+0x159/0x240
[ 90.002352] ? asm_exc_general_protection+0x26/0x30
[ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]
[ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]
[ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm]
[ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]
[ 90.002391] ? lock_acquire+0x44d/0x4f0
[ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm]
[ 90.002412] ? lock_acquired+0x355/0xa00
[ 90.002416] ? do_raw_spin_trylock+0xb6/0x190
[ 90.002421] ? __pfx_lock_acquired+0x10/0x10
[ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm]
[ 90.002442] ttm_device_swapout+0x198/0x260 [ttm]
[ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]
[ 90.002472] ttm_global_swapout+0x75/0x210 [ttm]
[ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm]
[ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm]
[ 90.002517] ttm_bo_validate+0x275/0x430 [ttm]
[ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]
[ 90.002544] ? kasan_save_stack+0x33/0x60
[ 90.002550] ? kasan_set_track+0x25/0x30
[ 90.002554] ? __kasan_kmalloc+0x8f/0xa0
[ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]
[ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm]
[ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]
[ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0
[ 90.003210] ? do_syscall_64+0x60/0x90
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d39971d902d067b4dc366981b75b17c8c57ed5d1",
"status": "affected",
"version": "8996b13051f0c211aaaf243dfd270003f1b67431",
"versionType": "git"
},
{
"lessThan": "8089eb93d6787dbf348863e935698b4610d90321",
"status": "affected",
"version": "da60170558b956c1b45dee1c4423da2425037426",
"versionType": "git"
},
{
"lessThan": "1fdd16d89c01336d9a942b5f03673c17d401da87",
"status": "affected",
"version": "17e188e0feb008bab5f4b083083dff7cdc633ca1",
"versionType": "git"
},
{
"lessThan": "49b3b979e79faef129605018ad82aa0f2258f2f7",
"status": "affected",
"version": "c24d051e6b48015e32f1361cdf67e1784dd14a9f",
"versionType": "git"
},
{
"lessThan": "2dedcf414bb01b8d966eb445db1d181d92304fb2",
"status": "affected",
"version": "a2848d08742c8e8494675892c02c0d22acbe3cf8",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.126",
"status": "affected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThan": "6.1.45",
"status": "affected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThan": "6.4.10",
"status": "affected",
"version": "6.4.8",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.1.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: check null pointer before accessing when swapping\n\nAdd a check to avoid null pointer dereference as below:\n\n[ 90.002283] general protection fault, probably for non-canonical\naddress 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[ 90.002292] KASAN: null-ptr-deref in range\n[0x0000000000000000-0x0000000000000007]\n[ 90.002346] ? exc_general_protection+0x159/0x240\n[ 90.002352] ? asm_exc_general_protection+0x26/0x30\n[ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]\n[ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]\n[ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm]\n[ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]\n[ 90.002391] ? lock_acquire+0x44d/0x4f0\n[ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm]\n[ 90.002412] ? lock_acquired+0x355/0xa00\n[ 90.002416] ? do_raw_spin_trylock+0xb6/0x190\n[ 90.002421] ? __pfx_lock_acquired+0x10/0x10\n[ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm]\n[ 90.002442] ttm_device_swapout+0x198/0x260 [ttm]\n[ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]\n[ 90.002472] ttm_global_swapout+0x75/0x210 [ttm]\n[ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm]\n[ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm]\n[ 90.002517] ttm_bo_validate+0x275/0x430 [ttm]\n[ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]\n[ 90.002544] ? kasan_save_stack+0x33/0x60\n[ 90.002550] ? kasan_set_track+0x25/0x30\n[ 90.002554] ? __kasan_kmalloc+0x8f/0xa0\n[ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]\n[ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm]\n[ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]\n[ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0\n[ 90.003210] ? do_syscall_64+0x60/0x90"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:42.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d39971d902d067b4dc366981b75b17c8c57ed5d1"
},
{
"url": "https://git.kernel.org/stable/c/8089eb93d6787dbf348863e935698b4610d90321"
},
{
"url": "https://git.kernel.org/stable/c/1fdd16d89c01336d9a942b5f03673c17d401da87"
},
{
"url": "https://git.kernel.org/stable/c/49b3b979e79faef129605018ad82aa0f2258f2f7"
},
{
"url": "https://git.kernel.org/stable/c/2dedcf414bb01b8d966eb445db1d181d92304fb2"
}
],
"title": "drm/ttm: check null pointer before accessing when swapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53352",
"datePublished": "2025-09-17T14:56:42.698Z",
"dateReserved": "2025-09-16T16:08:59.567Z",
"dateUpdated": "2025-09-17T14:56:42.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53214 (GCVE-0-2024-53214)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-11-03 20:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Properly hide first-in-list PCIe extended capability
There are cases where a PCIe extended capability should be hidden from
the user. For example, an unknown capability (i.e., capability with ID
greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally
chosen to be hidden from the user.
Hiding a capability is done by virtualizing and modifying the 'Next
Capability Offset' field of the previous capability so it points to the
capability after the one that should be hidden.
The special case where the first capability in the list should be hidden
is handled differently because there is no previous capability that can
be modified. In this case, the capability ID and version are zeroed
while leaving the next pointer intact. This hides the capability and
leaves an anchor for the rest of the capability list.
However, today, hiding the first capability in the list is not done
properly if the capability is unknown, as struct
vfio_pci_core_device->pci_config_map is set to the capability ID during
initialization but the capability ID is not properly checked later when
used in vfio_config_do_rw(). This leads to the following warning [1] and
to an out-of-bounds access to ecap_perms array.
Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater
than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct
read only access instead of the ecap_perms array.
Note that this is safe since the above is the only case where cap_id can
exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which
are already checked before).
[1]
WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1
(snip)
Call Trace:
<TASK>
? show_regs+0x69/0x80
? __warn+0x8d/0x140
? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
? report_bug+0x18f/0x1a0
? handle_bug+0x63/0xa0
? exc_invalid_op+0x19/0x70
? asm_exc_invalid_op+0x1b/0x20
? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]
vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]
vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]
vfio_device_fops_read+0x27/0x40 [vfio]
vfs_read+0xbd/0x340
? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]
? __rseq_handle_notify_resume+0xa4/0x4b0
__x64_sys_pread64+0x96/0xc0
x64_sys_call+0x1c3d/0x20d0
do_syscall_64+0x4d/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:03:33.423876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:19.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:47:42.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/vfio_pci_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4464e5aa3aa4574063640f1082f7d7e323af8eb4",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "7d121f66b67921fb3b95e0ea9856bfba53733e91",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "0918f5643fc6c3f7801f4a22397d2cc09ba99207",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "9567bd34aa3b986736c290c5bcba47e0182ac47a",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "6c6502d944168cbd7e03a4a08ad6488f78d73485",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "06f2fcf49854ad05a09d09e0dbee6544fff04695",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "949bee8065a85a5c6607c624dc05b5bc17119699",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "1ef195178fb552478eb2587df4ad3be14ef76507",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
},
{
"lessThan": "fe4bf8d0b6716a423b16495d55b35d3fe515905d",
"status": "affected",
"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/vfio_pci_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended capability\n\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\n\nHiding a capability is done by virtualizing and modifying the \u0027Next\nCapability Offset\u0027 field of the previous capability so it points to the\ncapability after the one that should be hidden.\n\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\n\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device-\u003epci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\n\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\n\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n\n[1]\n\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n \u003cTASK\u003e\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x140\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? report_bug+0x18f/0x1a0\n ? handle_bug+0x63/0xa0\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\n vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\n vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\n vfio_device_fops_read+0x27/0x40 [vfio]\n vfs_read+0xbd/0x340\n ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n ? __rseq_handle_notify_resume+0xa4/0x4b0\n __x64_sys_pread64+0x96/0xc0\n x64_sys_call+0x1c3d/0x20d0\n do_syscall_64+0x4d/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:56:06.212Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4"
},
{
"url": "https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91"
},
{
"url": "https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207"
},
{
"url": "https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a"
},
{
"url": "https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485"
},
{
"url": "https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695"
},
{
"url": "https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc17119699"
},
{
"url": "https://git.kernel.org/stable/c/1ef195178fb552478eb2587df4ad3be14ef76507"
},
{
"url": "https://git.kernel.org/stable/c/fe4bf8d0b6716a423b16495d55b35d3fe515905d"
}
],
"title": "vfio/pci: Properly hide first-in-list PCIe extended capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53214",
"datePublished": "2024-12-27T13:49:59.555Z",
"dateReserved": "2024-11-19T17:17:25.023Z",
"dateUpdated": "2025-11-03T20:47:42.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38736 (GCVE-0-2025-38736)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
Syzbot reported shift-out-of-bounds exception on MDIO bus initialization.
The PHY address should be masked to 5 bits (0-31). Without this
mask, invalid PHY addresses could be used, potentially causing issues
with MDIO bus operations.
Fix this by masking the PHY address with 0x1f (31 decimal) to ensure
it stays within the valid range.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 75947d3200de98a9ded9ad8972e02f1a177097fe Version: 59ed6fbdb1bc03316e09493ffde7066f031c7524 Version: ccef5ee4adf56472aa26bdd1f821a6d0cd06089a Version: ee2cd40b0bb46056949a2319084a729d95389386 Version: ad1f8313aeec0115f9978bd2d002ef4a8d96c773 Version: 4faff70959d51078f9ee8372f8cff0d7045e4114 Version: a754ab53993b1585132e871c5d811167ad3c52ff |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:06.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcb4ce9f729c1d08e53abf9d449340e24c3edee6",
"status": "affected",
"version": "75947d3200de98a9ded9ad8972e02f1a177097fe",
"versionType": "git"
},
{
"lessThan": "8f141f2a4f2ef8ca865d5921574c3d6535e00a49",
"status": "affected",
"version": "59ed6fbdb1bc03316e09493ffde7066f031c7524",
"versionType": "git"
},
{
"lessThan": "748da80831221ae24b4bc8d7ffb22acd5712a341",
"status": "affected",
"version": "ccef5ee4adf56472aa26bdd1f821a6d0cd06089a",
"versionType": "git"
},
{
"lessThan": "22042ffedd8c2c6db08ccdd6d4273068eddd3c5c",
"status": "affected",
"version": "ee2cd40b0bb46056949a2319084a729d95389386",
"versionType": "git"
},
{
"lessThan": "523eab02fce458fa6d3c51de5bb055800986953e",
"status": "affected",
"version": "ad1f8313aeec0115f9978bd2d002ef4a8d96c773",
"versionType": "git"
},
{
"lessThan": "24ef2f53c07f273bad99173e27ee88d44d135b1c",
"status": "affected",
"version": "4faff70959d51078f9ee8372f8cff0d7045e4114",
"versionType": "git"
},
{
"status": "affected",
"version": "a754ab53993b1585132e871c5d811167ad3c52ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.44",
"status": "affected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThan": "6.16.4",
"status": "affected",
"version": "6.16.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: Fix PHY address mask in MDIO bus initialization\n\nSyzbot reported shift-out-of-bounds exception on MDIO bus initialization.\n\nThe PHY address should be masked to 5 bits (0-31). Without this\nmask, invalid PHY addresses could be used, potentially causing issues\nwith MDIO bus operations.\n\nFix this by masking the PHY address with 0x1f (31 decimal) to ensure\nit stays within the valid range."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:05.681Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6"
},
{
"url": "https://git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49"
},
{
"url": "https://git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341"
},
{
"url": "https://git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5c"
},
{
"url": "https://git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953e"
},
{
"url": "https://git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1c"
}
],
"title": "net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38736",
"datePublished": "2025-09-05T17:20:36.546Z",
"dateReserved": "2025-04-16T04:51:24.034Z",
"dateUpdated": "2025-11-03T17:42:06.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49179 (GCVE-0-2022-49179)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: don't move oom_bfqq
Our test report a UAF:
[ 2073.019181] ==================================================================
[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584
[ 2073.019192]
[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5
[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 2073.019200] Call trace:
[ 2073.019203] dump_backtrace+0x0/0x310
[ 2073.019206] show_stack+0x28/0x38
[ 2073.019210] dump_stack+0xec/0x15c
[ 2073.019216] print_address_description+0x68/0x2d0
[ 2073.019220] kasan_report+0x238/0x2f0
[ 2073.019224] __asan_store8+0x88/0xb0
[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019233] bfq_put_async_queues+0xbc/0x208
[ 2073.019236] bfq_pd_offline+0x178/0x238
[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019244] bfq_exit_queue+0x128/0x178
[ 2073.019249] blk_mq_exit_sched+0x12c/0x160
[ 2073.019252] elevator_exit+0xc8/0xd0
[ 2073.019256] blk_exit_queue+0x50/0x88
[ 2073.019259] blk_cleanup_queue+0x228/0x3d8
[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019274] null_exit+0x90/0x114 [null_blk]
[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019282] el0_svc_common+0xc8/0x320
[ 2073.019287] el0_svc_handler+0xf8/0x160
[ 2073.019290] el0_svc+0x10/0x218
[ 2073.019291]
[ 2073.019294] Allocated by task 14163:
[ 2073.019301] kasan_kmalloc+0xe0/0x190
[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418
[ 2073.019308] bfq_pd_alloc+0x54/0x118
[ 2073.019313] blkcg_activate_policy+0x250/0x460
[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110
[ 2073.019321] bfq_init_queue+0x6d0/0x948
[ 2073.019325] blk_mq_init_sched+0x1d8/0x390
[ 2073.019330] elevator_switch_mq+0x88/0x170
[ 2073.019334] elevator_switch+0x140/0x270
[ 2073.019338] elv_iosched_store+0x1a4/0x2a0
[ 2073.019342] queue_attr_store+0x90/0xe0
[ 2073.019348] sysfs_kf_write+0xa8/0xe8
[ 2073.019351] kernfs_fop_write+0x1f8/0x378
[ 2073.019359] __vfs_write+0xe0/0x360
[ 2073.019363] vfs_write+0xf0/0x270
[ 2073.019367] ksys_write+0xdc/0x1b8
[ 2073.019371] __arm64_sys_write+0x50/0x60
[ 2073.019375] el0_svc_common+0xc8/0x320
[ 2073.019380] el0_svc_handler+0xf8/0x160
[ 2073.019383] el0_svc+0x10/0x218
[ 2073.019385]
[ 2073.019387] Freed by task 72584:
[ 2073.019391] __kasan_slab_free+0x120/0x228
[ 2073.019394] kasan_slab_free+0x10/0x18
[ 2073.019397] kfree+0x94/0x368
[ 2073.019400] bfqg_put+0x64/0xb0
[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0
[ 2073.019408] bfq_put_queue+0x220/0x228
[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168
[ 2073.019416] bfq_put_async_queues+0xbc/0x208
[ 2073.019420] bfq_pd_offline+0x178/0x238
[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019429] bfq_exit_queue+0x128/0x178
[ 2073.019433] blk_mq_exit_sched+0x12c/0x160
[ 2073.019437] elevator_exit+0xc8/0xd0
[ 2073.019440] blk_exit_queue+0x50/0x88
[ 2073.019443] blk_cleanup_queue+0x228/0x3d8
[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019459] null_exit+0x90/0x114 [null_blk]
[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019467] el0_svc_common+0xc8/0x320
[ 2073.019471] el0_svc_handler+0xf8/0x160
[ 2073.019474] el0_svc+0x10/0x218
[ 2073.019475]
[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00
which belongs to the cache kmalloc-1024 of size 1024
[ 2073.019484] The buggy address is located 552 bytes inside of
1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)
[ 2073.019486] The buggy address belongs to the page:
[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0
[ 2073.020123] flags: 0x7ffff0000008100(slab|head)
[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00
[ 2073.020409] ra
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:03.662860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4f5a678add58a8a0e7ee5e038496b376ea6d205",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "7507ead1e9d42957c2340f2c4a0e9d00034e3366",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "8f34dea99cd7761156a146a5258a67d045d862f7",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "87fdfe8589d43e471dffb4c60f75eeb6f37afc4c",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "c01fced8d38fbccc82787065229578006f28e020",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "8410f70977734f21b8ed45c37e925d311dfda2e7",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: don\u0027t move oom_bfqq\n\nOur test report a UAF:\n\n[ 2073.019181] ==================================================================\n[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584\n[ 2073.019192]\n[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5\n[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 2073.019200] Call trace:\n[ 2073.019203] dump_backtrace+0x0/0x310\n[ 2073.019206] show_stack+0x28/0x38\n[ 2073.019210] dump_stack+0xec/0x15c\n[ 2073.019216] print_address_description+0x68/0x2d0\n[ 2073.019220] kasan_report+0x238/0x2f0\n[ 2073.019224] __asan_store8+0x88/0xb0\n[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019233] bfq_put_async_queues+0xbc/0x208\n[ 2073.019236] bfq_pd_offline+0x178/0x238\n[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019244] bfq_exit_queue+0x128/0x178\n[ 2073.019249] blk_mq_exit_sched+0x12c/0x160\n[ 2073.019252] elevator_exit+0xc8/0xd0\n[ 2073.019256] blk_exit_queue+0x50/0x88\n[ 2073.019259] blk_cleanup_queue+0x228/0x3d8\n[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019274] null_exit+0x90/0x114 [null_blk]\n[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019282] el0_svc_common+0xc8/0x320\n[ 2073.019287] el0_svc_handler+0xf8/0x160\n[ 2073.019290] el0_svc+0x10/0x218\n[ 2073.019291]\n[ 2073.019294] Allocated by task 14163:\n[ 2073.019301] kasan_kmalloc+0xe0/0x190\n[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418\n[ 2073.019308] bfq_pd_alloc+0x54/0x118\n[ 2073.019313] blkcg_activate_policy+0x250/0x460\n[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110\n[ 2073.019321] bfq_init_queue+0x6d0/0x948\n[ 2073.019325] blk_mq_init_sched+0x1d8/0x390\n[ 2073.019330] elevator_switch_mq+0x88/0x170\n[ 2073.019334] elevator_switch+0x140/0x270\n[ 2073.019338] elv_iosched_store+0x1a4/0x2a0\n[ 2073.019342] queue_attr_store+0x90/0xe0\n[ 2073.019348] sysfs_kf_write+0xa8/0xe8\n[ 2073.019351] kernfs_fop_write+0x1f8/0x378\n[ 2073.019359] __vfs_write+0xe0/0x360\n[ 2073.019363] vfs_write+0xf0/0x270\n[ 2073.019367] ksys_write+0xdc/0x1b8\n[ 2073.019371] __arm64_sys_write+0x50/0x60\n[ 2073.019375] el0_svc_common+0xc8/0x320\n[ 2073.019380] el0_svc_handler+0xf8/0x160\n[ 2073.019383] el0_svc+0x10/0x218\n[ 2073.019385]\n[ 2073.019387] Freed by task 72584:\n[ 2073.019391] __kasan_slab_free+0x120/0x228\n[ 2073.019394] kasan_slab_free+0x10/0x18\n[ 2073.019397] kfree+0x94/0x368\n[ 2073.019400] bfqg_put+0x64/0xb0\n[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0\n[ 2073.019408] bfq_put_queue+0x220/0x228\n[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168\n[ 2073.019416] bfq_put_async_queues+0xbc/0x208\n[ 2073.019420] bfq_pd_offline+0x178/0x238\n[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019429] bfq_exit_queue+0x128/0x178\n[ 2073.019433] blk_mq_exit_sched+0x12c/0x160\n[ 2073.019437] elevator_exit+0xc8/0xd0\n[ 2073.019440] blk_exit_queue+0x50/0x88\n[ 2073.019443] blk_cleanup_queue+0x228/0x3d8\n[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019459] null_exit+0x90/0x114 [null_blk]\n[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019467] el0_svc_common+0xc8/0x320\n[ 2073.019471] el0_svc_handler+0xf8/0x160\n[ 2073.019474] el0_svc+0x10/0x218\n[ 2073.019475]\n[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00\n which belongs to the cache kmalloc-1024 of size 1024\n[ 2073.019484] The buggy address is located 552 bytes inside of\n 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)\n[ 2073.019486] The buggy address belongs to the page:\n[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0\n[ 2073.020123] flags: 0x7ffff0000008100(slab|head)\n[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00\n[ 2073.020409] ra\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:42.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4f5a678add58a8a0e7ee5e038496b376ea6d205"
},
{
"url": "https://git.kernel.org/stable/c/7507ead1e9d42957c2340f2c4a0e9d00034e3366"
},
{
"url": "https://git.kernel.org/stable/c/8f34dea99cd7761156a146a5258a67d045d862f7"
},
{
"url": "https://git.kernel.org/stable/c/87fdfe8589d43e471dffb4c60f75eeb6f37afc4c"
},
{
"url": "https://git.kernel.org/stable/c/c01fced8d38fbccc82787065229578006f28e020"
},
{
"url": "https://git.kernel.org/stable/c/8410f70977734f21b8ed45c37e925d311dfda2e7"
}
],
"title": "block, bfq: don\u0027t move oom_bfqq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49179",
"datePublished": "2025-02-26T01:55:32.100Z",
"dateReserved": "2025-02-26T01:49:39.281Z",
"dateUpdated": "2025-05-04T08:31:42.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39995 (GCVE-0-2025-39995)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
The state->timer is a cyclic timer that schedules work_i2c_poll and
delayed_work_enable_hotplug, while rearming itself. Using timer_delete()
fails to guarantee the timer isn't still running when destroyed, similarly
cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has
terminated if already executing. During probe failure after timer
initialization, these may continue running as orphans and reference the
already-freed tc358743_state object through tc358743_irq_poll_timer.
The following is the trace captured by KASAN.
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __pfx_sched_balance_find_src_group+0x10/0x10
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? rcu_sched_clock_irq+0xb06/0x27d0
? __pfx___run_timer_base.part.0+0x10/0x10
? try_to_wake_up+0xb15/0x1960
? tmigr_update_events+0x280/0x740
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
tmigr_handle_remote_up+0x603/0x7e0
? __pfx_tmigr_handle_remote_up+0x10/0x10
? sched_balance_trigger+0x98/0x9f0
? sched_tick+0x221/0x5a0
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
? tick_nohz_handler+0x339/0x440
? __pfx_tmigr_handle_remote_up+0x10/0x10
__walk_groups.isra.0+0x42/0x150
tmigr_handle_remote+0x1f4/0x2e0
? __pfx_tmigr_handle_remote+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
? hrtimer_interrupt+0x322/0x780
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_node_track_caller_noprof+0x198/0x430
devm_kmalloc+0x7b/0x1e0
tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
release_nodes+0xa4/0x100
devres_release_group+0x1b2/0x380
i2c_device_probe+0x694/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()
with cancel_delayed_work_sync() to ensure proper termination of timer and
work items before resource cleanup.
This bug was initially identified through static analysis. For reproduction
and testing, I created a functional emulation of the tc358743 device via a
kernel module and introduced faults through the debugfs interface.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9205fb6e617a1c596d9a9ad2a160ee696e09d520",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "70913586c717dd25cfbade7a418e92cc9c99398a",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "663faf1179db9663a3793c75e9bc869358bad910",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "3d17701c156579969470e58b3a906511f8bc018d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "228d06c4cbfc750f1216a3fd91b4693b0766d2f6",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f92181c0e13cad9671d07b15be695a97fc2534a3",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "2610617effb4454d2f1c434c011ccb5cc7140711",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "79d10f4f21a92e459b2276a77be62c59c1502c9d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe\n\nThe state-\u003etimer is a cyclic timer that schedules work_i2c_poll and\ndelayed_work_enable_hotplug, while rearming itself. Using timer_delete()\nfails to guarantee the timer isn\u0027t still running when destroyed, similarly\ncancel_delayed_work() cannot ensure delayed_work_enable_hotplug has\nterminated if already executing. During probe failure after timer\ninitialization, these may continue running as orphans and reference the\nalready-freed tc358743_state object through tc358743_irq_poll_timer.\n\nThe following is the trace captured by KASAN.\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800ded83c8 by task swapper/1/0\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __pfx_sched_balance_find_src_group+0x10/0x10\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? tmigr_update_events+0x280/0x740\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x98/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_node_track_caller_noprof+0x198/0x430\n devm_kmalloc+0x7b/0x1e0\n tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n release_nodes+0xa4/0x100\n devres_release_group+0x1b2/0x380\n i2c_device_probe+0x694/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace timer_delete() with timer_delete_sync() and cancel_delayed_work()\nwith cancel_delayed_work_sync() to ensure proper termination of timer and\nwork items before resource cleanup.\n\nThis bug was initially identified through static analysis. For reproduction\nand testing, I created a functional emulation of the tc358743 device via a\nkernel module and introduced faults through the debugfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:12.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9205fb6e617a1c596d9a9ad2a160ee696e09d520"
},
{
"url": "https://git.kernel.org/stable/c/70913586c717dd25cfbade7a418e92cc9c99398a"
},
{
"url": "https://git.kernel.org/stable/c/663faf1179db9663a3793c75e9bc869358bad910"
},
{
"url": "https://git.kernel.org/stable/c/3d17701c156579969470e58b3a906511f8bc018d"
},
{
"url": "https://git.kernel.org/stable/c/228d06c4cbfc750f1216a3fd91b4693b0766d2f6"
},
{
"url": "https://git.kernel.org/stable/c/f92181c0e13cad9671d07b15be695a97fc2534a3"
},
{
"url": "https://git.kernel.org/stable/c/f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b"
},
{
"url": "https://git.kernel.org/stable/c/2610617effb4454d2f1c434c011ccb5cc7140711"
},
{
"url": "https://git.kernel.org/stable/c/79d10f4f21a92e459b2276a77be62c59c1502c9d"
}
],
"title": "media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39995",
"datePublished": "2025-10-15T07:58:20.365Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-29T13:19:12.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50386 (GCVE-0-2022-50386)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix user-after-free
This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:
Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11e40d6c0823f699d8ad501e48d1c3ae4be386cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "843fc4e386dd84b806a7f07fb062d8c3a44e5364",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d91fc2836562f299f34e361e089e9fe154da4f73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d6f9cb24d2b2f6b6370eac074e2e6b1bafdad45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c108cf3ad386e0084277093b55a351c49e0be27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1e894f950ad48897d1a7cb05909ea29d8c3810e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ffde6e03085874ae22263ff4cef4869f797e84f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "15fc21695eb606bdc5d483b92118ee42610a952d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:07.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11e40d6c0823f699d8ad501e48d1c3ae4be386cd"
},
{
"url": "https://git.kernel.org/stable/c/843fc4e386dd84b806a7f07fb062d8c3a44e5364"
},
{
"url": "https://git.kernel.org/stable/c/d91fc2836562f299f34e361e089e9fe154da4f73"
},
{
"url": "https://git.kernel.org/stable/c/7d6f9cb24d2b2f6b6370eac074e2e6b1bafdad45"
},
{
"url": "https://git.kernel.org/stable/c/0c108cf3ad386e0084277093b55a351c49e0be27"
},
{
"url": "https://git.kernel.org/stable/c/d1e894f950ad48897d1a7cb05909ea29d8c3810e"
},
{
"url": "https://git.kernel.org/stable/c/6ffde6e03085874ae22263ff4cef4869f797e84f"
},
{
"url": "https://git.kernel.org/stable/c/15fc21695eb606bdc5d483b92118ee42610a952d"
},
{
"url": "https://git.kernel.org/stable/c/35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f"
}
],
"title": "Bluetooth: L2CAP: Fix user-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50386",
"datePublished": "2025-09-18T13:33:07.191Z",
"dateReserved": "2025-09-17T14:53:06.997Z",
"dateUpdated": "2025-09-18T13:33:07.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53401 (GCVE-0-2023-53401)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
KCSAN found an issue in obj_stock_flush_required():
stock->cached_objcg can be reset between the check and dereference:
==================================================================
BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock
write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:
drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306
refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340
obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408
memcg_slab_free_hook mm/slab.h:587 [inline]
__cache_free mm/slab.c:3373 [inline]
__do_kmem_cache_free mm/slab.c:3577 [inline]
kmem_cache_free+0x105/0x280 mm/slab.c:3602
__d_free fs/dcache.c:298 [inline]
dentry_free fs/dcache.c:375 [inline]
__dentry_kill+0x422/0x4a0 fs/dcache.c:621
dentry_kill+0x8d/0x1e0
dput+0x118/0x1f0 fs/dcache.c:913
__fput+0x3bf/0x570 fs/file_table.c:329
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x123/0x160 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171
exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:
obj_stock_flush_required mm/memcontrol.c:3319 [inline]
drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361
try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703
try_charge mm/memcontrol.c:2837 [inline]
mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290
sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025
sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525
udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668
__sys_setsockopt+0x1c3/0x230 net/socket.c:2271
__do_sys_setsockopt net/socket.c:2282 [inline]
__se_sys_setsockopt net/socket.c:2279 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2279
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0xffff8881382d52c0 -> 0xffff888138893740
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to
stock->cached_objcg.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33d9490b27e5d8da4444aefd714a4f50189db978",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
},
{
"lessThan": "33391c7e1a2ad612bf3922cc168cb09a46bbe236",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
},
{
"lessThan": "3b8abb3239530c423c0b97e42af7f7e856e1ee96",
"status": "affected",
"version": "bf4f059954dcb221384b2f784677e19a13cd4bdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\n\nKCSAN found an issue in obj_stock_flush_required():\nstock-\u003ecached_objcg can be reset between the check and dereference:\n\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\n\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\n drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\n refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\n obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\n memcg_slab_free_hook mm/slab.h:587 [inline]\n __cache_free mm/slab.c:3373 [inline]\n __do_kmem_cache_free mm/slab.c:3577 [inline]\n kmem_cache_free+0x105/0x280 mm/slab.c:3602\n __d_free fs/dcache.c:298 [inline]\n dentry_free fs/dcache.c:375 [inline]\n __dentry_kill+0x422/0x4a0 fs/dcache.c:621\n dentry_kill+0x8d/0x1e0\n dput+0x118/0x1f0 fs/dcache.c:913\n __fput+0x3bf/0x570 fs/file_table.c:329\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x123/0x160 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\n do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\n obj_stock_flush_required mm/memcontrol.c:3319 [inline]\n drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\n try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\n try_charge mm/memcontrol.c:2837 [inline]\n mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\n sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\n sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\n udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\n udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\n sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n __sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n __do_sys_setsockopt net/socket.c:2282 [inline]\n __se_sys_setsockopt net/socket.c:2279 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff8881382d52c0 -\u003e 0xffff888138893740\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\n\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock-\u003ecached_objcg."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:41.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33d9490b27e5d8da4444aefd714a4f50189db978"
},
{
"url": "https://git.kernel.org/stable/c/33391c7e1a2ad612bf3922cc168cb09a46bbe236"
},
{
"url": "https://git.kernel.org/stable/c/3b8abb3239530c423c0b97e42af7f7e856e1ee96"
}
],
"title": "mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53401",
"datePublished": "2025-09-18T13:33:41.076Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2025-09-18T13:33:41.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38724 (GCVE-0-2025-38724)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f Version: d20c11d86d8f821a64eac7d6c8f296f06d935f4f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:53.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f252a73e81aa01660cb426735eab932e6182e8d",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d35ac850410966010e92f401f4e21868a9ea4d8b",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "f3aac6cf390d8b80e1d82975faf4ac61175519c0",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "22f45cedf281e6171817c8a3432c44d788c550e1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "d71abd1ae4e0413707cd42b10c24a11d1aa71772",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "74ad36ed60df561a303a19ecef400c7096b20306",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "36e83eda90e0e4ac52f259f775b40b2841f8a0a3",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
},
{
"lessThan": "908e4ead7f757504d8b345452730636e298cbf68",
"status": "affected",
"version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:49.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d"
},
{
"url": "https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b"
},
{
"url": "https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0"
},
{
"url": "https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1"
},
{
"url": "https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772"
},
{
"url": "https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306"
},
{
"url": "https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3"
},
{
"url": "https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1"
},
{
"url": "https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68"
}
],
"title": "nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38724",
"datePublished": "2025-09-04T15:33:22.370Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:53.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53568 (GCVE-0-2023-53568)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/zcrypt: don't leak memory if dev_set_name() fails
When dev_set_name() fails, zcdn_create() doesn't free the newly
allocated resources. Do it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d Version: 00fab2350e6b91e57b3cdcd5d9f01056775a921d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/crypto/zcrypt_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b0cb9c055843777b374309503d89eabeb769355",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
},
{
"lessThan": "0878052579cb2773caee64812a811edcab6b5a55",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
},
{
"lessThan": "131cd74a8e38d75239f2c81dfee53d6554eb8bf8",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
},
{
"lessThan": "147d8da33a2c2195ec63acd56cd7d80a3458c253",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
},
{
"lessThan": "174f11ef1615ec3ab1e2189685864433c0d855a2",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
},
{
"lessThan": "6252f47b78031979ad919f971dc8468b893488bd",
"status": "affected",
"version": "00fab2350e6b91e57b3cdcd5d9f01056775a921d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/crypto/zcrypt_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: don\u0027t leak memory if dev_set_name() fails\n\nWhen dev_set_name() fails, zcdn_create() doesn\u0027t free the newly\nallocated resources. Do it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:10.044Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b0cb9c055843777b374309503d89eabeb769355"
},
{
"url": "https://git.kernel.org/stable/c/0878052579cb2773caee64812a811edcab6b5a55"
},
{
"url": "https://git.kernel.org/stable/c/131cd74a8e38d75239f2c81dfee53d6554eb8bf8"
},
{
"url": "https://git.kernel.org/stable/c/147d8da33a2c2195ec63acd56cd7d80a3458c253"
},
{
"url": "https://git.kernel.org/stable/c/174f11ef1615ec3ab1e2189685864433c0d855a2"
},
{
"url": "https://git.kernel.org/stable/c/6252f47b78031979ad919f971dc8468b893488bd"
}
],
"title": "s390/zcrypt: don\u0027t leak memory if dev_set_name() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53568",
"datePublished": "2025-10-04T15:17:10.044Z",
"dateReserved": "2025-10-04T15:14:15.924Z",
"dateUpdated": "2025-10-04T15:17:10.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53526 (GCVE-0-2023-53526)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: check 'jh->b_transaction' before removing it from checkpoint
Following process will corrupt ext4 image:
Step 1:
jbd2_journal_commit_transaction
__jbd2_journal_insert_checkpoint(jh, commit_transaction)
// Put jh into trans1->t_checkpoint_list
journal->j_checkpoint_transactions = commit_transaction
// Put trans1 into journal->j_checkpoint_transactions
Step 2:
do_get_write_access
test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd dirty
__jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2
Step 3:
drop_cache
journal_shrink_one_cp_list
jbd2_journal_try_remove_checkpoint
if (!trylock_buffer(bh)) // lock bh, true
if (buffer_dirty(bh)) // buffer is not dirty
__jbd2_journal_remove_checkpoint(jh)
// remove jh from trans1->t_checkpoint_list
Step 4:
jbd2_log_do_checkpoint
trans1 = journal->j_checkpoint_transactions
// jh is not in trans1->t_checkpoint_list
jbd2_cleanup_journal_tail(journal) // trans1 is done
Step 5: Power cut, trans2 is not committed, jh is lost in next mounting.
Fix it by checking 'jh->b_transaction' before remove it from checkpoint.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/checkpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef5fea70e5915afd64182d155e72bfb4f275e1fc",
"status": "affected",
"version": "b832174b7f89df3ebab02f5b485d00127a0e1a6e",
"versionType": "git"
},
{
"lessThan": "dbafe636db415299e54d9dfefc1003bda9e71c9d",
"status": "affected",
"version": "e5c768d809a85e9efd0274b2efe69d4970cc0014",
"versionType": "git"
},
{
"lessThan": "2298f2589903a8bc03061b54b31fd97985ab6529",
"status": "affected",
"version": "46f881b5b1758dc4a35fba4a643c10717d0cf427",
"versionType": "git"
},
{
"lessThan": "590a809ff743e7bd890ba5fb36bc38e20a36de53",
"status": "affected",
"version": "46f881b5b1758dc4a35fba4a643c10717d0cf427",
"versionType": "git"
},
{
"status": "affected",
"version": "019b59aeb2af6b47d5c8e69c5dc1d731c8df0354",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/checkpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "6.1.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: check \u0027jh-\u003eb_transaction\u0027 before removing it from checkpoint\n\nFollowing process will corrupt ext4 image:\nStep 1:\njbd2_journal_commit_transaction\n __jbd2_journal_insert_checkpoint(jh, commit_transaction)\n // Put jh into trans1-\u003et_checkpoint_list\n journal-\u003ej_checkpoint_transactions = commit_transaction\n // Put trans1 into journal-\u003ej_checkpoint_transactions\n\nStep 2:\ndo_get_write_access\n test_clear_buffer_dirty(bh) // clear buffer dirty\uff0cset jbd dirty\n __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2\n\nStep 3:\ndrop_cache\n journal_shrink_one_cp_list\n jbd2_journal_try_remove_checkpoint\n if (!trylock_buffer(bh)) // lock bh, true\n if (buffer_dirty(bh)) // buffer is not dirty\n __jbd2_journal_remove_checkpoint(jh)\n // remove jh from trans1-\u003et_checkpoint_list\n\nStep 4:\njbd2_log_do_checkpoint\n trans1 = journal-\u003ej_checkpoint_transactions\n // jh is not in trans1-\u003et_checkpoint_list\n jbd2_cleanup_journal_tail(journal) // trans1 is done\n\nStep 5: Power cut, trans2 is not committed, jh is lost in next mounting.\n\nFix it by checking \u0027jh-\u003eb_transaction\u0027 before remove it from checkpoint."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:11.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef5fea70e5915afd64182d155e72bfb4f275e1fc"
},
{
"url": "https://git.kernel.org/stable/c/dbafe636db415299e54d9dfefc1003bda9e71c9d"
},
{
"url": "https://git.kernel.org/stable/c/2298f2589903a8bc03061b54b31fd97985ab6529"
},
{
"url": "https://git.kernel.org/stable/c/590a809ff743e7bd890ba5fb36bc38e20a36de53"
}
],
"title": "jbd2: check \u0027jh-\u003eb_transaction\u0027 before removing it from checkpoint",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53526",
"datePublished": "2025-10-01T11:46:11.862Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:11.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40051 (GCVE-0-2025-40051)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Modify the return value check
The return value of copy_from_iter and copy_to_iter can't be negative,
check whether the copied lengths are equal.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db042925a5ab7a550b710addeadbf6f72e3a8a4b",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "78dc7362662fedaa1928fb8e4f27401c8322905d",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "baa37b1c7e29546f79c39bef0d18c4edc9f39bb1",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "cfa0654402c06d086201a9ff167eb95da5844fc3",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "82a8d0fda55b35361ee7f35b54fa2b66d7847d2b",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Modify the return value check\n\nThe return value of copy_from_iter and copy_to_iter can\u0027t be negative,\ncheck whether the copied lengths are equal."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:27.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db042925a5ab7a550b710addeadbf6f72e3a8a4b"
},
{
"url": "https://git.kernel.org/stable/c/78dc7362662fedaa1928fb8e4f27401c8322905d"
},
{
"url": "https://git.kernel.org/stable/c/baa37b1c7e29546f79c39bef0d18c4edc9f39bb1"
},
{
"url": "https://git.kernel.org/stable/c/cfa0654402c06d086201a9ff167eb95da5844fc3"
},
{
"url": "https://git.kernel.org/stable/c/82a8d0fda55b35361ee7f35b54fa2b66d7847d2b"
}
],
"title": "vhost: vringh: Modify the return value check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40051",
"datePublished": "2025-10-28T11:48:27.279Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-10-28T11:48:27.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50543 (GCVE-0-2022-50543)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]
This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
memory leak in error path code") and then we fixed it in commit
8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
fix was reverted together at last by commit 1e75550648da (Revert
"RDMA/rxe: Create duplicate mapping tables for FMRs")
Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
successfully allocated.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ce577f09013206e36e674cd27da3707b2278268",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "06f73568f553b5be6ba7f6fe274d333ea29fc46d",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"lessThan": "7d984dac8f6bf4ebd3398af82b357e1d181ecaac",
"status": "affected",
"version": "1e75550648da1fa1cd1969e7597355de8fe8caf6",
"versionType": "git"
},
{
"status": "affected",
"version": "e004a35e8148ad9fc438b0479884641acf382896",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr-\u003emap double free\n\nrxe_mr_cleanup() which tries to free mr-\u003emap again will be called when\nrxe_mr_init_user() fails:\n\n CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x5d\n panic+0x19e/0x349\n end_report.part.0+0x54/0x7c\n kasan_report.cold+0xa/0xf\n rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr-\u003emap once it is\nsuccessfully allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:07.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268"
},
{
"url": "https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d"
},
{
"url": "https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac"
}
],
"title": "RDMA/rxe: Fix mr-\u003emap double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50543",
"datePublished": "2025-10-07T15:21:07.939Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:07.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53305 (GCVE-0-2023-53305)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free
Fix potential use-after-free in l2cap_le_command_rej.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e76bab1b7afa580cd76362540fc37551ada4359b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a40c56e8bff3e424724d78a9a6b3272dd8a371d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe49aa73cca6608714477b74bfc6874b9db979df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "548a6b64b3c0688f01119a6fcccceb41f8c984e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "149daab45922ab1ac7f0cbeacab7251a46bf5e63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "255be68150291440657b2cdb09420b69441af3d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f752a0b334bb95fe9b42ecb511e0864e2768046f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:44.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e76bab1b7afa580cd76362540fc37551ada4359b"
},
{
"url": "https://git.kernel.org/stable/c/1a40c56e8bff3e424724d78a9a6b3272dd8a371d"
},
{
"url": "https://git.kernel.org/stable/c/fe49aa73cca6608714477b74bfc6874b9db979df"
},
{
"url": "https://git.kernel.org/stable/c/2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e"
},
{
"url": "https://git.kernel.org/stable/c/548a6b64b3c0688f01119a6fcccceb41f8c984e4"
},
{
"url": "https://git.kernel.org/stable/c/149daab45922ab1ac7f0cbeacab7251a46bf5e63"
},
{
"url": "https://git.kernel.org/stable/c/255be68150291440657b2cdb09420b69441af3d8"
},
{
"url": "https://git.kernel.org/stable/c/f752a0b334bb95fe9b42ecb511e0864e2768046f"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53305",
"datePublished": "2025-09-16T16:11:44.845Z",
"dateReserved": "2025-09-16T08:09:37.994Z",
"dateUpdated": "2025-09-16T16:11:44.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50568 (GCVE-0-2022-50568)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix f_hidg lifetime vs cdev
The embedded struct cdev does not have its lifetime correctly tied to
the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
is held open while the gadget is deleted.
This can readily be replicated with libusbgx's example programs (for
conciseness - operating directly via configfs is equivalent):
gadget-hid
exec 3<> /dev/hidg0
gadget-vid-pid-remove
exec 3<&-
Pull the existing device up in to struct f_hidg and make use of the
cdev_device_{add,del}() helpers. This changes the lifetime of the
device object to match struct f_hidg, but note that it is still added
and deleted at the same time.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 Version: 71adf118946957839a13aa4d1094183e05c6c094 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cd7f156f6389918f760687fbbf133c86da93162",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "c78c87c4e389b62f8892af7f59857447aa6d9797",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "1b6a53e447ec3d81623610c8c7ec5082b47dfdce",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "d3136b79705c2e3bba9c76adc5628af0215d798e",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "9e4b85d815b14bd4db2deea2a54264a23de8b896",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "9e08b7f5fa00e9d550851352bd0d1ba74ccffef2",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
},
{
"lessThan": "89ff3dfac604614287ad5aad9370c3f984ea3f4b",
"status": "affected",
"version": "71adf118946957839a13aa4d1094183e05c6c094",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix f_hidg lifetime vs cdev\n\nThe embedded struct cdev does not have its lifetime correctly tied to\nthe enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN\nis held open while the gadget is deleted.\n\nThis can readily be replicated with libusbgx\u0027s example programs (for\nconciseness - operating directly via configfs is equivalent):\n\n\tgadget-hid\n\texec 3\u003c\u003e /dev/hidg0\n\tgadget-vid-pid-remove\n\texec 3\u003c\u0026-\n\nPull the existing device up in to struct f_hidg and make use of the\ncdev_device_{add,del}() helpers. This changes the lifetime of the\ndevice object to match struct f_hidg, but note that it is still added\nand deleted at the same time."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:25.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cd7f156f6389918f760687fbbf133c86da93162"
},
{
"url": "https://git.kernel.org/stable/c/c78c87c4e389b62f8892af7f59857447aa6d9797"
},
{
"url": "https://git.kernel.org/stable/c/1b6a53e447ec3d81623610c8c7ec5082b47dfdce"
},
{
"url": "https://git.kernel.org/stable/c/d3136b79705c2e3bba9c76adc5628af0215d798e"
},
{
"url": "https://git.kernel.org/stable/c/9e4b85d815b14bd4db2deea2a54264a23de8b896"
},
{
"url": "https://git.kernel.org/stable/c/9e08b7f5fa00e9d550851352bd0d1ba74ccffef2"
},
{
"url": "https://git.kernel.org/stable/c/89ff3dfac604614287ad5aad9370c3f984ea3f4b"
}
],
"title": "usb: gadget: f_hid: fix f_hidg lifetime vs cdev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50568",
"datePublished": "2025-10-22T13:23:25.136Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2025-10-22T13:23:25.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49465 (GCVE-0-2022-49465)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: Set BIO_THROTTLED when bio has been throttled
1.In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().
2.If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires.But in
the current process, if bio is throttled. The BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free blow.
BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
dump_stack+0x9b/0xce
print_address_description.constprop.6+0x3e/0x60
kasan_report.cold.9+0x22/0x3a
blk_throtl_bio+0x12f0/0x2c70
submit_bio_checks+0x701/0x1550
submit_bio_noacct+0x83/0xc80
submit_bio+0xa7/0x330
mpage_readahead+0x380/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 26380:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.2+0xc1/0xd0
kmem_cache_alloc+0x146/0x440
mempool_alloc+0x125/0x2f0
bio_alloc_bioset+0x353/0x590
mpage_alloc+0x3b/0x240
do_mpage_readpage+0xddf/0x1ef0
mpage_readahead+0x264/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
kasan_save_stack+0x19/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x1b/0x30
__kasan_slab_free+0x111/0x160
kmem_cache_free+0x94/0x460
mempool_free+0xd6/0x320
bio_free+0xe0/0x130
bio_put+0xab/0xe0
bio_endio+0x3a6/0x5d0
blk_update_request+0x590/0x1370
scsi_end_request+0x7d/0x400
scsi_io_completion+0x1aa/0xe50
scsi_softirq_done+0x11b/0x240
blk_mq_complete_request+0xd4/0x120
scsi_mq_done+0xf0/0x200
virtscsi_vq_done+0xbc/0x150
vring_interrupt+0x179/0x390
__handle_irq_event_percpu+0xf7/0x490
handle_irq_event_percpu+0x7b/0x160
handle_irq_event+0xcc/0x170
handle_edge_irq+0x215/0xb20
common_interrupt+0x60/0x120
asm_common_interrupt+0x1e/0x40
Fix this by move BIO_THROTTLED set into the queue_lock.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:02.824581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cfc8a0fb07cde61915e4a77c4794c47de3114a4",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "935fa666534d7b7185e8c6b0191cd06281be4290",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "5a011f889b4832aa80c2a872a5aade5c48d2756f",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: Set BIO_THROTTLED when bio has been throttled\n\n1.In current process, all bio will set the BIO_THROTTLED flag\nafter __blk_throtl_bio().\n\n2.If bio needs to be throttled, it will start the timer and\nstop submit bio directly. Bio will submit in\nblk_throtl_dispatch_work_fn() when the timer expires.But in\nthe current process, if bio is throttled. The BIO_THROTTLED\nwill be set to bio after timer start. If the bio has been\ncompleted, it may cause use-after-free blow.\n\nBUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70\nRead of size 2 at addr ffff88801b8902d4 by task fio/26380\n\n dump_stack+0x9b/0xce\n print_address_description.constprop.6+0x3e/0x60\n kasan_report.cold.9+0x22/0x3a\n blk_throtl_bio+0x12f0/0x2c70\n submit_bio_checks+0x701/0x1550\n submit_bio_noacct+0x83/0xc80\n submit_bio+0xa7/0x330\n mpage_readahead+0x380/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAllocated by task 26380:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc.constprop.2+0xc1/0xd0\n kmem_cache_alloc+0x146/0x440\n mempool_alloc+0x125/0x2f0\n bio_alloc_bioset+0x353/0x590\n mpage_alloc+0x3b/0x240\n do_mpage_readpage+0xddf/0x1ef0\n mpage_readahead+0x264/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 0:\n kasan_save_stack+0x19/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x1b/0x30\n __kasan_slab_free+0x111/0x160\n kmem_cache_free+0x94/0x460\n mempool_free+0xd6/0x320\n bio_free+0xe0/0x130\n bio_put+0xab/0xe0\n bio_endio+0x3a6/0x5d0\n blk_update_request+0x590/0x1370\n scsi_end_request+0x7d/0x400\n scsi_io_completion+0x1aa/0xe50\n scsi_softirq_done+0x11b/0x240\n blk_mq_complete_request+0xd4/0x120\n scsi_mq_done+0xf0/0x200\n virtscsi_vq_done+0xbc/0x150\n vring_interrupt+0x179/0x390\n __handle_irq_event_percpu+0xf7/0x490\n handle_irq_event_percpu+0x7b/0x160\n handle_irq_event+0xcc/0x170\n handle_edge_irq+0x215/0xb20\n common_interrupt+0x60/0x120\n asm_common_interrupt+0x1e/0x40\n\nFix this by move BIO_THROTTLED set into the queue_lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:07.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4"
},
{
"url": "https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290"
},
{
"url": "https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f"
}
],
"title": "blk-throttle: Set BIO_THROTTLED when bio has been throttled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49465",
"datePublished": "2025-02-26T02:13:10.975Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2025-05-21T08:44:07.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53151 (GCVE-0-2023-53151)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-15 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: prevent soft lockup while flush writes
Currently, there is no limit for raid1/raid10 plugged bio. While flushing
writes, raid1 has cond_resched() while raid10 doesn't, and too many
writes can cause soft lockup.
Follow up soft lockup can be triggered easily with writeback test for
raid10 with ramdisks:
watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293]
Call Trace:
<TASK>
call_rcu+0x16/0x20
put_object+0x41/0x80
__delete_object+0x50/0x90
delete_object_full+0x2b/0x40
kmemleak_free+0x46/0xa0
slab_free_freelist_hook.constprop.0+0xed/0x1a0
kmem_cache_free+0xfd/0x300
mempool_free_slab+0x1f/0x30
mempool_free+0x3a/0x100
bio_free+0x59/0x80
bio_put+0xcf/0x2c0
free_r10bio+0xbf/0xf0
raid_end_bio_io+0x78/0xb0
one_write_done+0x8a/0xa0
raid10_end_write_request+0x1b4/0x430
bio_endio+0x175/0x320
brd_submit_bio+0x3b9/0x9b7 [brd]
__submit_bio+0x69/0xe0
submit_bio_noacct_nocheck+0x1e6/0x5a0
submit_bio_noacct+0x38c/0x7e0
flush_pending_writes+0xf0/0x240
raid10d+0xac/0x1ed0
Fix the problem by adding cond_resched() to raid10 like what raid1 did.
Note that unlimited plugged bio still need to be optimized, for example,
in the case of lots of dirty pages writeback, this will take lots of
memory and io will spend a long time in plug, hence io latency is bad.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f45b2fa7678ab385299de345f7e85d05caea386b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00ecb6fa67c0f772290c5ea5ae8b46eefd503b83",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d0345f7c7dbc5d42e4e6f1db99c1c1879d7b0eb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "634daf6b2c81015cc5e28bf694a6a94a50c641cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84a578961b2566e475bfa8740beaf0abcc781a6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d467e10507167eb6dc2c281a87675b731955d86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fbf50184190d55f8717bd29aa9530c399be96f30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "010444623e7f4da6b4a4dd603a7da7469981e293",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: prevent soft lockup while flush writes\n\nCurrently, there is no limit for raid1/raid10 plugged bio. While flushing\nwrites, raid1 has cond_resched() while raid10 doesn\u0027t, and too many\nwrites can cause soft lockup.\n\nFollow up soft lockup can be triggered easily with writeback test for\nraid10 with ramdisks:\n\nwatchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293]\nCall Trace:\n \u003cTASK\u003e\n call_rcu+0x16/0x20\n put_object+0x41/0x80\n __delete_object+0x50/0x90\n delete_object_full+0x2b/0x40\n kmemleak_free+0x46/0xa0\n slab_free_freelist_hook.constprop.0+0xed/0x1a0\n kmem_cache_free+0xfd/0x300\n mempool_free_slab+0x1f/0x30\n mempool_free+0x3a/0x100\n bio_free+0x59/0x80\n bio_put+0xcf/0x2c0\n free_r10bio+0xbf/0xf0\n raid_end_bio_io+0x78/0xb0\n one_write_done+0x8a/0xa0\n raid10_end_write_request+0x1b4/0x430\n bio_endio+0x175/0x320\n brd_submit_bio+0x3b9/0x9b7 [brd]\n __submit_bio+0x69/0xe0\n submit_bio_noacct_nocheck+0x1e6/0x5a0\n submit_bio_noacct+0x38c/0x7e0\n flush_pending_writes+0xf0/0x240\n raid10d+0xac/0x1ed0\n\nFix the problem by adding cond_resched() to raid10 like what raid1 did.\n\nNote that unlimited plugged bio still need to be optimized, for example,\nin the case of lots of dirty pages writeback, this will take lots of\nmemory and io will spend a long time in plug, hence io latency is bad."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:19.155Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f45b2fa7678ab385299de345f7e85d05caea386b"
},
{
"url": "https://git.kernel.org/stable/c/00ecb6fa67c0f772290c5ea5ae8b46eefd503b83"
},
{
"url": "https://git.kernel.org/stable/c/d0345f7c7dbc5d42e4e6f1db99c1c1879d7b0eb5"
},
{
"url": "https://git.kernel.org/stable/c/634daf6b2c81015cc5e28bf694a6a94a50c641cd"
},
{
"url": "https://git.kernel.org/stable/c/84a578961b2566e475bfa8740beaf0abcc781a6f"
},
{
"url": "https://git.kernel.org/stable/c/1d467e10507167eb6dc2c281a87675b731955d86"
},
{
"url": "https://git.kernel.org/stable/c/fbf50184190d55f8717bd29aa9530c399be96f30"
},
{
"url": "https://git.kernel.org/stable/c/010444623e7f4da6b4a4dd603a7da7469981e293"
}
],
"title": "md/raid10: prevent soft lockup while flush writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53151",
"datePublished": "2025-09-15T14:03:19.155Z",
"dateReserved": "2025-05-02T15:51:43.565Z",
"dateUpdated": "2025-09-15T14:03:19.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50553 (GCVE-0-2022-50553)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
When generate a synthetic event with many params and then create a trace
action for it [1], kernel panic happened [2].
It is because that in trace_action_create() 'data->n_params' is up to
SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'
keeps indices into array 'hist_data->var_refs' for each synthetic event
param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX
(current value is 16), so out-of-bound write happened when 'data->n_params'
more than 16. In this case, 'data->match_data.event' is overwritten and
eventually cause the panic.
To solve the issue, adjust the length of 'data->var_ref_idx' to be
SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.
[1]
# cd /sys/kernel/tracing/
# echo "my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\
int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\
int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\
int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\
int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\
int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\
int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\
int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\
int v63" >> synthetic_events
# echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="bash"' >> \
events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid)" >> events/sched/sched_switch/trigger
[2]
BUG: unable to handle page fault for address: ffff91c900000000
PGD 61001067 P4D 61001067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Call Trace:
<TASK>
__find_event_file+0x55/0x90
action_create+0x76c/0x1060
event_hist_trigger_parse+0x146d/0x2060
? event_trigger_write+0x31/0xd0
trigger_process_regex+0xbb/0x110
event_trigger_write+0x6b/0xd0
vfs_write+0xc8/0x3e0
? alloc_fd+0xc0/0x160
? preempt_count_add+0x4d/0xa0
? preempt_count_add+0x70/0xa0
ksys_write+0x5f/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d1d0cf077
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e
fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74
RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077
RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001
RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142
R
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 38b67e60b6b582e81f9db1b2e7176cbbfbd3e574 Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: d380dcde9a07ca5de4805dee11f58a98ec0ad6ff Version: c78a2baf5e1fe1b38121d6b54bab77ccb81a1a86 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf79d5410a569dad1d4112b5c3c02383cca8213a",
"status": "affected",
"version": "38b67e60b6b582e81f9db1b2e7176cbbfbd3e574",
"versionType": "git"
},
{
"lessThan": "0cb31bd88361edb96cfc622648717ba348f0f4dc",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "15697f653399253f9be4ed2a1e03d795f3cfee94",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "b4efdc219fb8cfa066c7042e636ab8ad6d7e7494",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "04241956ce8825ff06e06e4083e7b692e9d5f712",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"lessThan": "82470f7d9044842618c847a7166de2b7458157a7",
"status": "affected",
"version": "d380dcde9a07ca5de4805dee11f58a98ec0ad6ff",
"versionType": "git"
},
{
"status": "affected",
"version": "c78a2baf5e1fe1b38121d6b54bab77ccb81a1a86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/hist: Fix out-of-bound write on \u0027action_data.var_ref_idx\u0027\n\nWhen generate a synthetic event with many params and then create a trace\naction for it [1], kernel panic happened [2].\n\nIt is because that in trace_action_create() \u0027data-\u003en_params\u0027 is up to\nSYNTH_FIELDS_MAX (current value is 64), and array \u0027data-\u003evar_ref_idx\u0027\nkeeps indices into array \u0027hist_data-\u003evar_refs\u0027 for each synthetic event\nparam, but the length of \u0027data-\u003evar_ref_idx\u0027 is TRACING_MAP_VARS_MAX\n(current value is 16), so out-of-bound write happened when \u0027data-\u003en_params\u0027\nmore than 16. In this case, \u0027data-\u003ematch_data.event\u0027 is overwritten and\neventually cause the panic.\n\nTo solve the issue, adjust the length of \u0027data-\u003evar_ref_idx\u0027 to be\nSYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.\n\n[1]\n # cd /sys/kernel/tracing/\n # echo \"my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\\\nint v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\\\nint v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\\\nint v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\\\nint v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\\\nint v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\\\nint v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\\\nint v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\\\nint v63\" \u003e\u003e synthetic_events\n # echo \u0027hist:keys=pid:ts0=common_timestamp.usecs if comm==\"bash\"\u0027 \u003e\u003e \\\nevents/sched/sched_waking/trigger\n # echo \"hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid)\" \u003e\u003e events/sched/sched_switch/trigger\n\n[2]\nBUG: unable to handle page fault for address: ffff91c900000000\nPGD 61001067 P4D 61001067 PUD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:strcmp+0xc/0x30\nCode: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee\nc3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 \u003c0f\u003e b6 14\n07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3\nRSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000\nRBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000\nR10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580\nR13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538\nFS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0\nCall Trace:\n \u003cTASK\u003e\n __find_event_file+0x55/0x90\n action_create+0x76c/0x1060\n event_hist_trigger_parse+0x146d/0x2060\n ? event_trigger_write+0x31/0xd0\n trigger_process_regex+0xbb/0x110\n event_trigger_write+0x6b/0xd0\n vfs_write+0xc8/0x3e0\n ? alloc_fd+0xc0/0x160\n ? preempt_count_add+0x4d/0xa0\n ? preempt_count_add+0x70/0xa0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1d1d0cf077\nCode: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e\nfa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74\nRSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077\nRDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001\nRBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142\nR\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:14.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf79d5410a569dad1d4112b5c3c02383cca8213a"
},
{
"url": "https://git.kernel.org/stable/c/0cb31bd88361edb96cfc622648717ba348f0f4dc"
},
{
"url": "https://git.kernel.org/stable/c/15697f653399253f9be4ed2a1e03d795f3cfee94"
},
{
"url": "https://git.kernel.org/stable/c/b4efdc219fb8cfa066c7042e636ab8ad6d7e7494"
},
{
"url": "https://git.kernel.org/stable/c/04241956ce8825ff06e06e4083e7b692e9d5f712"
},
{
"url": "https://git.kernel.org/stable/c/82470f7d9044842618c847a7166de2b7458157a7"
}
],
"title": "tracing/hist: Fix out-of-bound write on \u0027action_data.var_ref_idx\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50553",
"datePublished": "2025-10-07T15:21:14.729Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:14.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50528 (GCVE-0-2022-50528)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix memory leakage
This patch fixes potential memory leakage and seg fault
in _gpuvm_import_dmabuf() function
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8876793e56ec69b3be2a883b4bc440df3dbb1865",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "7356d8e367d0e025a568e369c4cf575722cac60f",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "c65564790048fa416ccd26a8945c7ec0cf9ef0b7",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
},
{
"lessThan": "75818afff631e1ea785a82c3e8bb82eb0dee539c",
"status": "affected",
"version": "d4ec4bdc0bd5ad352854473ba4dcbdb39fd5bfdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leakage\n\nThis patch fixes potential memory leakage and seg fault\nin _gpuvm_import_dmabuf() function"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:19.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8876793e56ec69b3be2a883b4bc440df3dbb1865"
},
{
"url": "https://git.kernel.org/stable/c/7356d8e367d0e025a568e369c4cf575722cac60f"
},
{
"url": "https://git.kernel.org/stable/c/c65564790048fa416ccd26a8945c7ec0cf9ef0b7"
},
{
"url": "https://git.kernel.org/stable/c/75818afff631e1ea785a82c3e8bb82eb0dee539c"
}
],
"title": "drm/amdkfd: Fix memory leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50528",
"datePublished": "2025-10-07T15:19:19.909Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:19.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53192 (GCVE-0-2023-53192)
Vulnerability from cvelistv5
Published
2025-09-15 14:06
Modified
2025-09-15 14:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix nexthop hash size
The nexthop code expects a 31 bit hash, such as what is returned by
fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash
returned by skb_get_hash() can lead to problems related to the fact that
'int hash' is a negative number when the MSB is set.
In the case of hash threshold nexthop groups, nexthop_select_path_hthr()
will disproportionately select the first nexthop group entry. In the case
of resilient nexthop groups, nexthop_select_path_res() may do an out of
bounds access in nh_buckets[], for example:
hash = -912054133
num_nh_buckets = 2
bucket_index = 65535
which leads to the following panic:
BUG: unable to handle page fault for address: ffffc900025910c8
PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:nexthop_select_path+0x197/0xbf0
Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x1ee/0x5c0
? __pfx_is_prefetch.constprop.0+0x10/0x10
? __pfx_page_fault_oops+0x10/0x10
? search_bpf_extables+0xfe/0x1c0
? fixup_exception+0x3b/0x470
? exc_page_fault+0xf6/0x110
? asm_exc_page_fault+0x26/0x30
? nexthop_select_path+0x197/0xbf0
? nexthop_select_path+0x197/0xbf0
? lock_is_held_type+0xe7/0x140
vxlan_xmit+0x5b2/0x2340
? __lock_acquire+0x92b/0x3370
? __pfx_vxlan_xmit+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? __pfx_register_lock_class+0x10/0x10
? skb_network_protocol+0xce/0x2d0
? dev_hard_start_xmit+0xca/0x350
? __pfx_vxlan_xmit+0x10/0x10
dev_hard_start_xmit+0xca/0x350
__dev_queue_xmit+0x513/0x1e20
? __pfx___dev_queue_xmit+0x10/0x10
? __pfx_lock_release+0x10/0x10
? mark_held_locks+0x44/0x90
? skb_push+0x4c/0x80
? eth_header+0x81/0xe0
? __pfx_eth_header+0x10/0x10
? neigh_resolve_output+0x215/0x310
? ip6_finish_output2+0x2ba/0xc90
ip6_finish_output2+0x2ba/0xc90
? lock_release+0x236/0x3e0
? ip6_mtu+0xbb/0x240
? __pfx_ip6_finish_output2+0x10/0x10
? find_held_lock+0x83/0xa0
? lock_is_held_type+0xe7/0x140
ip6_finish_output+0x1ee/0x780
ip6_output+0x138/0x460
? __pfx_ip6_output+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? __pfx_ip6_finish_output+0x10/0x10
NF_HOOK.constprop.0+0xc0/0x420
? __pfx_NF_HOOK.constprop.0+0x10/0x10
? ndisc_send_skb+0x2c0/0x960
? __pfx_lock_release+0x10/0x10
? __local_bh_enable_ip+0x93/0x110
? lock_is_held_type+0xe7/0x140
ndisc_send_skb+0x4be/0x960
? __pfx_ndisc_send_skb+0x10/0x10
? mark_held_locks+0x65/0x90
? find_held_lock+0x83/0xa0
ndisc_send_ns+0xb0/0x110
? __pfx_ndisc_send_ns+0x10/0x10
addrconf_dad_work+0x631/0x8e0
? lock_acquire+0x180/0x3f0
? __pfx_addrconf_dad_work+0x10/0x10
? mark_held_locks+0x24/0x90
process_one_work+0x582/0x9c0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x24/0x90
worker_thread+0x93/0x630
? __kthread_parkme+0xdc/0x100
? __pfx_worker_thread+0x10/0x10
kthread+0x1a5/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/vxlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c650597647ecb318d02372277bdfd866c6829f78",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "32ef2c0c6cf11a076f0280a7866b9abc47821e19",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "7b8717658dff8b471cbfc124bf9b5ca4229579ed",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "23c195ce6f4aec86e1c9e1ea1c800381c4b465c7",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "0756384fb1bd38adb2ebcfd1307422f433a1d772",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/vxlan.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix nexthop hash size\n\nThe nexthop code expects a 31 bit hash, such as what is returned by\nfib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash\nreturned by skb_get_hash() can lead to problems related to the fact that\n\u0027int hash\u0027 is a negative number when the MSB is set.\n\nIn the case of hash threshold nexthop groups, nexthop_select_path_hthr()\nwill disproportionately select the first nexthop group entry. In the case\nof resilient nexthop groups, nexthop_select_path_res() may do an out of\nbounds access in nh_buckets[], for example:\n hash = -912054133\n num_nh_buckets = 2\n bucket_index = 65535\n\nwhich leads to the following panic:\n\nBUG: unable to handle page fault for address: ffffc900025910c8\nPGD 100000067 P4D 100000067 PUD 10026b067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:nexthop_select_path+0x197/0xbf0\nCode: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff \u003c4d\u003e 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85\nRSP: 0018:ffff88810c36f260 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8\nRBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219\nR10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0\nR13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900\nFS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x1ee/0x5c0\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? search_bpf_extables+0xfe/0x1c0\n ? fixup_exception+0x3b/0x470\n ? exc_page_fault+0xf6/0x110\n ? asm_exc_page_fault+0x26/0x30\n ? nexthop_select_path+0x197/0xbf0\n ? nexthop_select_path+0x197/0xbf0\n ? lock_is_held_type+0xe7/0x140\n vxlan_xmit+0x5b2/0x2340\n ? __lock_acquire+0x92b/0x3370\n ? __pfx_vxlan_xmit+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_register_lock_class+0x10/0x10\n ? skb_network_protocol+0xce/0x2d0\n ? dev_hard_start_xmit+0xca/0x350\n ? __pfx_vxlan_xmit+0x10/0x10\n dev_hard_start_xmit+0xca/0x350\n __dev_queue_xmit+0x513/0x1e20\n ? __pfx___dev_queue_xmit+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? mark_held_locks+0x44/0x90\n ? skb_push+0x4c/0x80\n ? eth_header+0x81/0xe0\n ? __pfx_eth_header+0x10/0x10\n ? neigh_resolve_output+0x215/0x310\n ? ip6_finish_output2+0x2ba/0xc90\n ip6_finish_output2+0x2ba/0xc90\n ? lock_release+0x236/0x3e0\n ? ip6_mtu+0xbb/0x240\n ? __pfx_ip6_finish_output2+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? lock_is_held_type+0xe7/0x140\n ip6_finish_output+0x1ee/0x780\n ip6_output+0x138/0x460\n ? __pfx_ip6_output+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_ip6_finish_output+0x10/0x10\n NF_HOOK.constprop.0+0xc0/0x420\n ? __pfx_NF_HOOK.constprop.0+0x10/0x10\n ? ndisc_send_skb+0x2c0/0x960\n ? __pfx_lock_release+0x10/0x10\n ? __local_bh_enable_ip+0x93/0x110\n ? lock_is_held_type+0xe7/0x140\n ndisc_send_skb+0x4be/0x960\n ? __pfx_ndisc_send_skb+0x10/0x10\n ? mark_held_locks+0x65/0x90\n ? find_held_lock+0x83/0xa0\n ndisc_send_ns+0xb0/0x110\n ? __pfx_ndisc_send_ns+0x10/0x10\n addrconf_dad_work+0x631/0x8e0\n ? lock_acquire+0x180/0x3f0\n ? __pfx_addrconf_dad_work+0x10/0x10\n ? mark_held_locks+0x24/0x90\n process_one_work+0x582/0x9c0\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? mark_held_locks+0x24/0x90\n worker_thread+0x93/0x630\n ? __kthread_parkme+0xdc/0x100\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x1a5/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:06:37.241Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c650597647ecb318d02372277bdfd866c6829f78"
},
{
"url": "https://git.kernel.org/stable/c/32ef2c0c6cf11a076f0280a7866b9abc47821e19"
},
{
"url": "https://git.kernel.org/stable/c/7b8717658dff8b471cbfc124bf9b5ca4229579ed"
},
{
"url": "https://git.kernel.org/stable/c/23c195ce6f4aec86e1c9e1ea1c800381c4b465c7"
},
{
"url": "https://git.kernel.org/stable/c/0756384fb1bd38adb2ebcfd1307422f433a1d772"
}
],
"title": "vxlan: Fix nexthop hash size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53192",
"datePublished": "2025-09-15T14:06:37.241Z",
"dateReserved": "2025-09-15T13:59:19.066Z",
"dateUpdated": "2025-09-15T14:06:37.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40012 (GCVE-0-2025-40012)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix warning in smc_rx_splice() when calling get_page()
smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are
later passed to get_page() in smc_rx_splice(). Since kmalloc memory is
not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents
holding a refcount on the buffer. This can lead to use-after-free if
the memory is released before splice_to_pipe() completes.
Use folio_alloc() instead, ensuring DMBs are page-backed and safe for
get_page().
WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE
Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)
Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005
0000000000000001 001cee80007d3006 0007740000001000 001c000000000000
000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000
000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8
Krnl Code: 0007931610326960: af000000 mc 0,0
0007931610326964: a7f4ff43 brc 15,00079316103267ea
#0007931610326968: af000000 mc 0,0
>000793161032696c: a7f4ff3f brc 15,00079316103267ea
0007931610326970: e320f1000004 lg %r2,256(%r15)
0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560
000793161032697c: a7f4fbb5 brc 15,00079316103260e6
0007931610326980: b904002b lgr %r2,%r11
Call Trace:
smc_rx_splice+0xafc/0xe20 [smc]
smc_rx_splice+0x756/0xe20 [smc])
smc_rx_recvmsg+0xa74/0xe00 [smc]
smc_splice_read+0x1ce/0x3b0 [smc]
sock_splice_read+0xa2/0xf0
do_splice_read+0x198/0x240
splice_file_to_pipe+0x7e/0x110
do_splice+0x59e/0xde0
__do_splice+0x11a/0x2d0
__s390x_sys_splice+0x140/0x1f0
__do_syscall+0x122/0x280
system_call+0x6e/0x90
Last Breaking-Event-Address:
smc_rx_splice+0x960/0xe20 [smc]
---[ end trace 0000000000000000 ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_loopback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7",
"status": "affected",
"version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
"versionType": "git"
},
{
"lessThan": "d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6",
"status": "affected",
"version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
"versionType": "git"
},
{
"lessThan": "a35c04de2565db191726b5741e6b66a35002c652",
"status": "affected",
"version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_loopback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix warning in smc_rx_splice() when calling get_page()\n\nsmc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents\nholding a refcount on the buffer. This can lead to use-after-free if\nthe memory is released before splice_to_pipe() completes.\n\nUse folio_alloc() instead, ensuring DMBs are page-backed and safe for\nget_page().\n\nWARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE\nHardware name: IBM 3931 A01 704 (z/VM 7.4.0)\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005\n 0000000000000001 001cee80007d3006 0007740000001000 001c000000000000\n 000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000\n 000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8\nKrnl Code: 0007931610326960: af000000\t\tmc\t0,0\n 0007931610326964: a7f4ff43\t\tbrc\t15,00079316103267ea\n #0007931610326968: af000000\t\tmc\t0,0\n \u003e000793161032696c: a7f4ff3f\t\tbrc\t15,00079316103267ea\n 0007931610326970: e320f1000004\tlg\t%r2,256(%r15)\n 0007931610326976: c0e53fd1b5f5\tbrasl\t%r14,000793168fd5d560\n 000793161032697c: a7f4fbb5\t\tbrc\t15,00079316103260e6\n 0007931610326980: b904002b\t\tlgr\t%r2,%r11\nCall Trace:\n smc_rx_splice+0xafc/0xe20 [smc]\n smc_rx_splice+0x756/0xe20 [smc])\n smc_rx_recvmsg+0xa74/0xe00 [smc]\n smc_splice_read+0x1ce/0x3b0 [smc]\n sock_splice_read+0xa2/0xf0\n do_splice_read+0x198/0x240\n splice_file_to_pipe+0x7e/0x110\n do_splice+0x59e/0xde0\n __do_splice+0x11a/0x2d0\n __s390x_sys_splice+0x140/0x1f0\n __do_syscall+0x122/0x280\n system_call+0x6e/0x90\nLast Breaking-Event-Address:\nsmc_rx_splice+0x960/0xe20 [smc]\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:57.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7"
},
{
"url": "https://git.kernel.org/stable/c/d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6"
},
{
"url": "https://git.kernel.org/stable/c/a35c04de2565db191726b5741e6b66a35002c652"
}
],
"title": "net/smc: fix warning in smc_rx_splice() when calling get_page()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40012",
"datePublished": "2025-10-20T15:26:57.214Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:57.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53703 (GCVE-0-2023-53703)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: amd_sfh: Fix for shift-out-of-bounds
Shift operation of 'exp' and 'shift' variables exceeds the maximum number
of shift values in the u32 range leading to UBSAN shift-out-of-bounds.
...
[ 6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[ 6.120598] shift exponent 104 is too large for 64-bit type 'long unsigned int'
[ 6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10
[ 6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023
[ 6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[ 6.120687] Call Trace:
[ 6.120690] <TASK>
[ 6.120694] dump_stack_lvl+0x48/0x70
[ 6.120704] dump_stack+0x10/0x20
[ 6.120707] ubsan_epilogue+0x9/0x40
[ 6.120716] __ubsan_handle_shift_out_of_bounds+0x10f/0x170
[ 6.120720] ? psi_group_change+0x25f/0x4b0
[ 6.120729] float_to_int.cold+0x18/0xba [amd_sfh]
[ 6.120739] get_input_rep+0x57/0x340 [amd_sfh]
[ 6.120748] ? __schedule+0xba7/0x1b60
[ 6.120756] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
[ 6.120764] amd_sfh_work_buffer+0x91/0x180 [amd_sfh]
[ 6.120772] process_one_work+0x229/0x430
[ 6.120780] worker_thread+0x4a/0x3c0
[ 6.120784] ? __pfx_worker_thread+0x10/0x10
[ 6.120788] kthread+0xf7/0x130
[ 6.120792] ? __pfx_kthread+0x10/0x10
[ 6.120795] ret_from_fork+0x29/0x50
[ 6.120804] </TASK>
...
Fix this by adding the condition to validate shift ranges.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a45ed1ae34bb0e68944471f4bafb68e0a572791",
"status": "affected",
"version": "93ce5e0231d79189be4d9e5f9295807b18941419",
"versionType": "git"
},
{
"lessThan": "1e50bc2c177d4b2953d77037ac46ea0702d6aa1f",
"status": "affected",
"version": "93ce5e0231d79189be4d9e5f9295807b18941419",
"versionType": "git"
},
{
"lessThan": "87854366176403438d01f368b09de3ec2234e0f5",
"status": "affected",
"version": "93ce5e0231d79189be4d9e5f9295807b18941419",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix for shift-out-of-bounds\n\nShift operation of \u0027exp\u0027 and \u0027shift\u0027 variables exceeds the maximum number\nof shift values in the u32 range leading to UBSAN shift-out-of-bounds.\n\n...\n[ 6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50\n[ 6.120598] shift exponent 104 is too large for 64-bit type \u0027long unsigned int\u0027\n[ 6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10\n[ 6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023\n[ 6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh]\n[ 6.120687] Call Trace:\n[ 6.120690] \u003cTASK\u003e\n[ 6.120694] dump_stack_lvl+0x48/0x70\n[ 6.120704] dump_stack+0x10/0x20\n[ 6.120707] ubsan_epilogue+0x9/0x40\n[ 6.120716] __ubsan_handle_shift_out_of_bounds+0x10f/0x170\n[ 6.120720] ? psi_group_change+0x25f/0x4b0\n[ 6.120729] float_to_int.cold+0x18/0xba [amd_sfh]\n[ 6.120739] get_input_rep+0x57/0x340 [amd_sfh]\n[ 6.120748] ? __schedule+0xba7/0x1b60\n[ 6.120756] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]\n[ 6.120764] amd_sfh_work_buffer+0x91/0x180 [amd_sfh]\n[ 6.120772] process_one_work+0x229/0x430\n[ 6.120780] worker_thread+0x4a/0x3c0\n[ 6.120784] ? __pfx_worker_thread+0x10/0x10\n[ 6.120788] kthread+0xf7/0x130\n[ 6.120792] ? __pfx_kthread+0x10/0x10\n[ 6.120795] ret_from_fork+0x29/0x50\n[ 6.120804] \u003c/TASK\u003e\n...\n\nFix this by adding the condition to validate shift ranges."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:41.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a45ed1ae34bb0e68944471f4bafb68e0a572791"
},
{
"url": "https://git.kernel.org/stable/c/1e50bc2c177d4b2953d77037ac46ea0702d6aa1f"
},
{
"url": "https://git.kernel.org/stable/c/87854366176403438d01f368b09de3ec2234e0f5"
}
],
"title": "HID: amd_sfh: Fix for shift-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53703",
"datePublished": "2025-10-22T13:23:41.450Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:41.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50327 (GCVE-0-2022-50327)
Vulnerability from cvelistv5
Published
2025-09-15 14:49
Modified
2025-11-03 17:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
The return value of acpi_fetch_acpi_dev() could be NULL, which would
cause a NULL pointer dereference to occur in acpi_device_hid().
[ rjw: Subject and changelog edits, added empty line after if () ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:31:03.047Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/processor_idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdee7a0acc566c4194d40a501b8a1584e86cc208",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ad1190744da9d812da55b76f2afce750afb0a3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2ecd629c788bbfb96be058edade2e934d3763eaf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b85f0e292f73f353eea915499604fbf50c8238b4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2437513a814b3e93bd02879740a8a06e52e2cf7d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/processor_idle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:49:26.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9"
},
{
"url": "https://git.kernel.org/stable/c/fdee7a0acc566c4194d40a501b8a1584e86cc208"
},
{
"url": "https://git.kernel.org/stable/c/ad1190744da9d812da55b76f2afce750afb0a3bd"
},
{
"url": "https://git.kernel.org/stable/c/2ecd629c788bbfb96be058edade2e934d3763eaf"
},
{
"url": "https://git.kernel.org/stable/c/b85f0e292f73f353eea915499604fbf50c8238b4"
},
{
"url": "https://git.kernel.org/stable/c/2437513a814b3e93bd02879740a8a06e52e2cf7d"
}
],
"title": "ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50327",
"datePublished": "2025-09-15T14:49:26.711Z",
"dateReserved": "2025-09-15T14:18:36.815Z",
"dateUpdated": "2025-11-03T17:31:03.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39772 (GCVE-0-2025-39772)
Vulnerability from cvelistv5
Published
2025-09-11 16:56
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
When hibmc loaded failed, the driver use hibmc_unload to free the
resource, but the mutexes in mode.config are not init, which will
access an NULL pointer. Just change goto statement to return, because
hibnc_hw_init() doesn't need to free anything.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 Version: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:13.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddf1691f25345699296e642f0f59f2d464722fa3",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "c950e1be3a24d021475b56efdb49daa7fbba63a9",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "f93032e5d68f459601c701f6ab087b5feb3382e8",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "a4f1b9c57092c48bdc7958abd23403ccaed437b2",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "d3e774266c28aefab3e9db334fdf568f936cae04",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
},
{
"lessThan": "93a08f856fcc5aaeeecad01f71bef3088588216a",
"status": "affected",
"version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loaded failed, the driver use hibmc_unload to free the\nresource, but the mutexes in mode.config are not init, which will\naccess an NULL pointer. Just change goto statement to return, because\nhibnc_hw_init() doesn\u0027t need to free anything."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:06.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddf1691f25345699296e642f0f59f2d464722fa3"
},
{
"url": "https://git.kernel.org/stable/c/c950e1be3a24d021475b56efdb49daa7fbba63a9"
},
{
"url": "https://git.kernel.org/stable/c/f93032e5d68f459601c701f6ab087b5feb3382e8"
},
{
"url": "https://git.kernel.org/stable/c/a4f1b9c57092c48bdc7958abd23403ccaed437b2"
},
{
"url": "https://git.kernel.org/stable/c/d3e774266c28aefab3e9db334fdf568f936cae04"
},
{
"url": "https://git.kernel.org/stable/c/93a08f856fcc5aaeeecad01f71bef3088588216a"
}
],
"title": "drm/hisilicon/hibmc: fix the hibmc loaded failed bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39772",
"datePublished": "2025-09-11T16:56:26.130Z",
"dateReserved": "2025-04-16T07:20:57.128Z",
"dateUpdated": "2025-11-03T17:43:13.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50562 (GCVE-0-2022-50562)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: acpi: Call acpi_put_table() to fix memory leak
The start and length of the event log area are obtained from
TPM2 or TCPA table, so we call acpi_get_table() to get the
ACPI information, but the acpi_get_table() should be coupled with
acpi_put_table() to release the ACPI memory, add the acpi_put_table()
properly to fix the memory leak.
While we are at it, remove the redundant empty line at the
end of the tpm_read_log_acpi().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/eventlog/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ddc48068ac85740d3d5f9f3b0b323e733a35b33",
"status": "affected",
"version": "0bfb23746052168620c5b52f49d8a47c3bb022fa",
"versionType": "git"
},
{
"lessThan": "638cd298dfebce46919cbd6cf1884701215f506d",
"status": "affected",
"version": "0bfb23746052168620c5b52f49d8a47c3bb022fa",
"versionType": "git"
},
{
"lessThan": "694a3d66f493afd77c704c6de91d9be4d6e004e4",
"status": "affected",
"version": "0bfb23746052168620c5b52f49d8a47c3bb022fa",
"versionType": "git"
},
{
"lessThan": "bf31e3f8077af539feaf4e9bbf82e8eb51e7e5a8",
"status": "affected",
"version": "0bfb23746052168620c5b52f49d8a47c3bb022fa",
"versionType": "git"
},
{
"lessThan": "8740a12ca2e2959531ad253bac99ada338b33d80",
"status": "affected",
"version": "0bfb23746052168620c5b52f49d8a47c3bb022fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/eventlog/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: acpi: Call acpi_put_table() to fix memory leak\n\nThe start and length of the event log area are obtained from\nTPM2 or TCPA table, so we call acpi_get_table() to get the\nACPI information, but the acpi_get_table() should be coupled with\nacpi_put_table() to release the ACPI memory, add the acpi_put_table()\nproperly to fix the memory leak.\n\nWhile we are at it, remove the redundant empty line at the\nend of the tpm_read_log_acpi()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:21.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ddc48068ac85740d3d5f9f3b0b323e733a35b33"
},
{
"url": "https://git.kernel.org/stable/c/638cd298dfebce46919cbd6cf1884701215f506d"
},
{
"url": "https://git.kernel.org/stable/c/694a3d66f493afd77c704c6de91d9be4d6e004e4"
},
{
"url": "https://git.kernel.org/stable/c/bf31e3f8077af539feaf4e9bbf82e8eb51e7e5a8"
},
{
"url": "https://git.kernel.org/stable/c/8740a12ca2e2959531ad253bac99ada338b33d80"
}
],
"title": "tpm: acpi: Call acpi_put_table() to fix memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50562",
"datePublished": "2025-10-22T13:23:21.421Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:21.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53312 (GCVE-0-2023-53312)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix net_dev_start_xmit trace event vs skb_transport_offset()
After blamed commit, we must be more careful about using
skb_transport_offset(), as reminded us by syzbot:
WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]
WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
Modules linked in:
CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]
RIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]
RIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
Code: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff
RSP: 0018:ffffc900002bf700 EFLAGS: 00010293
RAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67
R13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0
Call Trace:
<TASK>
[<ffffffff84715e35>] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]
[<ffffffff84715e35>] xmit_one net/core/dev.c:3643 [inline]
[<ffffffff84715e35>] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660
[<ffffffff8471a232>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[<ffffffff85416493>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
[<ffffffff85416493>] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108
[<ffffffff85416744>] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127
[<ffffffff853bc52a>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
[<ffffffff853bc52a>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]
[<ffffffff853bc52a>] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701
[<ffffffff8151023c>] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289
[<ffffffff81511938>] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/net.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ced61418f46993d571385812bafed3a7d4ab6918",
"status": "affected",
"version": "66e4c8d950083df8e12981babca788e1635c92b6",
"versionType": "git"
},
{
"lessThan": "58f9e88eb247263c74383b4ee8858abac15cdbe0",
"status": "affected",
"version": "66e4c8d950083df8e12981babca788e1635c92b6",
"versionType": "git"
},
{
"lessThan": "f88fcb1d7d961b4b402d675109726f94db87571c",
"status": "affected",
"version": "66e4c8d950083df8e12981babca788e1635c92b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/net.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix net_dev_start_xmit trace event vs skb_transport_offset()\n\nAfter blamed commit, we must be more careful about using\nskb_transport_offset(), as reminded us by syzbot:\n\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nModules linked in:\nCPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet\nRIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]\nRIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]\nRIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nCode: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd \u003c0f\u003e 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff\nRSP: 0018:ffffc900002bf700 EFLAGS: 00010293\nRAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280\nRDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff\nRBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67\nR13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000\nFS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0\nCall Trace:\n\u003cTASK\u003e\n[\u003cffffffff84715e35\u003e] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]\n[\u003cffffffff84715e35\u003e] xmit_one net/core/dev.c:3643 [inline]\n[\u003cffffffff84715e35\u003e] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660\n[\u003cffffffff8471a232\u003e] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[\u003cffffffff85416493\u003e] dev_queue_xmit include/linux/netdevice.h:3030 [inline]\n[\u003cffffffff85416493\u003e] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108\n[\u003cffffffff85416744\u003e] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n[\u003cffffffff853bc52a\u003e] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]\n[\u003cffffffff853bc52a\u003e] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]\n[\u003cffffffff853bc52a\u003e] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701\n[\u003cffffffff8151023c\u003e] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289\n[\u003cffffffff81511938\u003e] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:49.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ced61418f46993d571385812bafed3a7d4ab6918"
},
{
"url": "https://git.kernel.org/stable/c/58f9e88eb247263c74383b4ee8858abac15cdbe0"
},
{
"url": "https://git.kernel.org/stable/c/f88fcb1d7d961b4b402d675109726f94db87571c"
}
],
"title": "net: fix net_dev_start_xmit trace event vs skb_transport_offset()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53312",
"datePublished": "2025-09-16T16:11:49.832Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2025-09-16T16:11:49.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53615 (GCVE-0-2023-53615)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix deletion race condition
System crash when using debug kernel due to link list corruption. The cause
of the link list corruption is due to session deletion was allowed to queue
up twice. Here's the internal trace that show the same port was allowed to
double queue for deletion on different cpu.
20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1
20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1
Move the clearing/setting of deleted flag lock.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 726b85487067d7f5b23495bc33c484b8517c4074 Version: 726b85487067d7f5b23495bc33c484b8517c4074 Version: 726b85487067d7f5b23495bc33c484b8517c4074 Version: 726b85487067d7f5b23495bc33c484b8517c4074 Version: 726b85487067d7f5b23495bc33c484b8517c4074 Version: 726b85487067d7f5b23495bc33c484b8517c4074 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c",
"drivers/scsi/qla2xxx/qla_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4628a5b98e4c6d905e1f7638242612d7db7d9c2",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
},
{
"lessThan": "4d7da12483e98c451a51bd294a3d3494f0aee5eb",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
},
{
"lessThan": "f1ea164be545629bf442c22f508ad9e7b94ac100",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
},
{
"lessThan": "cd06c45b326e44f0d21dc1b3fa23e71f46847e28",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
},
{
"lessThan": "b05017cb4ff75eea783583f3d400059507510ab1",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
},
{
"lessThan": "6dfe4344c168c6ca20fe7640649aacfcefcccb26",
"status": "affected",
"version": "726b85487067d7f5b23495bc33c484b8517c4074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c",
"drivers/scsi/qla2xxx/qla_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.258",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix deletion race condition\n\nSystem crash when using debug kernel due to link list corruption. The cause\nof the link list corruption is due to session deletion was allowed to queue\nup twice. Here\u0027s the internal trace that show the same port was allowed to\ndouble queue for deletion on different cpu.\n\n20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n\nMove the clearing/setting of deleted flag lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:22.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4628a5b98e4c6d905e1f7638242612d7db7d9c2"
},
{
"url": "https://git.kernel.org/stable/c/4d7da12483e98c451a51bd294a3d3494f0aee5eb"
},
{
"url": "https://git.kernel.org/stable/c/f1ea164be545629bf442c22f508ad9e7b94ac100"
},
{
"url": "https://git.kernel.org/stable/c/cd06c45b326e44f0d21dc1b3fa23e71f46847e28"
},
{
"url": "https://git.kernel.org/stable/c/b05017cb4ff75eea783583f3d400059507510ab1"
},
{
"url": "https://git.kernel.org/stable/c/6dfe4344c168c6ca20fe7640649aacfcefcccb26"
}
],
"title": "scsi: qla2xxx: Fix deletion race condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53615",
"datePublished": "2025-10-04T15:44:22.376Z",
"dateReserved": "2025-10-04T15:40:38.481Z",
"dateUpdated": "2025-10-04T15:44:22.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50574 (GCVE-0-2022-50574)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/omap: dss: Fix refcount leak bugs
In dss_init_ports() and __dss_uninit_ports(), we should call
of_node_put() for the reference returned by of_graph_get_port_by_id()
in fail path or when it is not used anymore.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 Version: 09bffa6e519256c6fa1552d6ba1f5d594337a464 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/omapdrm/dss/dss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d7af9b1624dd70b67354972d7297429e6372091",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
},
{
"lessThan": "1f340e1c1c74d11c45a6e32663829b26acd4f47b",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
},
{
"lessThan": "a5ce83e85d795ec98697039ecc518b21d5810adc",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
},
{
"lessThan": "e55261beb86a15c190b2ff9090cb47bc06765353",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
},
{
"lessThan": "8f7c4114db841497e1148598e22548dd1f700b22",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
},
{
"lessThan": "8b42057e62120813ebe9274f508fa785b7cab33a",
"status": "affected",
"version": "09bffa6e519256c6fa1552d6ba1f5d594337a464",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/omapdrm/dss/dss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/omap: dss: Fix refcount leak bugs\n\nIn dss_init_ports() and __dss_uninit_ports(), we should call\nof_node_put() for the reference returned by of_graph_get_port_by_id()\nin fail path or when it is not used anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:29.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d7af9b1624dd70b67354972d7297429e6372091"
},
{
"url": "https://git.kernel.org/stable/c/1f340e1c1c74d11c45a6e32663829b26acd4f47b"
},
{
"url": "https://git.kernel.org/stable/c/a5ce83e85d795ec98697039ecc518b21d5810adc"
},
{
"url": "https://git.kernel.org/stable/c/e55261beb86a15c190b2ff9090cb47bc06765353"
},
{
"url": "https://git.kernel.org/stable/c/8f7c4114db841497e1148598e22548dd1f700b22"
},
{
"url": "https://git.kernel.org/stable/c/8b42057e62120813ebe9274f508fa785b7cab33a"
}
],
"title": "drm/omap: dss: Fix refcount leak bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50574",
"datePublished": "2025-10-22T13:23:29.027Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:29.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53587 (GCVE-0-2023-53587)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Sync IRQ works before buffer destruction
If something was written to the buffer just before destruction,
it may be possible (maybe not in a real system, but it did
happen in ARCH=um with time-travel) to destroy the ringbuffer
before the IRQ work ran, leading this KASAN report (or a crash
without KASAN):
BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
Read of size 8 at addr 000000006d640a48 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7
Stack:
60c4f20f 0c203d48 41b58ab3 60f224fc
600477fa 60f35687 60c4f20f 601273dd
00000008 6101eb00 6101eab0 615be548
Call Trace:
[<60047a58>] show_stack+0x25e/0x282
[<60c609e0>] dump_stack_lvl+0x96/0xfd
[<60c50d4c>] print_report+0x1a7/0x5a8
[<603078d3>] kasan_report+0xc1/0xe9
[<60308950>] __asan_report_load8_noabort+0x1b/0x1d
[<60232844>] irq_work_run_list+0x11a/0x13a
[<602328b4>] irq_work_tick+0x24/0x34
[<6017f9dc>] update_process_times+0x162/0x196
[<6019f335>] tick_sched_handle+0x1a4/0x1c3
[<6019fd9e>] tick_sched_timer+0x79/0x10c
[<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
[<60182913>] hrtimer_interrupt+0x16c/0x2c4
[<600486a3>] um_timer+0x164/0x183
[...]
Allocated by task 411:
save_stack_trace+0x99/0xb5
stack_trace_save+0x81/0x9b
kasan_save_stack+0x2d/0x54
kasan_set_track+0x34/0x3e
kasan_save_alloc_info+0x25/0x28
____kasan_kmalloc+0x8b/0x97
__kasan_kmalloc+0x10/0x12
__kmalloc+0xb2/0xe8
load_elf_phdrs+0xee/0x182
[...]
The buggy address belongs to the object at 000000006d640800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 584 bytes inside of
freed 1024-byte region [000000006d640800, 000000006d640c00)
Add the appropriate irq_work_sync() so the work finishes before
the buffers are destroyed.
Prior to the commit in the Fixes tag below, there was only a
single global IRQ work, so this issue didn't exist.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 Version: 15693458c4bc0693fd63a50d60f35b628fcf4e29 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "372c5ee537b8366b64b691ba29e9335525e1655e",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "2702b67f59d455072a08dc40312f9b090d4dec04",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "2399b1fda025e939b6fb1ac94505bcf718534e65",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "1c99f65d6af2a454bfd5207b4f6a97c8474a1191",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "c63741e872fcfb10e153517750f7908f0c00f60d",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "d9834abd8b24d1fe8092859e436fe1e0fd467c61",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "0a65165bd24ee9231191597b7c232376fcd70cdb",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
},
{
"lessThan": "675751bb20634f981498c7d66161584080cc061e",
"status": "affected",
"version": "15693458c4bc0693fd63a50d60f35b628fcf4e29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7\n Stack:\n 60c4f20f 0c203d48 41b58ab3 60f224fc\n 600477fa 60f35687 60c4f20f 601273dd\n 00000008 6101eb00 6101eab0 615be548\n Call Trace:\n [\u003c60047a58\u003e] show_stack+0x25e/0x282\n [\u003c60c609e0\u003e] dump_stack_lvl+0x96/0xfd\n [\u003c60c50d4c\u003e] print_report+0x1a7/0x5a8\n [\u003c603078d3\u003e] kasan_report+0xc1/0xe9\n [\u003c60308950\u003e] __asan_report_load8_noabort+0x1b/0x1d\n [\u003c60232844\u003e] irq_work_run_list+0x11a/0x13a\n [\u003c602328b4\u003e] irq_work_tick+0x24/0x34\n [\u003c6017f9dc\u003e] update_process_times+0x162/0x196\n [\u003c6019f335\u003e] tick_sched_handle+0x1a4/0x1c3\n [\u003c6019fd9e\u003e] tick_sched_timer+0x79/0x10c\n [\u003c601812b9\u003e] __hrtimer_run_queues.constprop.0+0x425/0x695\n [\u003c60182913\u003e] hrtimer_interrupt+0x16c/0x2c4\n [\u003c600486a3\u003e] um_timer+0x164/0x183\n [...]\n\n Allocated by task 411:\n save_stack_trace+0x99/0xb5\n stack_trace_save+0x81/0x9b\n kasan_save_stack+0x2d/0x54\n kasan_set_track+0x34/0x3e\n kasan_save_alloc_info+0x25/0x28\n ____kasan_kmalloc+0x8b/0x97\n __kasan_kmalloc+0x10/0x12\n __kmalloc+0xb2/0xe8\n load_elf_phdrs+0xee/0x182\n [...]\n\n The buggy address belongs to the object at 000000006d640800\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 584 bytes inside of\n freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn\u0027t exist."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:02.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/372c5ee537b8366b64b691ba29e9335525e1655e"
},
{
"url": "https://git.kernel.org/stable/c/2702b67f59d455072a08dc40312f9b090d4dec04"
},
{
"url": "https://git.kernel.org/stable/c/2399b1fda025e939b6fb1ac94505bcf718534e65"
},
{
"url": "https://git.kernel.org/stable/c/1c99f65d6af2a454bfd5207b4f6a97c8474a1191"
},
{
"url": "https://git.kernel.org/stable/c/c63741e872fcfb10e153517750f7908f0c00f60d"
},
{
"url": "https://git.kernel.org/stable/c/d9834abd8b24d1fe8092859e436fe1e0fd467c61"
},
{
"url": "https://git.kernel.org/stable/c/fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76"
},
{
"url": "https://git.kernel.org/stable/c/0a65165bd24ee9231191597b7c232376fcd70cdb"
},
{
"url": "https://git.kernel.org/stable/c/675751bb20634f981498c7d66161584080cc061e"
}
],
"title": "ring-buffer: Sync IRQ works before buffer destruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53587",
"datePublished": "2025-10-04T15:44:02.679Z",
"dateReserved": "2025-10-04T15:40:38.477Z",
"dateUpdated": "2025-10-04T15:44:02.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39948 (GCVE-0-2025-39948)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix Rx page leak on multi-buffer frames
The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each
buffer in the current frame. This function was introduced as part of
handling multi-buffer XDP support in the ice driver.
It works by iterating over the buffers from first_desc up to 1 plus the
total number of fragments in the frame, cached from before the XDP program
was executed.
If the hardware posts a descriptor with a size of 0, the logic used in
ice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added
as fragments in ice_add_xdp_frag. Since the buffer isn't counted as a
fragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't
call ice_put_rx_buf().
Because we don't call ice_put_rx_buf(), we don't attempt to re-use the
page or free it. This leaves a stale page in the ring, as we don't
increment next_to_alloc.
The ice_reuse_rx_page() assumes that the next_to_alloc has been incremented
properly, and that it always points to a buffer with a NULL page. Since
this function doesn't check, it will happily recycle a page over the top
of the next_to_alloc buffer, losing track of the old page.
Note that this leak only occurs for multi-buffer frames. The
ice_put_rx_mbuf() function always handles at least one buffer, so a
single-buffer frame will always get handled correctly. It is not clear
precisely why the hardware hands us descriptors with a size of 0 sometimes,
but it happens somewhat regularly with "jumbo frames" used by 9K MTU.
To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on
all buffers between first_desc and next_to_clean. Borrow the logic of a
similar function in i40e used for this same purpose. Use the same logic
also in ice_get_pgcnts().
Instead of iterating over just the number of fragments, use a loop which
iterates until the current index reaches to the next_to_clean element just
past the current frame. Unlike i40e, the ice_put_rx_mbuf() function does
call ice_put_rx_buf() on the last buffer of the frame indicating the end of
packet.
For non-linear (multi-buffer) frames, we need to take care when adjusting
the pagecnt_bias. An XDP program might release fragments from the tail of
the frame, in which case that fragment page is already released. Only
update the pagecnt_bias for the first descriptor and fragments still
remaining post-XDP program. Take care to only access the shared info for
fragmented buffers, as this avoids a significant cache miss.
The xdp_xmit value only needs to be updated if an XDP program is run, and
only once per packet. Drop the xdp_xmit pointer argument from
ice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function
directly. This avoids needing to pass the argument and avoids an extra
bit-wise OR for each buffer in the frame.
Move the increment of the ntc local variable to ensure its updated *before*
all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic
requires the index of the element just after the current frame.
Now that we use an index pointer in the ring to identify the packet, we no
longer need to track or cache the number of fragments in the rx_ring.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_txrx.c",
"drivers/net/ethernet/intel/ice/ice_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80555adb5c892f0e21d243ae96ed997ee520aea9",
"status": "affected",
"version": "311813ed013c016d4b0b0985a9ee41f778489077",
"versionType": "git"
},
{
"lessThan": "fcb5718ebfe7fd64144e3399280440cce361a3ae",
"status": "affected",
"version": "743bbd93cf29f653fae0e1416a31f03231689911",
"versionType": "git"
},
{
"lessThan": "84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b",
"status": "affected",
"version": "743bbd93cf29f653fae0e1416a31f03231689911",
"versionType": "git"
},
{
"status": "affected",
"version": "ac1728cf370bec2e74fe6a2adf05b4629980d2b3",
"versionType": "git"
},
{
"status": "affected",
"version": "d445b59d30415bb56f4803f622d566bca06e0abc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_txrx.c",
"drivers/net/ethernet/intel/ice/ice_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Rx page leak on multi-buffer frames\n\nThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each\nbuffer in the current frame. This function was introduced as part of\nhandling multi-buffer XDP support in the ice driver.\n\nIt works by iterating over the buffers from first_desc up to 1 plus the\ntotal number of fragments in the frame, cached from before the XDP program\nwas executed.\n\nIf the hardware posts a descriptor with a size of 0, the logic used in\nice_put_rx_mbuf() breaks. Such descriptors get skipped and don\u0027t get added\nas fragments in ice_add_xdp_frag. Since the buffer isn\u0027t counted as a\nfragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don\u0027t\ncall ice_put_rx_buf().\n\nBecause we don\u0027t call ice_put_rx_buf(), we don\u0027t attempt to re-use the\npage or free it. This leaves a stale page in the ring, as we don\u0027t\nincrement next_to_alloc.\n\nThe ice_reuse_rx_page() assumes that the next_to_alloc has been incremented\nproperly, and that it always points to a buffer with a NULL page. Since\nthis function doesn\u0027t check, it will happily recycle a page over the top\nof the next_to_alloc buffer, losing track of the old page.\n\nNote that this leak only occurs for multi-buffer frames. The\nice_put_rx_mbuf() function always handles at least one buffer, so a\nsingle-buffer frame will always get handled correctly. It is not clear\nprecisely why the hardware hands us descriptors with a size of 0 sometimes,\nbut it happens somewhat regularly with \"jumbo frames\" used by 9K MTU.\n\nTo fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on\nall buffers between first_desc and next_to_clean. Borrow the logic of a\nsimilar function in i40e used for this same purpose. Use the same logic\nalso in ice_get_pgcnts().\n\nInstead of iterating over just the number of fragments, use a loop which\niterates until the current index reaches to the next_to_clean element just\npast the current frame. Unlike i40e, the ice_put_rx_mbuf() function does\ncall ice_put_rx_buf() on the last buffer of the frame indicating the end of\npacket.\n\nFor non-linear (multi-buffer) frames, we need to take care when adjusting\nthe pagecnt_bias. An XDP program might release fragments from the tail of\nthe frame, in which case that fragment page is already released. Only\nupdate the pagecnt_bias for the first descriptor and fragments still\nremaining post-XDP program. Take care to only access the shared info for\nfragmented buffers, as this avoids a significant cache miss.\n\nThe xdp_xmit value only needs to be updated if an XDP program is run, and\nonly once per packet. Drop the xdp_xmit pointer argument from\nice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function\ndirectly. This avoids needing to pass the argument and avoids an extra\nbit-wise OR for each buffer in the frame.\n\nMove the increment of the ntc local variable to ensure its updated *before*\nall calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic\nrequires the index of the element just after the current frame.\n\nNow that we use an index pointer in the ring to identify the packet, we no\nlonger need to track or cache the number of fragments in the rx_ring."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:09.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80555adb5c892f0e21d243ae96ed997ee520aea9"
},
{
"url": "https://git.kernel.org/stable/c/fcb5718ebfe7fd64144e3399280440cce361a3ae"
},
{
"url": "https://git.kernel.org/stable/c/84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b"
}
],
"title": "ice: fix Rx page leak on multi-buffer frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39948",
"datePublished": "2025-10-04T07:31:09.403Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:09.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39724 (GCVE-0-2025-39724)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: fix panic due to PSLVERR
When the PSLVERR_RESP_EN parameter is set to 1, the device generates
an error response if an attempt is made to read an empty RBR (Receive
Buffer Register) while the FIFO is enabled.
In serial8250_do_startup(), calling serial_port_out(port, UART_LCR,
UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes
dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter
function enables the FIFO via serial_out(p, UART_FCR, p->fcr).
Execution proceeds to the serial_port_in(port, UART_RX).
This satisfies the PSLVERR trigger condition.
When another CPU (e.g., using printk()) is accessing the UART (UART
is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==
(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter
dw8250_force_idle().
Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock
to fix this issue.
Panic backtrace:
[ 0.442336] Oops - unknown exception [#1]
[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e
...
[ 0.442416] console_on_rootfs+0x26/0x70
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: c49436b657d0a56a6ad90d14a7c3041add7cf64d Version: 6d5e79331417886196cb3a733bdb6645ba85bc42 Version: 2401577586898b3590db80f8b97a26f81f0f6d4e |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:46.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_port.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b882f00655afefbc7729c6b5aec86f7a5473a3d",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "b8ca8e3f75ede308b4d49a6ca5081460be01bdb5",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "68c4613e89f000e8198f9ace643082c697921c9f",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "c826943abf473a3f7260fbadfad65e44db475460",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "cb7b3633ed749db8e56f475f43c960652cbd6882",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "8e2739478c164147d0774802008528d9e03fb802",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "38c0ea484dedb58cb3a4391229933e16be0d1031",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"lessThan": "7f8fdd4dbffc05982b96caf586f77a014b2a9353",
"status": "affected",
"version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
"versionType": "git"
},
{
"status": "affected",
"version": "6d5e79331417886196cb3a733bdb6645ba85bc42",
"versionType": "git"
},
{
"status": "affected",
"version": "2401577586898b3590db80f8b97a26f81f0f6d4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_port.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p-\u003efcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value \u0026 ~UART_LCR_SPAR) ==\n(lcr \u0026 ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port-\u003elock\nto fix this issue.\n\nPanic backtrace:\n[ 0.442336] Oops - unknown exception [#1]\n[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e\n...\n[ 0.442416] console_on_rootfs+0x26/0x70"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:11.937Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b882f00655afefbc7729c6b5aec86f7a5473a3d"
},
{
"url": "https://git.kernel.org/stable/c/b8ca8e3f75ede308b4d49a6ca5081460be01bdb5"
},
{
"url": "https://git.kernel.org/stable/c/68c4613e89f000e8198f9ace643082c697921c9f"
},
{
"url": "https://git.kernel.org/stable/c/c826943abf473a3f7260fbadfad65e44db475460"
},
{
"url": "https://git.kernel.org/stable/c/cb7b3633ed749db8e56f475f43c960652cbd6882"
},
{
"url": "https://git.kernel.org/stable/c/8e2739478c164147d0774802008528d9e03fb802"
},
{
"url": "https://git.kernel.org/stable/c/38c0ea484dedb58cb3a4391229933e16be0d1031"
},
{
"url": "https://git.kernel.org/stable/c/7f8fdd4dbffc05982b96caf586f77a014b2a9353"
}
],
"title": "serial: 8250: fix panic due to PSLVERR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39724",
"datePublished": "2025-09-05T17:21:32.005Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:46.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39907 (GCVE-0-2025-39907)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Avoid below overlapping mappings by using a contiguous
non-cacheable buffer.
[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,
overlapping mappings aren't supported
[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300
[ 4.097071] Modules linked in:
[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1
[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)
[ 4.118824] Workqueue: events_unbound deferred_probe_work_func
[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.131624] pc : add_dma_entry+0x23c/0x300
[ 4.135658] lr : add_dma_entry+0x23c/0x300
[ 4.139792] sp : ffff800009dbb490
[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000
[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8
[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20
[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006
[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e
[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec
[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58
[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000
[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40
[ 4.214185] Call trace:
[ 4.216605] add_dma_entry+0x23c/0x300
[ 4.220338] debug_dma_map_sg+0x198/0x350
[ 4.224373] __dma_map_sg_attrs+0xa0/0x110
[ 4.228411] dma_map_sg_attrs+0x10/0x2c
[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc
[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174
[ 4.242127] nand_read_oob+0x1d4/0x8e0
[ 4.245861] mtd_read_oob_std+0x58/0x84
[ 4.249596] mtd_read_oob+0x90/0x150
[ 4.253231] mtd_read+0x68/0xac
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:34.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc1c6e60993b93b87604eb11266ac72e1a3be9e0",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "dfe2ac47a6ee0ab50393694517c54ef1e276dda3",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "e32a2ea52b51368774d014e5bcd9b86110a2b727",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "75686c49574dd5f171ca682c18717787f1d8d55e",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "06d8ef8f853752fea88c8d5bb093a40e71b330cf",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "26adba1e7d7924174e15a3ba4b1132990786300b",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "f6fd98d961fa6f97347cead4f08ed862cbbb91ff",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "513c40e59d5a414ab763a9c84797534b5e8c208d",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\n[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[ 4.097071] Modules linked in:\n[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[ 4.118824] Workqueue: events_unbound deferred_probe_work_func\n[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 4.131624] pc : add_dma_entry+0x23c/0x300\n[ 4.135658] lr : add_dma_entry+0x23c/0x300\n[ 4.139792] sp : ffff800009dbb490\n[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20\n[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[ 4.214185] Call trace:\n[ 4.216605] add_dma_entry+0x23c/0x300\n[ 4.220338] debug_dma_map_sg+0x198/0x350\n[ 4.224373] __dma_map_sg_attrs+0xa0/0x110\n[ 4.228411] dma_map_sg_attrs+0x10/0x2c\n[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[ 4.242127] nand_read_oob+0x1d4/0x8e0\n[ 4.245861] mtd_read_oob_std+0x58/0x84\n[ 4.249596] mtd_read_oob+0x90/0x150\n[ 4.253231] mtd_read+0x68/0xac"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:38.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc1c6e60993b93b87604eb11266ac72e1a3be9e0"
},
{
"url": "https://git.kernel.org/stable/c/dfe2ac47a6ee0ab50393694517c54ef1e276dda3"
},
{
"url": "https://git.kernel.org/stable/c/e32a2ea52b51368774d014e5bcd9b86110a2b727"
},
{
"url": "https://git.kernel.org/stable/c/75686c49574dd5f171ca682c18717787f1d8d55e"
},
{
"url": "https://git.kernel.org/stable/c/06d8ef8f853752fea88c8d5bb093a40e71b330cf"
},
{
"url": "https://git.kernel.org/stable/c/26adba1e7d7924174e15a3ba4b1132990786300b"
},
{
"url": "https://git.kernel.org/stable/c/f6fd98d961fa6f97347cead4f08ed862cbbb91ff"
},
{
"url": "https://git.kernel.org/stable/c/513c40e59d5a414ab763a9c84797534b5e8c208d"
}
],
"title": "mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39907",
"datePublished": "2025-10-01T07:44:30.864Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:34.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53442 (GCVE-0-2023-53442)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Block switchdev mode when ADQ is active and vice versa
ADQ and switchdev are not supported simultaneously. Enabling both at the
same time can result in nullptr dereference.
To prevent this, check if ADQ is active when changing devlink mode to
switchdev mode, and check if switchdev is active when enabling ADQ.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c82d1b736ce85e77fd4da05eca6f1f4a52a2bc3",
"status": "affected",
"version": "fbc7b27af0f9fb181811424e29caf6825594a841",
"versionType": "git"
},
{
"lessThan": "24f0d69da35d812b3a1104918014a29627140cb1",
"status": "affected",
"version": "fbc7b27af0f9fb181811424e29caf6825594a841",
"versionType": "git"
},
{
"lessThan": "43d00e102d9ecbe2635d7e3f2e14d2e90183d6af",
"status": "affected",
"version": "fbc7b27af0f9fb181811424e29caf6825594a841",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Block switchdev mode when ADQ is active and vice versa\n\nADQ and switchdev are not supported simultaneously. Enabling both at the\nsame time can result in nullptr dereference.\n\nTo prevent this, check if ADQ is active when changing devlink mode to\nswitchdev mode, and check if switchdev is active when enabling ADQ."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:19.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c82d1b736ce85e77fd4da05eca6f1f4a52a2bc3"
},
{
"url": "https://git.kernel.org/stable/c/24f0d69da35d812b3a1104918014a29627140cb1"
},
{
"url": "https://git.kernel.org/stable/c/43d00e102d9ecbe2635d7e3f2e14d2e90183d6af"
}
],
"title": "ice: Block switchdev mode when ADQ is active and vice versa",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53442",
"datePublished": "2025-09-18T16:04:19.192Z",
"dateReserved": "2025-09-17T14:54:09.752Z",
"dateUpdated": "2025-09-18T16:04:19.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53602 (GCVE-0-2023-53602)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-06 09:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix memory leak in WMI firmware stats
Memory allocated for firmware pdev, vdev and beacon statistics
are not released during rmmod.
Fix it by calling ath11k_fw_stats_free() function before hardware
unregister.
While at it, avoid calling ath11k_fw_stats_free() while processing
the firmware stats received in the WMI event because the local list
is getting spliced and reinitialised and hence there are no elements
in the list after splicing.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f9330a49d1464849482298dd34d361859183eb",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "55248d36beb79d3a61c9fb3122dc377fff523c89",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "6aafa1c2d3e3fea2ebe84c018003f2a91722e607",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix memory leak in WMI firmware stats\n\nMemory allocated for firmware pdev, vdev and beacon statistics\nare not released during rmmod.\n\nFix it by calling ath11k_fw_stats_free() function before hardware\nunregister.\n\nWhile at it, avoid calling ath11k_fw_stats_free() while processing\nthe firmware stats received in the WMI event because the local list\nis getting spliced and reinitialised and hence there are no elements\nin the list after splicing.\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T09:07:20.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f9330a49d1464849482298dd34d361859183eb"
},
{
"url": "https://git.kernel.org/stable/c/55248d36beb79d3a61c9fb3122dc377fff523c89"
},
{
"url": "https://git.kernel.org/stable/c/6aafa1c2d3e3fea2ebe84c018003f2a91722e607"
}
],
"title": "wifi: ath11k: fix memory leak in WMI firmware stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53602",
"datePublished": "2025-10-04T15:44:13.155Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-06T09:07:20.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50530 (GCVE-0-2022-50530)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()
Our syzkaller report a null pointer dereference, root cause is
following:
__blk_mq_alloc_map_and_rqs
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs
blk_mq_alloc_map_and_rqs
blk_mq_alloc_rqs
// failed due to oom
alloc_pages_node
// set->tags[hctx_idx] is still NULL
blk_mq_free_rqs
drv_tags = set->tags[hctx_idx];
// null pointer dereference is triggered
blk_mq_clear_rq_mapping(drv_tags, ...)
This is because commit 63064be150e4 ("blk-mq:
Add blk_mq_alloc_map_and_rqs()") merged the two steps:
1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()
2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])
into one step:
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()
Since tags is not initialized yet in this case, fix the problem by
checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a440e6d04431e774dc084abe88c106e2a474c1a",
"status": "affected",
"version": "63064be150e4b1ba1e4af594ef5aa81adf21a52d",
"versionType": "git"
},
{
"lessThan": "76dd298094f484c6250ebd076fa53287477b2328",
"status": "affected",
"version": "63064be150e4b1ba1e4af594ef5aa81adf21a52d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()\n\nOur syzkaller report a null pointer dereference, root cause is\nfollowing:\n\n__blk_mq_alloc_map_and_rqs\n set-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs\n blk_mq_alloc_map_and_rqs\n blk_mq_alloc_rqs\n // failed due to oom\n alloc_pages_node\n // set-\u003etags[hctx_idx] is still NULL\n blk_mq_free_rqs\n drv_tags = set-\u003etags[hctx_idx];\n // null pointer dereference is triggered\n blk_mq_clear_rq_mapping(drv_tags, ...)\n\nThis is because commit 63064be150e4 (\"blk-mq:\nAdd blk_mq_alloc_map_and_rqs()\") merged the two steps:\n\n1) set-\u003etags[hctx_idx] = blk_mq_alloc_rq_map()\n2) blk_mq_alloc_rqs(..., set-\u003etags[hctx_idx])\n\ninto one step:\n\nset-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs()\n\nSince tags is not initialized yet in this case, fix the problem by\nchecking if tags is NULL pointer in blk_mq_clear_rq_mapping()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:21.259Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a"
},
{
"url": "https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328"
}
],
"title": "blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50530",
"datePublished": "2025-10-07T15:19:21.259Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:21.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53426 (GCVE-0-2023-53426)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: Fix xsk_diag use-after-free error during socket cleanup
Fix a use-after-free error that is possible if the xsk_diag interface
is used after the socket has been unbound from the device. This can
happen either due to the socket being closed or the device
disappearing. In the early days of AF_XDP, the way we tested that a
socket was not bound to a device was to simply check if the netdevice
pointer in the xsk socket structure was NULL. Later, a better system
was introduced by having an explicit state variable in the xsk socket
struct. For example, the state of a socket that is on the way to being
closed and has been unbound from the device is XSK_UNBOUND.
The commit in the Fixes tag below deleted the old way of signalling
that a socket is unbound, setting dev to NULL. This in the belief that
all code using the old way had been exterminated. That was
unfortunately not true as the xsk diagnostics code was still using the
old way and thus does not work as intended when a socket is going
down. Fix this by introducing a test against the state variable. If
the socket is in the state XSK_UNBOUND, simply abort the diagnostic's
netlink operation.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ad7219cd8751bd258b9d1e69ae0654ec00f71875 Version: 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 Version: 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 Version: 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 Version: d1579253ffce39986e7a6ab757ac93b2680a665f Version: 8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5979985f2d6b565b6cf0f79a62670a2855c0e96c",
"status": "affected",
"version": "ad7219cd8751bd258b9d1e69ae0654ec00f71875",
"versionType": "git"
},
{
"lessThan": "6436973164ea5506a495f39e56be5aea375e7832",
"status": "affected",
"version": "18b1ab7aa76bde181bdb1ab19a87fa9523c32f21",
"versionType": "git"
},
{
"lessThan": "595931912357fa3507e522a7f8a0a76e423c23e4",
"status": "affected",
"version": "18b1ab7aa76bde181bdb1ab19a87fa9523c32f21",
"versionType": "git"
},
{
"lessThan": "3e019d8a05a38abb5c85d4f1e85fda964610aa14",
"status": "affected",
"version": "18b1ab7aa76bde181bdb1ab19a87fa9523c32f21",
"versionType": "git"
},
{
"status": "affected",
"version": "d1579253ffce39986e7a6ab757ac93b2680a665f",
"versionType": "git"
},
{
"status": "affected",
"version": "8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk_diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix xsk_diag use-after-free error during socket cleanup\n\nFix a use-after-free error that is possible if the xsk_diag interface\nis used after the socket has been unbound from the device. This can\nhappen either due to the socket being closed or the device\ndisappearing. In the early days of AF_XDP, the way we tested that a\nsocket was not bound to a device was to simply check if the netdevice\npointer in the xsk socket structure was NULL. Later, a better system\nwas introduced by having an explicit state variable in the xsk socket\nstruct. For example, the state of a socket that is on the way to being\nclosed and has been unbound from the device is XSK_UNBOUND.\n\nThe commit in the Fixes tag below deleted the old way of signalling\nthat a socket is unbound, setting dev to NULL. This in the belief that\nall code using the old way had been exterminated. That was\nunfortunately not true as the xsk diagnostics code was still using the\nold way and thus does not work as intended when a socket is going\ndown. Fix this by introducing a test against the state variable. If\nthe socket is in the state XSK_UNBOUND, simply abort the diagnostic\u0027s\nnetlink operation."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:08.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5979985f2d6b565b6cf0f79a62670a2855c0e96c"
},
{
"url": "https://git.kernel.org/stable/c/6436973164ea5506a495f39e56be5aea375e7832"
},
{
"url": "https://git.kernel.org/stable/c/595931912357fa3507e522a7f8a0a76e423c23e4"
},
{
"url": "https://git.kernel.org/stable/c/3e019d8a05a38abb5c85d4f1e85fda964610aa14"
}
],
"title": "xsk: Fix xsk_diag use-after-free error during socket cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53426",
"datePublished": "2025-09-18T16:04:08.192Z",
"dateReserved": "2025-09-17T14:54:09.743Z",
"dateUpdated": "2025-09-18T16:04:08.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39732 (GCVE-0-2025-39732)
Vulnerability from cvelistv5
Published
2025-09-07 15:16
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()
ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to
ieee80211_iterate_stations_atomic(). Note in this case the iterator is
required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does
not follow it as it might sleep. Consequently below warning is seen:
BUG: sleeping function called from invalid context at wmi.c:304
Call Trace:
<TASK>
dump_stack_lvl
__might_resched.cold
ath11k_wmi_cmd_send
ath11k_wmi_set_peer_param
ath11k_mac_disable_peer_fixed_rate
ieee80211_iterate_stations_atomic
ath11k_mac_op_set_bitrate_mask.cold
Change to ieee80211_iterate_stations_mtx() to fix this issue.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c0e3144924c7db701575a73af341d33184afeaf",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "7d4d0db0dc9424de2bdc0b45e919e4892603356f",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "6bdef22d540258ca06f079f7b6ae100669a19b47",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "65c12b104cb942d588a1a093acc4537fb3d3b129",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()\n\nath11k_mac_disable_peer_fixed_rate() is passed as the iterator to\nieee80211_iterate_stations_atomic(). Note in this case the iterator is\nrequired to be atomic, however ath11k_mac_disable_peer_fixed_rate() does\nnot follow it as it might sleep. Consequently below warning is seen:\n\nBUG: sleeping function called from invalid context at wmi.c:304\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl\n __might_resched.cold\n ath11k_wmi_cmd_send\n ath11k_wmi_set_peer_param\n ath11k_mac_disable_peer_fixed_rate\n ieee80211_iterate_stations_atomic\n ath11k_mac_op_set_bitrate_mask.cold\n\nChange to ieee80211_iterate_stations_mtx() to fix this issue.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:18.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c0e3144924c7db701575a73af341d33184afeaf"
},
{
"url": "https://git.kernel.org/stable/c/7d4d0db0dc9424de2bdc0b45e919e4892603356f"
},
{
"url": "https://git.kernel.org/stable/c/6bdef22d540258ca06f079f7b6ae100669a19b47"
},
{
"url": "https://git.kernel.org/stable/c/65c12b104cb942d588a1a093acc4537fb3d3b129"
}
],
"title": "wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39732",
"datePublished": "2025-09-07T15:16:20.684Z",
"dateReserved": "2025-04-16T07:20:57.118Z",
"dateUpdated": "2025-09-29T05:58:18.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39828 (GCVE-0-2025-39828)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
syzbot reported the splat below. [0]
When atmtcp_v_open() or atmtcp_v_close() is called via connect()
or close(), atmtcp_send_control() is called to send an in-kernel
special message.
The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.
The notable thing is struct atmtcp_control is uAPI but has a
space for an in-kernel pointer.
struct atmtcp_control {
struct atmtcp_hdr hdr; /* must be first */
...
atm_kptr_t vcc; /* both directions */
...
} __ATM_API_ALIGN;
typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;
The special message is processed in atmtcp_recv_control() called
from atmtcp_c_send().
atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:
1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
2. vcc_sendmsg()
The problem is sendmsg() does not validate the message length and
userspace can abuse atmtcp_recv_control() to overwrite any kptr
by atmtcp_control.
Let's add a new ->pre_send() hook to validate messages from sendmsg().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
Call Trace:
<TASK>
vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
____sys_sendmsg+0x505/0x830 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
</TASK>
Modules linked in:
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:50.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c",
"include/linux/atmdev.h",
"net/atm/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b502f16bad8f0a4cfbd023452766f21bfda39dde",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0a6a6d4fb333f7afe22e59ffed18511a7a98efc8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62f368472b0aa4b5d91d9b983152855c6b6d8925",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51872b26429077be611b0a1816e0e722278015c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/atmtcp.c",
"include/linux/atmdev.h",
"net/atm/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n struct atmtcp_control {\n \tstruct atmtcp_hdr hdr;\t/* must be first */\n ...\n \tatm_kptr_t vcc;\t\t/* both directions */\n ...\n } __ATM_API_ALIGN;\n\n typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc-\u003edev-\u003eops-\u003esend() and called from 2 paths:\n\n 1. .ndo_start_xmit() (vcc-\u003esend() == atm_send_aal0())\n 2. vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet\u0027s add a new -\u003epre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 \u003c42\u003e 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n \u003c/TASK\u003e\nModules linked in:"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:30.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b502f16bad8f0a4cfbd023452766f21bfda39dde"
},
{
"url": "https://git.kernel.org/stable/c/0a6a6d4fb333f7afe22e59ffed18511a7a98efc8"
},
{
"url": "https://git.kernel.org/stable/c/62f368472b0aa4b5d91d9b983152855c6b6d8925"
},
{
"url": "https://git.kernel.org/stable/c/51872b26429077be611b0a1816e0e722278015c3"
},
{
"url": "https://git.kernel.org/stable/c/3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b"
},
{
"url": "https://git.kernel.org/stable/c/33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b"
},
{
"url": "https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe"
},
{
"url": "https://git.kernel.org/stable/c/ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a"
}
],
"title": "atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39828",
"datePublished": "2025-09-16T13:00:26.433Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:50.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53371 (GCVE-0-2023-53371)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create
The memory pointed to by the fs->any pointer is not freed in the error
path of mlx5e_fs_tt_redirect_any_create, which can lead to a memory leak.
Fix by freeing the memory in the error path, thereby making the error path
identical to mlx5e_fs_tt_redirect_any_destroy().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75df2fe6d160e16be880aacacd521b135d7177c9",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "8a75a6f169c3df3a94802314aa61282772ac75b8",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "3250affdc658557a41df9c5fb567723e421f8bf2",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create\n\nThe memory pointed to by the fs-\u003eany pointer is not freed in the error\npath of mlx5e_fs_tt_redirect_any_create, which can lead to a memory leak.\nFix by freeing the memory in the error path, thereby making the error path\nidentical to mlx5e_fs_tt_redirect_any_destroy()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:18.838Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75df2fe6d160e16be880aacacd521b135d7177c9"
},
{
"url": "https://git.kernel.org/stable/c/8a75a6f169c3df3a94802314aa61282772ac75b8"
},
{
"url": "https://git.kernel.org/stable/c/3250affdc658557a41df9c5fb567723e421f8bf2"
}
],
"title": "net/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53371",
"datePublished": "2025-09-18T13:33:18.838Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-18T13:33:18.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53618 (GCVE-0-2023-53618)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject invalid reloc tree root keys with stack dump
[BUG]
Syzbot reported a crash that an ASSERT() got triggered inside
prepare_to_merge().
That ASSERT() makes sure the reloc tree is properly pointed back by its
subvolume tree.
[CAUSE]
After more debugging output, it turns out we had an invalid reloc tree:
BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
Note the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,
QUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.
But reloc trees can only exist for subvolumes, as for non-subvolume
trees, we just COW the involved tree block, no need to create a reloc
tree since those tree blocks won't be shared with other trees.
Only subvolumes tree can share tree blocks with other trees (thus they
have BTRFS_ROOT_SHAREABLE flag).
Thus this new debug output proves my previous assumption that corrupted
on-disk data can trigger that ASSERT().
[FIX]
Besides the dedicated fix and the graceful exit, also let tree-checker to
check such root keys, to make sure reloc trees can only exist for subvolumes.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "314135b7bae9618a317874ae195272682cf2d5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ae93b316ca4b8b3c33798ef1d210355f2fb9318",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84256e00eeca73c529fc6196e478cc89b8098157",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ebcd021c92b8e4b904552e4d87283032100796d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject invalid reloc tree root keys with stack dump\n\n[BUG]\nSyzbot reported a crash that an ASSERT() got triggered inside\nprepare_to_merge().\n\nThat ASSERT() makes sure the reloc tree is properly pointed back by its\nsubvolume tree.\n\n[CAUSE]\nAfter more debugging output, it turns out we had an invalid reloc tree:\n\n BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17\n\nNote the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,\nQUOTA_TREE_OBJECTID), meaning it\u0027s a reloc tree for quota tree.\n\nBut reloc trees can only exist for subvolumes, as for non-subvolume\ntrees, we just COW the involved tree block, no need to create a reloc\ntree since those tree blocks won\u0027t be shared with other trees.\n\nOnly subvolumes tree can share tree blocks with other trees (thus they\nhave BTRFS_ROOT_SHAREABLE flag).\n\nThus this new debug output proves my previous assumption that corrupted\non-disk data can trigger that ASSERT().\n\n[FIX]\nBesides the dedicated fix and the graceful exit, also let tree-checker to\ncheck such root keys, to make sure reloc trees can only exist for subvolumes."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:25.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/314135b7bae9618a317874ae195272682cf2d5d4"
},
{
"url": "https://git.kernel.org/stable/c/3ae93b316ca4b8b3c33798ef1d210355f2fb9318"
},
{
"url": "https://git.kernel.org/stable/c/84256e00eeca73c529fc6196e478cc89b8098157"
},
{
"url": "https://git.kernel.org/stable/c/6ebcd021c92b8e4b904552e4d87283032100796d"
}
],
"title": "btrfs: reject invalid reloc tree root keys with stack dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53618",
"datePublished": "2025-10-07T15:19:25.303Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:25.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39863 (GCVE-0-2025-39863)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... |
kfree(cfg->btcoex); // FREE |
| schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... | schedule_work(); // Reschedule
|
kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
/* | btci = container_of(....); // USE
The kfree() above could | ...
also occur at any point | btci-> // USE
during the worker's execution|
*/ |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1150153c4e5940fe49ab51136343c5b4fe49d63",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "3e789f8475f6c857c88de5c5bf4b24b11a477dd7",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "2f6fbc8e04ca1d1d5c560be694199f847229c625",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "9cb83d4be0b9b697eae93d321e0da999f9cdfcfc",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(\u0026bt_local-\u003ework) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... |\n kfree(cfg-\u003ebtcoex); // FREE |\n | schedule_work(\u0026bt_local-\u003ework); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... | schedule_work(); // Reschedule\n |\n kfree(cfg-\u003ebtcoex); // FREE | brcmf_btcoex_handler() // Worker\n /* | btci = container_of(....); // USE\n The kfree() above could | ...\n also occur at any point | btci-\u003e // USE\n during the worker\u0027s execution|\n */ |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:18.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"
},
{
"url": "https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"
},
{
"url": "https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"
},
{
"url": "https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"
}
],
"title": "wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39863",
"datePublished": "2025-09-19T15:26:33.069Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:18.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53350 (GCVE-0-2023-53350)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Fix slicing memory leak
The temporary buffer storing slicing configuration data from user is only
freed on error. This is a memory leak. Free the buffer unconditionally.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df45c3e46cdb41f486eecb4277fbcc4c1ffbf9be",
"status": "affected",
"version": "ff13be8303336ead5621712f2c55012d738878b5",
"versionType": "git"
},
{
"lessThan": "2d956177b7c96e62fac762a3b7da4318cde27a73",
"status": "affected",
"version": "ff13be8303336ead5621712f2c55012d738878b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix slicing memory leak\n\nThe temporary buffer storing slicing configuration data from user is only\nfreed on error. This is a memory leak. Free the buffer unconditionally."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:41.212Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df45c3e46cdb41f486eecb4277fbcc4c1ffbf9be"
},
{
"url": "https://git.kernel.org/stable/c/2d956177b7c96e62fac762a3b7da4318cde27a73"
}
],
"title": "accel/qaic: Fix slicing memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53350",
"datePublished": "2025-09-17T14:56:41.212Z",
"dateReserved": "2025-09-16T16:08:59.566Z",
"dateUpdated": "2025-09-17T14:56:41.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40016 (GCVE-0-2025-40016)
Vulnerability from cvelistv5
Published
2025-10-20 15:29
Modified
2025-10-20 15:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
unique ID.
```
Each Unit and Terminal within the video function is assigned a unique
identification number, the Unit ID (UID) or Terminal ID (TID), contained in
the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
reserved for undefined ID,
```
If we add a new entity with id 0 or a duplicated ID, it will be marked
as UVC_INVALID_ENTITY_ID.
In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
entities to have a non-zero unique ID"), we ignored all the invalid units,
this broke a lot of non-compatible cameras. Hopefully we are more lucky
this time.
This also prevents some syzkaller reproducers from triggering warnings due
to a chain of entities referring to themselves. In one particular case, an
Output Unit is connected to an Input Unit, both with the same ID of 1. But
when looking up for the source ID of the Output Unit, that same entity is
found instead of the input entity, which leads to such warnings.
In another case, a backward chain was considered finished as the source ID
was 0. Later on, that entity was found, but its pads were not valid.
Here is a sample stack trace for one of those cases.
[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
[ 20.833501] usb 1-1: config 0 descriptor??
[ 21.038518] usb 1-1: string descriptor 0 read error: -71
[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
[ 21.042218] ------------[ cut here ]------------
[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
[ 21.043195] Modules linked in:
[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 21.044639] Workqueue: usb_hub_wq hub_event
[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
[ 21.051136] PKRU: 55555554
[ 21.051331] Call Trace:
[ 21.051480] <TASK>
[ 21.051611] ? __warn+0xc4/0x210
[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
[ 21.052252] ? report_bug+0x11b/0x1a0
[ 21.052540] ? trace_hardirqs_on+0x31/0x40
[ 21.052901] ? handle_bug+0x3d/0x70
[ 21.053197] ? exc_invalid_op+0x1a/0x50
[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
[ 21.053924] ? media_create_pad_link+0x91/0x2e0
[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
[ 21.054834] ? media_create_pad_link+0x91/0x2e0
[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
[ 21.055837] uvc_mc_register_entities+0x358/0x400
[ 21.056144] uvc_register_chains+0x1
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f617d515d66c05e9aebc787a8fe48b7163fc7b70",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "000b2a6bed7f30e0aadfb19bce9af6458d879304",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "15c0e136bd8cd70a1136a11c7876d6aae0eef8c8",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0f140cede24334b3ee55e3e1127071266cbb8287",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0e2ee70291e64a30fe36960c85294726d34a103e",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID\n\nPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero\nunique ID.\n\n```\nEach Unit and Terminal within the video function is assigned a unique\nidentification number, the Unit ID (UID) or Terminal ID (TID), contained in\nthe bUnitID or bTerminalID field of the descriptor. The value 0x00 is\nreserved for undefined ID,\n```\n\nIf we add a new entity with id 0 or a duplicated ID, it will be marked\nas UVC_INVALID_ENTITY_ID.\n\nIn a previous attempt commit 3dd075fe8ebb (\"media: uvcvideo: Require\nentities to have a non-zero unique ID\"), we ignored all the invalid units,\nthis broke a lot of non-compatible cameras. Hopefully we are more lucky\nthis time.\n\nThis also prevents some syzkaller reproducers from triggering warnings due\nto a chain of entities referring to themselves. In one particular case, an\nOutput Unit is connected to an Input Unit, both with the same ID of 1. But\nwhen looking up for the source ID of the Output Unit, that same entity is\nfound instead of the input entity, which leads to such warnings.\n\nIn another case, a backward chain was considered finished as the source ID\nwas 0. Later on, that entity was found, but its pads were not valid.\n\nHere is a sample stack trace for one of those cases.\n\n[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd\n[ 20.830206] usb 1-1: Using ep0 maxpacket: 8\n[ 20.833501] usb 1-1: config 0 descriptor??\n[ 21.038518] usb 1-1: string descriptor 0 read error: -71\n[ 21.038893] usb 1-1: Found UVC 0.00 device \u003cunnamed\u003e (2833:0201)\n[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!\n[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!\n[ 21.042218] ------------[ cut here ]------------\n[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0\n[ 21.043195] Modules linked in:\n[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444\n[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[ 21.044639] Workqueue: usb_hub_wq hub_event\n[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0\n[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 \u003c0f\u003e 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00\n[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246\n[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1\n[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290\n[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000\n[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003\n[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000\n[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000\n[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0\n[ 21.051136] PKRU: 55555554\n[ 21.051331] Call Trace:\n[ 21.051480] \u003cTASK\u003e\n[ 21.051611] ? __warn+0xc4/0x210\n[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.052252] ? report_bug+0x11b/0x1a0\n[ 21.052540] ? trace_hardirqs_on+0x31/0x40\n[ 21.052901] ? handle_bug+0x3d/0x70\n[ 21.053197] ? exc_invalid_op+0x1a/0x50\n[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20\n[ 21.053924] ? media_create_pad_link+0x91/0x2e0\n[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.054834] ? media_create_pad_link+0x91/0x2e0\n[ 21.055131] ? _raw_spin_unlock+0x1e/0x40\n[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210\n[ 21.055837] uvc_mc_register_entities+0x358/0x400\n[ 21.056144] uvc_register_chains+0x1\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:29:10.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f617d515d66c05e9aebc787a8fe48b7163fc7b70"
},
{
"url": "https://git.kernel.org/stable/c/000b2a6bed7f30e0aadfb19bce9af6458d879304"
},
{
"url": "https://git.kernel.org/stable/c/15c0e136bd8cd70a1136a11c7876d6aae0eef8c8"
},
{
"url": "https://git.kernel.org/stable/c/0f140cede24334b3ee55e3e1127071266cbb8287"
},
{
"url": "https://git.kernel.org/stable/c/0e2ee70291e64a30fe36960c85294726d34a103e"
}
],
"title": "media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40016",
"datePublished": "2025-10-20T15:29:10.376Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:29:10.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53538 (GCVE-0-2023-53538)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: insert tree mod log move in push_node_left
There is a fairly unlikely race condition in tree mod log rewind that
can result in a kernel panic which has the following trace:
[530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096
[530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096
[530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002
[530.618] #PF: supervisor read access in kernel mode
[530.629] #PF: error_code(0x0000) - not-present page
[530.641] PGD 0 P4D 0
[530.647] Oops: 0000 [#1] SMP
[530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1
[530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017
[530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00
[530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246
[530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100
[530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8
[530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff
[530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000
[530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0
[530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000
[530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0
[530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[530.928] Call Trace:
[530.934] ? btrfs_printk+0x13b/0x18c
[530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130
[530.955] btrfs_map_bio+0x75/0x330
[530.963] ? kmem_cache_alloc+0x12a/0x2d0
[530.973] ? btrfs_submit_metadata_bio+0x63/0x100
[530.984] btrfs_submit_metadata_bio+0xa4/0x100
[530.995] submit_extent_page+0x30f/0x360
[531.004] read_extent_buffer_pages+0x49e/0x6d0
[531.015] ? submit_extent_page+0x360/0x360
[531.025] btree_read_extent_buffer_pages+0x5f/0x150
[531.037] read_tree_block+0x37/0x60
[531.046] read_block_for_search+0x18b/0x410
[531.056] btrfs_search_old_slot+0x198/0x2f0
[531.066] resolve_indirect_ref+0xfe/0x6f0
[531.076] ? ulist_alloc+0x31/0x60
[531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0
[531.095] find_parent_nodes+0x720/0x1830
[531.105] ? ulist_alloc+0x10/0x60
[531.113] iterate_extent_inodes+0xea/0x370
[531.123] ? btrfs_previous_extent_item+0x8f/0x110
[531.134] ? btrfs_search_path_in_tree+0x240/0x240
[531.146] iterate_inodes_from_logical+0x98/0xd0
[531.157] ? btrfs_search_path_in_tree+0x240/0x240
[531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180
[531.179] btrfs_ioctl+0xe2/0x2eb0
This occurs when logical inode resolution takes a tree mod log sequence
number, and then while backref walking hits a rewind on a busy node
which has the following sequence of tree mod log operations (numbers
filled in from a specific example, but they are somewhat arbitrary)
REMOVE_WHILE_FREEING slot 532
REMOVE_WHILE_FREEING slot 531
REMOVE_WHILE_FREEING slot 530
...
REMOVE_WHILE_FREEING slot 0
REMOVE slot 455
REMOVE slot 454
REMOVE slot 453
...
REMOVE slot 0
ADD slot 455
ADD slot 454
ADD slot 453
...
ADD slot 0
MOVE src slot 0 -> dst slot 456 nritems 533
REMOVE slot 455
REMOVE slot 454
REMOVE slot 453
...
REMOVE slot 0
When this sequence gets applied via btrfs_tree_mod_log_rewind, it
allocates a fresh rewind eb, and first inserts the correct key info for
the 533 elements, then overwrites the first 456 of them, then decrements
the count by 456 via the add ops, then rewinds the move by doing a
memmove from 456:988->0:532. We have never written anything past 532,
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ctree.c",
"fs/btrfs/tree-mod-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11f14402fe3437852cb44945b3b9f1bdb4032956",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5cead5422a0e3d13b0bcee986c0f5c4ebb94100b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ctree.c",
"fs/btrfs/tree-mod-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: insert tree mod log move in push_node_left\n\nThere is a fairly unlikely race condition in tree mod log rewind that\ncan result in a kernel panic which has the following trace:\n\n [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096\n [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096\n [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002\n [530.618] #PF: supervisor read access in kernel mode\n [530.629] #PF: error_code(0x0000) - not-present page\n [530.641] PGD 0 P4D 0\n [530.647] Oops: 0000 [#1] SMP\n [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1\n [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017\n [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00\n [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246\n [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100\n [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8\n [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff\n [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000\n [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0\n [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000\n [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0\n [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [530.928] Call Trace:\n [530.934] ? btrfs_printk+0x13b/0x18c\n [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130\n [530.955] btrfs_map_bio+0x75/0x330\n [530.963] ? kmem_cache_alloc+0x12a/0x2d0\n [530.973] ? btrfs_submit_metadata_bio+0x63/0x100\n [530.984] btrfs_submit_metadata_bio+0xa4/0x100\n [530.995] submit_extent_page+0x30f/0x360\n [531.004] read_extent_buffer_pages+0x49e/0x6d0\n [531.015] ? submit_extent_page+0x360/0x360\n [531.025] btree_read_extent_buffer_pages+0x5f/0x150\n [531.037] read_tree_block+0x37/0x60\n [531.046] read_block_for_search+0x18b/0x410\n [531.056] btrfs_search_old_slot+0x198/0x2f0\n [531.066] resolve_indirect_ref+0xfe/0x6f0\n [531.076] ? ulist_alloc+0x31/0x60\n [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0\n [531.095] find_parent_nodes+0x720/0x1830\n [531.105] ? ulist_alloc+0x10/0x60\n [531.113] iterate_extent_inodes+0xea/0x370\n [531.123] ? btrfs_previous_extent_item+0x8f/0x110\n [531.134] ? btrfs_search_path_in_tree+0x240/0x240\n [531.146] iterate_inodes_from_logical+0x98/0xd0\n [531.157] ? btrfs_search_path_in_tree+0x240/0x240\n [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180\n [531.179] btrfs_ioctl+0xe2/0x2eb0\n\nThis occurs when logical inode resolution takes a tree mod log sequence\nnumber, and then while backref walking hits a rewind on a busy node\nwhich has the following sequence of tree mod log operations (numbers\nfilled in from a specific example, but they are somewhat arbitrary)\n\n REMOVE_WHILE_FREEING slot 532\n REMOVE_WHILE_FREEING slot 531\n REMOVE_WHILE_FREEING slot 530\n ...\n REMOVE_WHILE_FREEING slot 0\n REMOVE slot 455\n REMOVE slot 454\n REMOVE slot 453\n ...\n REMOVE slot 0\n ADD slot 455\n ADD slot 454\n ADD slot 453\n ...\n ADD slot 0\n MOVE src slot 0 -\u003e dst slot 456 nritems 533\n REMOVE slot 455\n REMOVE slot 454\n REMOVE slot 453\n ...\n REMOVE slot 0\n\nWhen this sequence gets applied via btrfs_tree_mod_log_rewind, it\nallocates a fresh rewind eb, and first inserts the correct key info for\nthe 533 elements, then overwrites the first 456 of them, then decrements\nthe count by 456 via the add ops, then rewinds the move by doing a\nmemmove from 456:988-\u003e0:532. We have never written anything past 532,\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:48.694Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11f14402fe3437852cb44945b3b9f1bdb4032956"
},
{
"url": "https://git.kernel.org/stable/c/5cead5422a0e3d13b0bcee986c0f5c4ebb94100b"
}
],
"title": "btrfs: insert tree mod log move in push_node_left",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53538",
"datePublished": "2025-10-04T15:16:48.694Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2025-10-04T15:16:48.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39675 (GCVE-0-2025-39675)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
The function mod_hdcp_hdcp1_create_session() calls the function
get_first_active_display(), but does not check its return value.
The return value is a null pointer if the display list is empty.
This will lead to a null pointer dereference.
Add a null pointer check for get_first_active_display() and return
MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.
This is similar to the commit c3e9826a2202
("drm/amd/display: Add null pointer check for get_first_active_display()").
(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 Version: 2deade5ede56581722c0d7672f28b09548dc0fc4 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:08.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2af45aadb7b5d3852c76e2d1e985289ada6f48bf",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "ee0373b20bb67b1f00a1b25ccd24c8ac996b6446",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "857b8387a9777e42b36e0400be99b54c251eaf9a",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "97fc94c5fd3c6ac5a13e457d38ee247737b8c4bd",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "2ee86b764c54e0d6a5464fb023b630fdf20869cd",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "7a2ca2ea64b1b63c8baa94a8f5deb70b2248d119",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()\n\nThe function mod_hdcp_hdcp1_create_session() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference.\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.\n\nThis is similar to the commit c3e9826a2202\n(\"drm/amd/display: Add null pointer check for get_first_active_display()\").\n\n(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:10.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2af45aadb7b5d3852c76e2d1e985289ada6f48bf"
},
{
"url": "https://git.kernel.org/stable/c/ee0373b20bb67b1f00a1b25ccd24c8ac996b6446"
},
{
"url": "https://git.kernel.org/stable/c/857b8387a9777e42b36e0400be99b54c251eaf9a"
},
{
"url": "https://git.kernel.org/stable/c/97fc94c5fd3c6ac5a13e457d38ee247737b8c4bd"
},
{
"url": "https://git.kernel.org/stable/c/2ee86b764c54e0d6a5464fb023b630fdf20869cd"
},
{
"url": "https://git.kernel.org/stable/c/7a2ca2ea64b1b63c8baa94a8f5deb70b2248d119"
}
],
"title": "drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39675",
"datePublished": "2025-09-05T17:20:41.179Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-11-03T17:42:08.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38685 (GCVE-0-2025-38685)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.
As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:12.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "078e62bffca4b7e72e8f3550eb063ab981c36c7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c4d7ddaf1d43780b106bedc692679f965dc5a3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27b118aebdd84161c8ff5ce49d9d536f2af10754",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed9b8e5016230868c8d813d9179523f729fec8c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56701bf9eeb63219e378cb7fcbd066ea4eaeeb50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfec17721265e72e50cc69c6004fe3475cd38df2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af0db3c1f898144846d4c172531a199bb3ca375d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix vmalloc out-of-bounds write in fast_imageblit\n\nThis issue triggers when a userspace program does an ioctl\nFBIOPUT_CON2FBMAP by passing console number and frame buffer number.\nIdeally this maps console to frame buffer and updates the screen if\nconsole is visible.\n\nAs part of mapping it has to do resize of console according to frame\nbuffer info. if this resize fails and returns from vc_do_resize() and\ncontinues further. At this point console and new frame buffer are mapped\nand sets display vars. Despite failure still it continue to proceed\nupdating the screen at later stages where vc_data is related to previous\nframe buffer and frame buffer info and display vars are mapped to new\nframe buffer and eventully leading to out-of-bounds write in\nfast_imageblit(). This bheviour is excepted only when fg_console is\nequal to requested console which is a visible console and updates screen\nwith invalid struct references in fbcon_putcs()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:57.553Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/078e62bffca4b7e72e8f3550eb063ab981c36c7a"
},
{
"url": "https://git.kernel.org/stable/c/4c4d7ddaf1d43780b106bedc692679f965dc5a3a"
},
{
"url": "https://git.kernel.org/stable/c/27b118aebdd84161c8ff5ce49d9d536f2af10754"
},
{
"url": "https://git.kernel.org/stable/c/ed9b8e5016230868c8d813d9179523f729fec8c6"
},
{
"url": "https://git.kernel.org/stable/c/56701bf9eeb63219e378cb7fcbd066ea4eaeeb50"
},
{
"url": "https://git.kernel.org/stable/c/cfec17721265e72e50cc69c6004fe3475cd38df2"
},
{
"url": "https://git.kernel.org/stable/c/af0db3c1f898144846d4c172531a199bb3ca375d"
}
],
"title": "fbdev: Fix vmalloc out-of-bounds write in fast_imageblit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38685",
"datePublished": "2025-09-04T15:32:39.856Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:12.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50484 (GCVE-0-2022-50484)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential memory leaks
When the driver hits -ENOMEM at allocating a URB or a buffer, it
aborts and goes to the error path that releases the all previously
allocated resources. However, when -ENOMEM hits at the middle of the
sync EP URB allocation loop, the partially allocated URBs might be
left without released, because ep->nurbs is still zero at that point.
Fix it by setting ep->nurbs at first, so that the error handler loops
over the full URB list.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0604e5e5537af099ea2f6dfd892afe5c92db8a80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28d8d267af5d73f91d7640cbdb4024703256e36c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46f0aed47673e275d682af60ed26dcc28add8eae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "988ec0cd0a2643c25c1658f7c33de2e15a5a2e31",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bc1d16d282bca421c6fc31de4b8fd412010f01bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0672215994e2347a9b4f145e2bc1709b1e01cee3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "faa8c1ed77d0169955b9b3516b714cc5fb512f27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e4442410f76d66b9f7e854010bce04853f665324",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6382da0828995af87aa8b8bef28cc61aceb4aff3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks\n\nWhen the driver hits -ENOMEM at allocating a URB or a buffer, it\naborts and goes to the error path that releases the all previously\nallocated resources. However, when -ENOMEM hits at the middle of the\nsync EP URB allocation loop, the partially allocated URBs might be\nleft without released, because ep-\u003enurbs is still zero at that point.\n\nFix it by setting ep-\u003enurbs at first, so that the error handler loops\nover the full URB list."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:42.385Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0604e5e5537af099ea2f6dfd892afe5c92db8a80"
},
{
"url": "https://git.kernel.org/stable/c/28d8d267af5d73f91d7640cbdb4024703256e36c"
},
{
"url": "https://git.kernel.org/stable/c/46f0aed47673e275d682af60ed26dcc28add8eae"
},
{
"url": "https://git.kernel.org/stable/c/988ec0cd0a2643c25c1658f7c33de2e15a5a2e31"
},
{
"url": "https://git.kernel.org/stable/c/bc1d16d282bca421c6fc31de4b8fd412010f01bd"
},
{
"url": "https://git.kernel.org/stable/c/0672215994e2347a9b4f145e2bc1709b1e01cee3"
},
{
"url": "https://git.kernel.org/stable/c/faa8c1ed77d0169955b9b3516b714cc5fb512f27"
},
{
"url": "https://git.kernel.org/stable/c/e4442410f76d66b9f7e854010bce04853f665324"
},
{
"url": "https://git.kernel.org/stable/c/6382da0828995af87aa8b8bef28cc61aceb4aff3"
}
],
"title": "ALSA: usb-audio: Fix potential memory leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50484",
"datePublished": "2025-10-04T15:16:42.385Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-04T15:16:42.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39197 (GCVE-0-2023-39197)
Vulnerability from cvelistv5
Published
2024-01-23 03:04
Modified
2025-11-20 19:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Out-of-bounds Read
Summary
An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:05.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-39197"
},
{
"name": "RHBZ#2218342",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218342"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:53:09.997061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:20:05.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2023-11-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T19:52:50.631Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-39197"
},
{
"name": "RHBZ#2218342",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218342"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-28T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-11-08T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: dccp: conntrack out-of-bounds read in nf_conntrack_dccp_packet()",
"x_redhatCweChain": "CWE-125: Out-of-bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-39197",
"datePublished": "2024-01-23T03:04:26.950Z",
"dateReserved": "2023-07-25T17:04:34.810Z",
"dateUpdated": "2025-11-20T19:52:50.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39978 (GCVE-0-2025-39978)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"
and then dereferences it on the next line. Two lines later, we take
a mutex so I don't think this is an RCU safe region. Re-order it to do
the dereferences before queuing up the free.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5723120423a753a220b8b2954b273838b9d7e74a",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "df2c071061ed52d2225d97b212d27ecedf456b8a",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "c41b2941a024d4ec7c768e16ffb10a74b188fced",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "a8a63f27c3a8a3714210d32b12fd0f16d0337414",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
},
{
"lessThan": "d9c70e93ec5988ab07ad2a92d9f9d12867f02c56",
"status": "affected",
"version": "68fbff68dbea35f9e6f7649dd22fce492a5aedac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential use after free in otx2_tc_add_flow()\n\nThis code calls kfree_rcu(new_node, rcu) and then dereferences \"new_node\"\nand then dereferences it on the next line. Two lines later, we take\na mutex so I don\u0027t think this is an RCU safe region. Re-order it to do\nthe dereferences before queuing up the free."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:58.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5723120423a753a220b8b2954b273838b9d7e74a"
},
{
"url": "https://git.kernel.org/stable/c/df2c071061ed52d2225d97b212d27ecedf456b8a"
},
{
"url": "https://git.kernel.org/stable/c/c41b2941a024d4ec7c768e16ffb10a74b188fced"
},
{
"url": "https://git.kernel.org/stable/c/a8a63f27c3a8a3714210d32b12fd0f16d0337414"
},
{
"url": "https://git.kernel.org/stable/c/d9c70e93ec5988ab07ad2a92d9f9d12867f02c56"
}
],
"title": "octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39978",
"datePublished": "2025-10-15T07:55:58.949Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:55:58.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53328 (GCVE-0-2023-53328)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-17 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Enhance sanity check while generating attr_list
ni_create_attr_list uses WARN_ON to catch error cases while generating
attribute list, which only prints out stack trace and may not be enough.
This repalces them with more proper error handling flow.
[ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e
[ 59.673268] #PF: supervisor read access in kernel mode
[ 59.678354] #PF: error_code(0x0000) - not-present page
[ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0
[ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4
[ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860
[ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8
[ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282
[ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe
[ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0
[ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9
[ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180
[ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050
[ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0
[ 59.787607] Call Trace:
[ 59.790271] <TASK>
[ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10
[ 59.797235] ? kernel_text_address+0xd3/0xe0
[ 59.800856] ? unwind_get_return_address+0x3e/0x60
[ 59.805101] ? __kasan_check_write+0x18/0x20
[ 59.809296] ? preempt_count_sub+0x1c/0xd0
[ 59.813421] ni_ins_attr_ext+0x52c/0x5c0
[ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10
[ 59.821926] ? __vfs_setxattr+0x121/0x170
[ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300
[ 59.829562] ? __vfs_setxattr_locked+0x145/0x170
[ 59.833987] ? vfs_setxattr+0x137/0x2a0
[ 59.836732] ? do_setxattr+0xce/0x150
[ 59.839807] ? setxattr+0x126/0x140
[ 59.842353] ? path_setxattr+0x164/0x180
[ 59.845275] ? __x64_sys_setxattr+0x71/0x90
[ 59.848838] ? do_syscall_64+0x3f/0x90
[ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 59.857046] ? stack_depot_save+0x17/0x20
[ 59.860299] ni_insert_attr+0x1ba/0x420
[ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10
[ 59.867069] ? preempt_count_sub+0x1c/0xd0
[ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 59.874088] ? __create_object+0x3ae/0x5d0
[ 59.877865] ni_insert_resident+0xc4/0x1c0
[ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10
[ 59.886355] ? kasan_save_alloc_info+0x1f/0x30
[ 59.891117] ? __kasan_kmalloc+0x8b/0xa0
[ 59.894383] ntfs_set_ea+0x90d/0xbf0
[ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10
[ 59.901011] ? kernel_text_address+0xd3/0xe0
[ 59.905308] ? __kernel_text_address+0x16/0x50
[ 59.909811] ? unwind_get_return_address+0x3e/0x60
[ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 59.920250] ? arch_stack_walk+0xa2/0x100
[ 59.924560] ? filter_irq_stacks+0x27/0x80
[ 59.928722] ntfs_setxattr+0x405/0x440
[ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10
[ 59.936634] ? kvmalloc_node+0x2d/0x120
[ 59.940378] ? kasan_save_stack+0x41/0x60
[ 59.943870] ? kasan_save_stack+0x2a/0x60
[ 59.947719] ? kasan_set_track+0x29/0x40
[ 59.951417] ? kasan_save_alloc_info+0x1f/0x30
[ 59.955733] ? __kasan_kmalloc+0x8b/0xa0
[ 59.959598] ? __kmalloc_node+0x68/0x150
[ 59.963163] ? kvmalloc_node+0x2d/0x120
[ 59.966490] ? vmemdup_user+0x2b/0xa0
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/frecord.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7799bb4dbe26bfb665f29ea87981708fd6012d8",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "4246bbef0442f4a1e974df0ab091f4f33ac69451",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "64fab8bce5237ca225ee1ec9dff5cc8c31b0631f",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "fdec309c7672cbee4dc0229ee4cbb33c948a1bdd",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/frecord.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Enhance sanity check while generating attr_list\n\nni_create_attr_list uses WARN_ON to catch error cases while generating\nattribute list, which only prints out stack trace and may not be enough.\nThis repalces them with more proper error handling flow.\n\n[ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e\n[ 59.673268] #PF: supervisor read access in kernel mode\n[ 59.678354] #PF: error_code(0x0000) - not-present page\n[ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0\n[ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4\n[ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860\n[ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8\n[ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282\n[ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe\n[ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0\n[ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9\n[ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180\n[ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050\n[ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000\n[ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0\n[ 59.787607] Call Trace:\n[ 59.790271] \u003cTASK\u003e\n[ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10\n[ 59.797235] ? kernel_text_address+0xd3/0xe0\n[ 59.800856] ? unwind_get_return_address+0x3e/0x60\n[ 59.805101] ? __kasan_check_write+0x18/0x20\n[ 59.809296] ? preempt_count_sub+0x1c/0xd0\n[ 59.813421] ni_ins_attr_ext+0x52c/0x5c0\n[ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10\n[ 59.821926] ? __vfs_setxattr+0x121/0x170\n[ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300\n[ 59.829562] ? __vfs_setxattr_locked+0x145/0x170\n[ 59.833987] ? vfs_setxattr+0x137/0x2a0\n[ 59.836732] ? do_setxattr+0xce/0x150\n[ 59.839807] ? setxattr+0x126/0x140\n[ 59.842353] ? path_setxattr+0x164/0x180\n[ 59.845275] ? __x64_sys_setxattr+0x71/0x90\n[ 59.848838] ? do_syscall_64+0x3f/0x90\n[ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[ 59.857046] ? stack_depot_save+0x17/0x20\n[ 59.860299] ni_insert_attr+0x1ba/0x420\n[ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10\n[ 59.867069] ? preempt_count_sub+0x1c/0xd0\n[ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 59.874088] ? __create_object+0x3ae/0x5d0\n[ 59.877865] ni_insert_resident+0xc4/0x1c0\n[ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10\n[ 59.886355] ? kasan_save_alloc_info+0x1f/0x30\n[ 59.891117] ? __kasan_kmalloc+0x8b/0xa0\n[ 59.894383] ntfs_set_ea+0x90d/0xbf0\n[ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10\n[ 59.901011] ? kernel_text_address+0xd3/0xe0\n[ 59.905308] ? __kernel_text_address+0x16/0x50\n[ 59.909811] ? unwind_get_return_address+0x3e/0x60\n[ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10\n[ 59.920250] ? arch_stack_walk+0xa2/0x100\n[ 59.924560] ? filter_irq_stacks+0x27/0x80\n[ 59.928722] ntfs_setxattr+0x405/0x440\n[ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10\n[ 59.936634] ? kvmalloc_node+0x2d/0x120\n[ 59.940378] ? kasan_save_stack+0x41/0x60\n[ 59.943870] ? kasan_save_stack+0x2a/0x60\n[ 59.947719] ? kasan_set_track+0x29/0x40\n[ 59.951417] ? kasan_save_alloc_info+0x1f/0x30\n[ 59.955733] ? __kasan_kmalloc+0x8b/0xa0\n[ 59.959598] ? __kmalloc_node+0x68/0x150\n[ 59.963163] ? kvmalloc_node+0x2d/0x120\n[ 59.966490] ? vmemdup_user+0x2b/0xa0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T11:02:55.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7799bb4dbe26bfb665f29ea87981708fd6012d8"
},
{
"url": "https://git.kernel.org/stable/c/4246bbef0442f4a1e974df0ab091f4f33ac69451"
},
{
"url": "https://git.kernel.org/stable/c/64fab8bce5237ca225ee1ec9dff5cc8c31b0631f"
},
{
"url": "https://git.kernel.org/stable/c/fdec309c7672cbee4dc0229ee4cbb33c948a1bdd"
}
],
"title": "fs/ntfs3: Enhance sanity check while generating attr_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53328",
"datePublished": "2025-09-16T16:12:04.352Z",
"dateReserved": "2025-09-16T16:08:59.564Z",
"dateUpdated": "2025-09-17T11:02:55.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39851 (GCVE-0-2025-39851)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
VXLAN FDB entries can point to either a remote destination or an FDB
nexthop group. The latter is usually used in EVPN deployments where
learning is disabled.
However, when learning is enabled, an incoming packet might try to
refresh an FDB entry that points to an FDB nexthop group and therefore
does not have a remote. Such packets should be dropped, but they are
only dropped after dereferencing the non-existent remote, resulting in a
NPD [1] which can be reproduced using [2].
Fix by dropping such packets earlier. Remove the misleading comment from
first_remote_rcu().
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:vxlan_snoop+0x98/0x1e0
[...]
Call Trace:
<TASK>
vxlan_encap_bypass+0x209/0x240
encap_bypass_if_local+0xb1/0x100
vxlan_xmit_one+0x1375/0x17e0
vxlan_xmit+0x6b4/0x15f0
dev_hard_start_xmit+0x5d/0x1c0
__dev_queue_xmit+0x246/0xfd0
packet_sendmsg+0x113a/0x1850
__sock_sendmsg+0x38/0x70
__sys_sendto+0x126/0x180
__x64_sys_sendto+0x24/0x30
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
#!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip address add 192.0.2.2/32 dev lo
ip nexthop add id 1 via 192.0.2.3 fdb
ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass
ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning
bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020
bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10
mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c",
"drivers/net/vxlan/vxlan_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ff4f3104da6507e0f118c63c4560dfdeb59dce3",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "0e8630f24c14d9c655d19eabe2e52a9e9f713307",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
},
{
"lessThan": "6ead38147ebb813f08be6ea8ef547a0e4c09559a",
"status": "affected",
"version": "1274e1cc42264d4e629841e4f182795cb0becfd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c",
"drivers/net/vxlan/vxlan_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD when refreshing an FDB entry with a nexthop object\n\nVXLAN FDB entries can point to either a remote destination or an FDB\nnexthop group. The latter is usually used in EVPN deployments where\nlearning is disabled.\n\nHowever, when learning is enabled, an incoming packet might try to\nrefresh an FDB entry that points to an FDB nexthop group and therefore\ndoes not have a remote. Such packets should be dropped, but they are\nonly dropped after dereferencing the non-existent remote, resulting in a\nNPD [1] which can be reproduced using [2].\n\nFix by dropping such packets earlier. Remove the misleading comment from\nfirst_remote_rcu().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_snoop+0x98/0x1e0\n[...]\nCall Trace:\n \u003cTASK\u003e\n vxlan_encap_bypass+0x209/0x240\n encap_bypass_if_local+0xb1/0x100\n vxlan_xmit_one+0x1375/0x17e0\n vxlan_xmit+0x6b4/0x15f0\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n ip address add 192.0.2.2/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.3 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass\n ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020\n bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10\n\n mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:03.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ff4f3104da6507e0f118c63c4560dfdeb59dce3"
},
{
"url": "https://git.kernel.org/stable/c/0e8630f24c14d9c655d19eabe2e52a9e9f713307"
},
{
"url": "https://git.kernel.org/stable/c/6ead38147ebb813f08be6ea8ef547a0e4c09559a"
}
],
"title": "vxlan: Fix NPD when refreshing an FDB entry with a nexthop object",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39851",
"datePublished": "2025-09-19T15:26:23.576Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-09-29T06:01:03.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47684 (GCVE-0-2024-47684)
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-11-03 22:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: check skb is non-NULL in tcp_rto_delta_us()
We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
kernel that are running ceph and recently hit a null ptr dereference in
tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
saw it getting hit from the RACK case as well. Here are examples of the oops
messages we saw in each of those cases:
Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
Jul 26 15:05:02 rx [11061395.916786] Call Trace:
Jul 26 15:05:02 rx [11061395.919488]
Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: 42a858e036bb26cb559157393b7890cabe70bfc2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:06:54.270421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:14:16.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:20:50.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "16e0387d87fc858e34449fdf2b14ed5837f761db",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "5c4c03288a4aea705e36aa44119c13d7ee4dce99",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "96c4983eab2a5da235f7fff90beaf17b008ba029",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "570f7d8c9bf14f041152ba8353d4330ef7575915",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "81d18c152e3f82bacadf83bc0a471b2363b9cc18",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "09aea49fbc7e755a915c405644f347137cdb62b0",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"lessThan": "c8770db2d54437a5f49417ae7b46f7de23d14db6",
"status": "affected",
"version": "e1a10ef7fa876f8510aaec36ea5c0cf34baba410",
"versionType": "git"
},
{
"status": "affected",
"version": "42a858e036bb26cb559157393b7890cabe70bfc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.108",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: check skb is non-NULL in tcp_rto_delta_us()\n\nWe have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic\nkernel that are running ceph and recently hit a null ptr dereference in\ntcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also\nsaw it getting hit from the RACK case as well. Here are examples of the oops\nmessages we saw in each of those cases:\n\nJul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020\nJul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode\nJul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page\nJul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0\nJul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI\nJul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu\nJul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023\nJul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 \u003c48\u003e 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3\nJul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246\nJul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000\nJul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60\nJul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8\nJul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900\nJul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30\nJul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000\nJul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nJul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0\nJul 26 15:05:02 rx [11061395.913822] PKRU: 55555554\nJul 26 15:05:02 rx [11061395.916786] Call Trace:\nJul 26 15:05:02 rx [11061395.919488]\nJul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f\nJul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9\nJul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380\nJul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0\nJul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50\nJul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0\nJul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20\nJul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450\nJul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140\nJul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90\nJul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0\nJul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40\nJul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220\nJul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240\nJul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0\nJul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240\nJul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130\nJul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280\nJul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10\nJul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30\nJul 26 15:05:02 rx [11061396.017718] ? lapic_next_even\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:58:53.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc"
},
{
"url": "https://git.kernel.org/stable/c/16e0387d87fc858e34449fdf2b14ed5837f761db"
},
{
"url": "https://git.kernel.org/stable/c/ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86"
},
{
"url": "https://git.kernel.org/stable/c/5c4c03288a4aea705e36aa44119c13d7ee4dce99"
},
{
"url": "https://git.kernel.org/stable/c/96c4983eab2a5da235f7fff90beaf17b008ba029"
},
{
"url": "https://git.kernel.org/stable/c/570f7d8c9bf14f041152ba8353d4330ef7575915"
},
{
"url": "https://git.kernel.org/stable/c/81d18c152e3f82bacadf83bc0a471b2363b9cc18"
},
{
"url": "https://git.kernel.org/stable/c/09aea49fbc7e755a915c405644f347137cdb62b0"
},
{
"url": "https://git.kernel.org/stable/c/c8770db2d54437a5f49417ae7b46f7de23d14db6"
}
],
"title": "tcp: check skb is non-NULL in tcp_rto_delta_us()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47684",
"datePublished": "2024-10-21T11:53:25.787Z",
"dateReserved": "2024-09-30T16:00:12.941Z",
"dateUpdated": "2025-11-03T22:20:50.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39968 (GCVE-0-2025-39968)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add max boundary check for VF filters
There is no check for max filters that VF can request. Add it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9176e18681cb0d34c5acc87bda224f5652af2ab8",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "e490d8c5a54e0dd1ab22417d72c3a7319cf0f030",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "77a35be582dff4c80442ebcdce24d45eed8a6ce4",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "02aae5fcdd34c3a55a243d80a1b328a35852a35c",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "edecce7abd7152b48e279b4fa0a883d1839bb577",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "d33e5d6631ac4fddda235a7815babc9d3f124299",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "8b13df5aa877b9e4541e301a58a84c42d84d2d9a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "cb79fa7118c150c3c76a327894bb2eb878c02619",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add max boundary check for VF filters\n\nThere is no check for max filters that VF can request. Add it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9176e18681cb0d34c5acc87bda224f5652af2ab8"
},
{
"url": "https://git.kernel.org/stable/c/e490d8c5a54e0dd1ab22417d72c3a7319cf0f030"
},
{
"url": "https://git.kernel.org/stable/c/77a35be582dff4c80442ebcdce24d45eed8a6ce4"
},
{
"url": "https://git.kernel.org/stable/c/02aae5fcdd34c3a55a243d80a1b328a35852a35c"
},
{
"url": "https://git.kernel.org/stable/c/edecce7abd7152b48e279b4fa0a883d1839bb577"
},
{
"url": "https://git.kernel.org/stable/c/d33e5d6631ac4fddda235a7815babc9d3f124299"
},
{
"url": "https://git.kernel.org/stable/c/8b13df5aa877b9e4541e301a58a84c42d84d2d9a"
},
{
"url": "https://git.kernel.org/stable/c/cb79fa7118c150c3c76a327894bb2eb878c02619"
}
],
"title": "i40e: add max boundary check for VF filters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39968",
"datePublished": "2025-10-15T07:55:52.272Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53319 (GCVE-0-2023-53319)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm
Currently there is no synchronisation between finalize_pkvm() and
kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if
kvm_arm_init() fails resulting in the following warning on all the CPUs
and eventually a HYP panic:
| kvm [1]: IPA Size Limit: 48 bits
| kvm [1]: Failed to init hyp memory protection
| kvm [1]: error initializing Hyp mode: -22
|
| <snip>
|
| WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50
| Modules linked in:
| CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237
| Hardware name: FVP Base RevC (DT)
| pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
| pc : _kvm_host_prot_finalize+0x30/0x50
| lr : __flush_smp_call_function_queue+0xd8/0x230
|
| Call trace:
| _kvm_host_prot_finalize+0x3c/0x50
| on_each_cpu_cond_mask+0x3c/0x6c
| pkvm_drop_host_privileges+0x4c/0x78
| finalize_pkvm+0x3c/0x5c
| do_one_initcall+0xcc/0x240
| do_initcall_level+0x8c/0xac
| do_initcalls+0x54/0x94
| do_basic_setup+0x1c/0x28
| kernel_init_freeable+0x100/0x16c
| kernel_init+0x20/0x1a0
| ret_from_fork+0x10/0x20
| Failed to finalize Hyp protection: -22
| dtb=fvp-base-revc.dtb
| kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!
| kvm [95]: nVHE call trace:
| kvm [95]: [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8
| kvm [95]: [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac
| kvm [95]: [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160
| kvm [95]: [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4
| kvm [95]: ---[ end nVHE call trace ]---
| kvm [95]: Hyp Offset: 0xfffe8db00ffa0000
| Kernel panic - not syncing: HYP panic:
| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800
| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000
| VCPU:0000000000000000
| CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237
| Hardware name: FVP Base RevC (DT)
| Workqueue: rpciod rpc_async_schedule
| Call trace:
| dump_backtrace+0xec/0x108
| show_stack+0x18/0x2c
| dump_stack_lvl+0x50/0x68
| dump_stack+0x18/0x24
| panic+0x138/0x33c
| nvhe_hyp_panic_handler+0x100/0x184
| new_slab+0x23c/0x54c
| ___slab_alloc+0x3e4/0x770
| kmem_cache_alloc_node+0x1f0/0x278
| __alloc_skb+0xdc/0x294
| tcp_stream_alloc_skb+0x2c/0xf0
| tcp_sendmsg_locked+0x3d0/0xda4
| tcp_sendmsg+0x38/0x5c
| inet_sendmsg+0x44/0x60
| sock_sendmsg+0x1c/0x34
| xprt_sock_sendmsg+0xdc/0x274
| xs_tcp_send_request+0x1ac/0x28c
| xprt_transmit+0xcc/0x300
| call_transmit+0x78/0x90
| __rpc_execute+0x114/0x3d8
| rpc_async_schedule+0x28/0x48
| process_one_work+0x1d8/0x314
| worker_thread+0x248/0x474
| kthread+0xfc/0x184
| ret_from_fork+0x10/0x20
| SMP: stopping secondary CPUs
| Kernel Offset: 0x57c5cb460000 from 0xffff800080000000
| PHYS_OFFSET: 0x80000000
| CPU features: 0x00000000,1035b7a3,ccfe773f
| Memory Limit: none
| ---[ end Kernel panic - not syncing: HYP panic:
| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800
| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000
| VCPU:0000000000000000 ]---
Fix it by checking for the successfull initialisation of kvm_arm_init()
in finalize_pkvm() before proceeding any futher.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/virt.h",
"arch/arm64/kvm/arm.c",
"arch/arm64/kvm/pkvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91450dec0445f4d12f960ba68d8d05c3cb2ab5b8",
"status": "affected",
"version": "87727ba2bb05cc3cb4233231faa7ab4c7eeb6c73",
"versionType": "git"
},
{
"lessThan": "fa729bc7c9c8c17a2481358c841ef8ca920485d3",
"status": "affected",
"version": "87727ba2bb05cc3cb4233231faa7ab4c7eeb6c73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/virt.h",
"arch/arm64/kvm/arm.c",
"arch/arm64/kvm/pkvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm\n\nCurrently there is no synchronisation between finalize_pkvm() and\nkvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if\nkvm_arm_init() fails resulting in the following warning on all the CPUs\nand eventually a HYP panic:\n\n | kvm [1]: IPA Size Limit: 48 bits\n | kvm [1]: Failed to init hyp memory protection\n | kvm [1]: error initializing Hyp mode: -22\n |\n | \u003csnip\u003e\n |\n | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50\n | Modules linked in:\n | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237\n | Hardware name: FVP Base RevC (DT)\n | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n | pc : _kvm_host_prot_finalize+0x30/0x50\n | lr : __flush_smp_call_function_queue+0xd8/0x230\n |\n | Call trace:\n | _kvm_host_prot_finalize+0x3c/0x50\n | on_each_cpu_cond_mask+0x3c/0x6c\n | pkvm_drop_host_privileges+0x4c/0x78\n | finalize_pkvm+0x3c/0x5c\n | do_one_initcall+0xcc/0x240\n | do_initcall_level+0x8c/0xac\n | do_initcalls+0x54/0x94\n | do_basic_setup+0x1c/0x28\n | kernel_init_freeable+0x100/0x16c\n | kernel_init+0x20/0x1a0\n | ret_from_fork+0x10/0x20\n | Failed to finalize Hyp protection: -22\n | dtb=fvp-base-revc.dtb\n | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!\n | kvm [95]: nVHE call trace:\n | kvm [95]: [\u003cffff800081052984\u003e] __kvm_nvhe_hyp_panic+0xac/0xf8\n | kvm [95]: [\u003cffff800081059644\u003e] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac\n | kvm [95]: [\u003cffff80008105511c\u003e] __kvm_nvhe_handle_trap+0x4c/0x160\n | kvm [95]: [\u003cffff8000810540fc\u003e] __kvm_nvhe___skip_pauth_save+0x4/0x4\n | kvm [95]: ---[ end nVHE call trace ]---\n | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000\n | Kernel panic - not syncing: HYP panic:\n | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n | VCPU:0000000000000000\n | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237\n | Hardware name: FVP Base RevC (DT)\n | Workqueue: rpciod rpc_async_schedule\n | Call trace:\n | dump_backtrace+0xec/0x108\n | show_stack+0x18/0x2c\n | dump_stack_lvl+0x50/0x68\n | dump_stack+0x18/0x24\n | panic+0x138/0x33c\n | nvhe_hyp_panic_handler+0x100/0x184\n | new_slab+0x23c/0x54c\n | ___slab_alloc+0x3e4/0x770\n | kmem_cache_alloc_node+0x1f0/0x278\n | __alloc_skb+0xdc/0x294\n | tcp_stream_alloc_skb+0x2c/0xf0\n | tcp_sendmsg_locked+0x3d0/0xda4\n | tcp_sendmsg+0x38/0x5c\n | inet_sendmsg+0x44/0x60\n | sock_sendmsg+0x1c/0x34\n | xprt_sock_sendmsg+0xdc/0x274\n | xs_tcp_send_request+0x1ac/0x28c\n | xprt_transmit+0xcc/0x300\n | call_transmit+0x78/0x90\n | __rpc_execute+0x114/0x3d8\n | rpc_async_schedule+0x28/0x48\n | process_one_work+0x1d8/0x314\n | worker_thread+0x248/0x474\n | kthread+0xfc/0x184\n | ret_from_fork+0x10/0x20\n | SMP: stopping secondary CPUs\n | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000\n | PHYS_OFFSET: 0x80000000\n | CPU features: 0x00000000,1035b7a3,ccfe773f\n | Memory Limit: none\n | ---[ end Kernel panic - not syncing: HYP panic:\n | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n | VCPU:0000000000000000 ]---\n\nFix it by checking for the successfull initialisation of kvm_arm_init()\nin finalize_pkvm() before proceeding any futher."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:55.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91450dec0445f4d12f960ba68d8d05c3cb2ab5b8"
},
{
"url": "https://git.kernel.org/stable/c/fa729bc7c9c8c17a2481358c841ef8ca920485d3"
}
],
"title": "KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53319",
"datePublished": "2025-09-16T16:11:55.490Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:55.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53711 (GCVE-0-2023-53711)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a potential data corruption
We must ensure that the subrequests are joined back into the head before
we can retransmit a request. If the head was not on the commit lists,
because the server wrote it synchronously, we still need to add it back
to the retransmission list.
Add a call that mirrors the effect of nfs_cancel_remove_inode() for
O_DIRECT.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/direct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4185605cd0f72ec8bf8b423aacd94cd5ee13bbcf",
"status": "affected",
"version": "ed5d588fe47feef290f271022820e255d8371561",
"versionType": "git"
},
{
"lessThan": "da302f1d476a44245823a74546debb5d160bf5bd",
"status": "affected",
"version": "ed5d588fe47feef290f271022820e255d8371561",
"versionType": "git"
},
{
"lessThan": "dac14a1dbe20e003215dacb8a3a1a7e4ca4e0ad0",
"status": "affected",
"version": "ed5d588fe47feef290f271022820e255d8371561",
"versionType": "git"
},
{
"lessThan": "0ec26716e45d615edfff46012e7dedcc0ac5f7ab",
"status": "affected",
"version": "ed5d588fe47feef290f271022820e255d8371561",
"versionType": "git"
},
{
"lessThan": "88975a55969e11f26fe3846bf4fbf8e7dc8cbbd4",
"status": "affected",
"version": "ed5d588fe47feef290f271022820e255d8371561",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/direct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a potential data corruption\n\nWe must ensure that the subrequests are joined back into the head before\nwe can retransmit a request. If the head was not on the commit lists,\nbecause the server wrote it synchronously, we still need to add it back\nto the retransmission list.\nAdd a call that mirrors the effect of nfs_cancel_remove_inode() for\nO_DIRECT."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:46.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4185605cd0f72ec8bf8b423aacd94cd5ee13bbcf"
},
{
"url": "https://git.kernel.org/stable/c/da302f1d476a44245823a74546debb5d160bf5bd"
},
{
"url": "https://git.kernel.org/stable/c/dac14a1dbe20e003215dacb8a3a1a7e4ca4e0ad0"
},
{
"url": "https://git.kernel.org/stable/c/0ec26716e45d615edfff46012e7dedcc0ac5f7ab"
},
{
"url": "https://git.kernel.org/stable/c/88975a55969e11f26fe3846bf4fbf8e7dc8cbbd4"
}
],
"title": "NFS: Fix a potential data corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53711",
"datePublished": "2025-10-22T13:23:46.458Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:46.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53472 (GCVE-0-2023-53472)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: lpc32xx: Remove handling of PWM channels
Because LPC32xx PWM controllers have only a single output which is
registered as the only PWM device/channel per controller, it is known in
advance that pwm->hwpwm value is always 0. On basis of this fact
simplify the code by removing operations with pwm->hwpwm, there is no
controls which require channel number as input.
Even though I wasn't aware at the time when I forward ported that patch,
this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL
before devm_pwmchip_add() is called.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bb4de81eb940e7027f37a6fd3b7ddcb4403deb56 Version: 4459118977665f681017e1299933895d54b6e87b Version: 81e6b51709da162b94e40a445bb60856406beaa1 Version: 322b70b522abe03cd59712bb47a72eddd835d19d Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Version: 7fc2172ad4e701d3c6e7dcb7b2efd8df71d2417b Version: 1c90a357cef4219cb436e59cc7463888103e104b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-lpc32xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abd9b2ee4047ccd980decbf26d61f9637604b1d5",
"status": "affected",
"version": "bb4de81eb940e7027f37a6fd3b7ddcb4403deb56",
"versionType": "git"
},
{
"lessThan": "a9a505f5b39d8fff1a55963a5e524c84639e98b2",
"status": "affected",
"version": "4459118977665f681017e1299933895d54b6e87b",
"versionType": "git"
},
{
"lessThan": "04301da4d87067a989f70ee56942bf9d97cd2a45",
"status": "affected",
"version": "81e6b51709da162b94e40a445bb60856406beaa1",
"versionType": "git"
},
{
"lessThan": "a2d9d884e84bfd37892219b1f55847f36d8e9901",
"status": "affected",
"version": "322b70b522abe03cd59712bb47a72eddd835d19d",
"versionType": "git"
},
{
"lessThan": "5e22217c11424ef958ba28d03ff7167b4d7a8914",
"status": "affected",
"version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e",
"versionType": "git"
},
{
"lessThan": "523f6268e86552a048975749251184c4e9a4b38f",
"status": "affected",
"version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e",
"versionType": "git"
},
{
"lessThan": "e3a0ddbaf7f1f9ffc070718b417461ced3268758",
"status": "affected",
"version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e",
"versionType": "git"
},
{
"lessThan": "4aae44f65827f0213a7361cf9c32cfe06114473f",
"status": "affected",
"version": "3d2813fb17e5fd0d73c1d1442ca0192bde4af10e",
"versionType": "git"
},
{
"status": "affected",
"version": "7fc2172ad4e701d3c6e7dcb7b2efd8df71d2417b",
"versionType": "git"
},
{
"status": "affected",
"version": "1c90a357cef4219cb436e59cc7463888103e104b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-lpc32xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.248",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.208",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.4.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.10.69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: lpc32xx: Remove handling of PWM channels\n\nBecause LPC32xx PWM controllers have only a single output which is\nregistered as the only PWM device/channel per controller, it is known in\nadvance that pwm-\u003ehwpwm value is always 0. On basis of this fact\nsimplify the code by removing operations with pwm-\u003ehwpwm, there is no\ncontrols which require channel number as input.\n\nEven though I wasn\u0027t aware at the time when I forward ported that patch,\nthis fixes a null pointer dereference as lpc32xx-\u003echip.pwms is NULL\nbefore devm_pwmchip_add() is called."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:41.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abd9b2ee4047ccd980decbf26d61f9637604b1d5"
},
{
"url": "https://git.kernel.org/stable/c/a9a505f5b39d8fff1a55963a5e524c84639e98b2"
},
{
"url": "https://git.kernel.org/stable/c/04301da4d87067a989f70ee56942bf9d97cd2a45"
},
{
"url": "https://git.kernel.org/stable/c/a2d9d884e84bfd37892219b1f55847f36d8e9901"
},
{
"url": "https://git.kernel.org/stable/c/5e22217c11424ef958ba28d03ff7167b4d7a8914"
},
{
"url": "https://git.kernel.org/stable/c/523f6268e86552a048975749251184c4e9a4b38f"
},
{
"url": "https://git.kernel.org/stable/c/e3a0ddbaf7f1f9ffc070718b417461ced3268758"
},
{
"url": "https://git.kernel.org/stable/c/4aae44f65827f0213a7361cf9c32cfe06114473f"
}
],
"title": "pwm: lpc32xx: Remove handling of PWM channels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53472",
"datePublished": "2025-10-01T11:42:41.951Z",
"dateReserved": "2025-10-01T11:39:39.401Z",
"dateUpdated": "2025-10-01T11:42:41.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53369 (GCVE-0-2023-53369)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dcb: choose correct policy to parse DCB_ATTR_BCN
The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],
which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB
BCN"). Please see the comment in below code
static int dcbnl_bcn_setcfg(...)
{
...
ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
// !!! dcbnl_pfc_up_nest for attributes
// DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
...
for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
// !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
...
value_byte = nla_get_u8(data[i]);
...
}
...
for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
// !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
...
value_int = nla_get_u32(data[i]);
...
}
...
}
That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest
attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the
following access code fetch each nlattr as dcbnl_bcn_attrs attributes.
By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find
the beginning part of these two policies are "same".
static const struct nla_policy dcbnl_pfc_up_nest[...] = {
[DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},
[DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
};
static const struct nla_policy dcbnl_bcn_nest[...] = {
[DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},
[DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
// from here is somewhat different
[DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
...
[DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},
};
Therefore, the current code is buggy and this
nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use
the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.
Hence use the correct policy dcbnl_bcn_nest to parse the nested
tb[DCB_ATTR_BCN] TLV.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e Version: 859ee3c43812051e21816c6d6d4cc04fb7ce9b2e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "8e309f43d0ca4051d20736c06a6f84bbddd881da",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "a0da2684db18dead3bcee12fb185e596e3d63c2b",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "ecff20e193207b44fdbfe64d7de89890f0a7fe6c",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "199fde04bd875d28b3a5ca525eaaa004eec6e947",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
},
{
"lessThan": "31d49ba033095f6e8158c60f69714a500922e0c3",
"status": "affected",
"version": "859ee3c43812051e21816c6d6d4cc04fb7ce9b2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dcb/dcbnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dcb: choose correct policy to parse DCB_ATTR_BCN\n\nThe dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],\nwhich is introduced in commit 859ee3c43812 (\"DCB: Add support for DCB\nBCN\"). Please see the comment in below code\n\nstatic int dcbnl_bcn_setcfg(...)\n{\n ...\n ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )\n // !!! dcbnl_pfc_up_nest for attributes\n // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs\n ...\n for (i = DCB_BCN_ATTR_RP_0; i \u003c= DCB_BCN_ATTR_RP_7; i++) {\n // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs\n ...\n value_byte = nla_get_u8(data[i]);\n ...\n }\n ...\n for (i = DCB_BCN_ATTR_BCNA_0; i \u003c= DCB_BCN_ATTR_RI; i++) {\n // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs\n ...\n value_int = nla_get_u32(data[i]);\n ...\n }\n ...\n}\n\nThat is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest\nattributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the\nfollowing access code fetch each nlattr as dcbnl_bcn_attrs attributes.\nBy looking up the associated nla_policy for dcbnl_bcn_attrs. We can find\nthe beginning part of these two policies are \"same\".\n\nstatic const struct nla_policy dcbnl_pfc_up_nest[...] = {\n [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8},\n [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nstatic const struct nla_policy dcbnl_bcn_nest[...] = {\n [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8},\n [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},\n // from here is somewhat different\n [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},\n ...\n [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nTherefore, the current code is buggy and this\nnla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use\nthe adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.\n\nHence use the correct policy dcbnl_bcn_nest to parse the nested\ntb[DCB_ATTR_BCN] TLV."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:17.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9"
},
{
"url": "https://git.kernel.org/stable/c/8e309f43d0ca4051d20736c06a6f84bbddd881da"
},
{
"url": "https://git.kernel.org/stable/c/a0da2684db18dead3bcee12fb185e596e3d63c2b"
},
{
"url": "https://git.kernel.org/stable/c/ecff20e193207b44fdbfe64d7de89890f0a7fe6c"
},
{
"url": "https://git.kernel.org/stable/c/199fde04bd875d28b3a5ca525eaaa004eec6e947"
},
{
"url": "https://git.kernel.org/stable/c/31d49ba033095f6e8158c60f69714a500922e0c3"
}
],
"title": "net: dcb: choose correct policy to parse DCB_ATTR_BCN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53369",
"datePublished": "2025-09-18T13:33:17.384Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-18T13:33:17.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39844 (GCVE-0-2025-39844)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: move page table sync declarations to linux/pgtable.h
During our internal testing, we started observing intermittent boot
failures when the machine uses 4-level paging and has a large amount of
persistent memory:
BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
<TASK>
__init_zone_device_page+0x17/0x5d
memmap_init_zone_device+0x154/0x1bb
pagemap_range+0x2e0/0x40f
memremap_pages+0x10b/0x2f0
devm_memremap_pages+0x1e/0x60
dev_dax_probe+0xce/0x2ec [device_dax]
dax_bus_probe+0x6d/0xc9
[... snip ...]
</TASK>
It turns out that the kernel panics while initializing vmemmap (struct
page array) when the vmemmap region spans two PGD entries, because the new
PGD entry is only installed in init_mm.pgd, but not in the page tables of
other tasks.
And looking at __populate_section_memmap():
if (vmemmap_can_optimize(altmap, pgmap))
// does not sync top level page tables
r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);
else
// sync top level page tables in x86
r = vmemmap_populate(start, end, nid, altmap);
In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c
synchronizes the top level page table (See commit 9b861528a801 ("x86-64,
mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so
that all tasks in the system can see the new vmemmap area.
However, when vmemmap_can_optimize() returns true, the optimized path
skips synchronization of top-level page tables. This is because
vmemmap_populate_compound_pages() is implemented in core MM code, which
does not handle synchronization of the top-level page tables. Instead,
the core MM has historically relied on each architecture to perform this
synchronization manually.
We're not the first party to encounter a crash caused by not-sync'd top
level page tables: earlier this year, Gwan-gyeong Mun attempted to address
the issue [1] [2] after hitting a kernel panic when x86 code accessed the
vmemmap area before the corresponding top-level entries were synced. At
that time, the issue was believed to be triggered only when struct page
was enlarged for debugging purposes, and the patch did not get further
updates.
It turns out that current approach of relying on each arch to handle the
page table sync manually is fragile because 1) it's easy to forget to sync
the top level page table, and 2) it's also easy to overlook that the
kernel should not access the vmemmap and direct mapping areas before the
sync.
# The solution: Make page table sync more code robust and harder to miss
To address this, Dave Hansen suggested [3] [4] introducing
{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables
and allow each architecture to explicitly perform synchronization when
installing top-level entries. With this approach, we no longer need to
worry about missing the sync step, reducing the risk of future
regressions.
The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,
PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by
vmalloc and ioremap to synchronize page tables.
pgd_populate_kernel() looks like this:
static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,
p4d_t *p4d)
{
pgd_populate(&init_mm, pgd, p4d);
if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)
arch_sync_kernel_mappings(addr, addr);
}
It is worth noting that vmalloc() and apply_to_range() carefully
synchronizes page tables by calling p*d_alloc_track() and
arch_sync_kernel_mappings(), and thus they are not affected by
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:59.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/pgtable.h",
"include/linux/vmalloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "732e62212f49d549c91071b4da7942ee3058f7a2",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "eceb44e1f94bd641b2a4e8c09b64c797c4eabc15",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6797a8b3f71b2cb558b8771a03450dc3e004e453",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "4f7537772011fad832f83d6848f8eab282545bef",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "469f9d22751472b81eaaf8a27fcdb5a70741c342",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/pgtable.h",
"include/linux/vmalloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: move page table sync declarations to linux/pgtable.h\n\nDuring our internal testing, we started observing intermittent boot\nfailures when the machine uses 4-level paging and has a large amount of\npersistent memory:\n\n BUG: unable to handle page fault for address: ffffe70000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0 \n Oops: 0002 [#1] SMP NOPTI\n RIP: 0010:__init_single_page+0x9/0x6d\n Call Trace:\n \u003cTASK\u003e\n __init_zone_device_page+0x17/0x5d\n memmap_init_zone_device+0x154/0x1bb\n pagemap_range+0x2e0/0x40f\n memremap_pages+0x10b/0x2f0\n devm_memremap_pages+0x1e/0x60\n dev_dax_probe+0xce/0x2ec [device_dax]\n dax_bus_probe+0x6d/0xc9\n [... snip ...]\n \u003c/TASK\u003e\n\nIt turns out that the kernel panics while initializing vmemmap (struct\npage array) when the vmemmap region spans two PGD entries, because the new\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\nother tasks.\n\nAnd looking at __populate_section_memmap():\n if (vmemmap_can_optimize(altmap, pgmap)) \n // does not sync top level page tables\n r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\n else \n // sync top level page tables in x86\n r = vmemmap_populate(start, end, nid, altmap);\n\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\nthat all tasks in the system can see the new vmemmap area.\n\nHowever, when vmemmap_can_optimize() returns true, the optimized path\nskips synchronization of top-level page tables. This is because\nvmemmap_populate_compound_pages() is implemented in core MM code, which\ndoes not handle synchronization of the top-level page tables. Instead,\nthe core MM has historically relied on each architecture to perform this\nsynchronization manually.\n\nWe\u0027re not the first party to encounter a crash caused by not-sync\u0027d top\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\nvmemmap area before the corresponding top-level entries were synced. At\nthat time, the issue was believed to be triggered only when struct page\nwas enlarged for debugging purposes, and the patch did not get further\nupdates.\n\nIt turns out that current approach of relying on each arch to handle the\npage table sync manually is fragile because 1) it\u0027s easy to forget to sync\nthe top level page table, and 2) it\u0027s also easy to overlook that the\nkernel should not access the vmemmap and direct mapping areas before the\nsync.\n\n# The solution: Make page table sync more code robust and harder to miss\n\nTo address this, Dave Hansen suggested [3] [4] introducing\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\nand allow each architecture to explicitly perform synchronization when\ninstalling top-level entries. With this approach, we no longer need to\nworry about missing the sync step, reducing the risk of future\nregressions.\n\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\nvmalloc and ioremap to synchronize page tables.\n\npgd_populate_kernel() looks like this:\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\n p4d_t *p4d)\n{\n pgd_populate(\u0026init_mm, pgd, p4d);\n if (ARCH_PAGE_TABLE_SYNC_MASK \u0026 PGTBL_PGD_MODIFIED)\n arch_sync_kernel_mappings(addr, addr);\n}\n\nIt is worth noting that vmalloc() and apply_to_range() carefully\nsynchronizes page tables by calling p*d_alloc_track() and\narch_sync_kernel_mappings(), and thus they are not affected by\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:53.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/732e62212f49d549c91071b4da7942ee3058f7a2"
},
{
"url": "https://git.kernel.org/stable/c/eceb44e1f94bd641b2a4e8c09b64c797c4eabc15"
},
{
"url": "https://git.kernel.org/stable/c/6797a8b3f71b2cb558b8771a03450dc3e004e453"
},
{
"url": "https://git.kernel.org/stable/c/4f7537772011fad832f83d6848f8eab282545bef"
},
{
"url": "https://git.kernel.org/stable/c/469f9d22751472b81eaaf8a27fcdb5a70741c342"
},
{
"url": "https://git.kernel.org/stable/c/7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d"
}
],
"title": "mm: move page table sync declarations to linux/pgtable.h",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39844",
"datePublished": "2025-09-19T15:26:18.471Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:43:59.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53343 (GCVE-0-2023-53343)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
has the link-local address as src and dst IP and will be forwarded to
an external IP in the IPv6 Ext Hdr.
For example, the script below generates a packet whose src IP is the
link-local address and dst is updated to 11::.
# for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
# python3
>>> from socket import *
>>> from scapy.all import *
>>>
>>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
>>>
>>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
>>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
>>>
>>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
>>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
For such a packet, we call ip6_route_input() to look up a route for the
next destination in these three functions depending on the header type.
* ipv6_rthdr_rcv()
* ipv6_rpl_srh_rcv()
* ipv6_srh_rcv()
If no route is found, ip6_null_entry is set to skb, and the following
dst_input(skb) calls ip6_pkt_drop().
Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
as the input device is the loopback interface. Then, we have to check if
skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
for ip6_null_entry.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<IRQ>
ip6_pkt_drop (net/ipv6/route.c:4513)
ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
__netif_receive_skb_one_core (net/core/dev.c:5455)
process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
__napi_poll (net/core/dev.c:6460)
net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:381)
__dev_queue_xmit (net/core/dev.c:4231)
ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
sock_sendmsg (net/socket.c:725 net/socket.c:748)
__sys_sendto (net/socket.c:2134)
__x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f9dc751baea
Code: d8 64 89 02 48 c7 c0 ff f
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d Version: 4832c30d5458387ff2533ff66fbde26ad8bb5a2d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8803c59fde4dd370a627dfbf7183682fa0cabf70",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "61b4c4659746959056450b92a5d7e6bc1243b31b",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "d30ddd7ff15df9d91a793ce3f06f0190ff7afacc",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "1462e9d9aa52d14665eaca6d89d22c4af44ede04",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "aa657d319e6c7502a4eb85cc0ee80cc81b8e5724",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "2aaa8a15de73874847d62eb595c6683bface80fd",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().\n\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\n\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n\n # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 \u003e $f; done\n # python3\n \u003e\u003e\u003e from socket import *\n \u003e\u003e\u003e from scapy.all import *\n \u003e\u003e\u003e\n \u003e\u003e\u003e SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n \u003e\u003e\u003e\n \u003e\u003e\u003e pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n \u003e\u003e\u003e pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n \u003e\u003e\u003e\n \u003e\u003e\u003e sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n \u003e\u003e\u003e sk.sendto(bytes(pkt), (DST_ADDR, 0))\n\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n\n * ipv6_rthdr_rcv()\n * ipv6_rpl_srh_rcv()\n * ipv6_srh_rcv()\n\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\n\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)-\u003ert6i_idev-\u003edev\nas the input device is the loopback interface. Then, we have to check if\nskb_rt6_info(skb)-\u003ert6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 \u003c48\u003e 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ip6_pkt_drop (net/ipv6/route.c:4513)\n ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\n ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n __netif_receive_skb_one_core (net/core/dev.c:5455)\n process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n __napi_poll (net/core/dev.c:6460)\n net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4231)\n ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\n rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\n sock_sendmsg (net/socket.c:725 net/socket.c:748)\n __sys_sendto (net/socket.c:2134)\n __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:36.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8803c59fde4dd370a627dfbf7183682fa0cabf70"
},
{
"url": "https://git.kernel.org/stable/c/61b4c4659746959056450b92a5d7e6bc1243b31b"
},
{
"url": "https://git.kernel.org/stable/c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc"
},
{
"url": "https://git.kernel.org/stable/c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8"
},
{
"url": "https://git.kernel.org/stable/c/1462e9d9aa52d14665eaca6d89d22c4af44ede04"
},
{
"url": "https://git.kernel.org/stable/c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724"
},
{
"url": "https://git.kernel.org/stable/c/2aaa8a15de73874847d62eb595c6683bface80fd"
}
],
"title": "icmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53343",
"datePublished": "2025-09-17T14:56:36.285Z",
"dateReserved": "2025-09-16T16:08:59.566Z",
"dateUpdated": "2025-09-17T14:56:36.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53637 (GCVE-0-2023-53637)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: ov772x: Fix memleak in ov772x_probe()
A memory leak was reported when testing ov772x with bpf mock device:
AssertionError: unreferenced object 0xffff888109afa7a8 (size 8):
comm "python3", pid 279, jiffies 4294805921 (age 20.681s)
hex dump (first 8 bytes):
80 22 88 15 81 88 ff ff ."......
backtrace:
[<000000009990b438>] __kmalloc_node+0x44/0x1b0
[<000000009e32f7d7>] kvmalloc_node+0x34/0x180
[<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]
[<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x]
[<000000003f0d225e>] i2c_device_probe+0x28d/0x680
[<00000000e0b6db89>] really_probe+0x17c/0x3f0
[<000000001b19fcee>] __driver_probe_device+0xe3/0x170
[<0000000048370519>] driver_probe_device+0x49/0x120
[<000000005ead07a0>] __device_attach_driver+0xf7/0x150
[<0000000043f452b8>] bus_for_each_drv+0x114/0x180
[<00000000358e5596>] __device_attach+0x1e5/0x2d0
[<0000000043f83c5d>] bus_probe_device+0x126/0x140
[<00000000ee0f3046>] device_add+0x810/0x1130
[<00000000e0278184>] i2c_new_client_device+0x359/0x4f0
[<0000000070baf34f>] of_i2c_register_device+0xf1/0x110
[<00000000a9f2159d>] of_i2c_notify+0x100/0x160
unreferenced object 0xffff888119825c00 (size 256):
comm "python3", pid 279, jiffies 4294805921 (age 20.681s)
hex dump (first 32 bytes):
00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^......
10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\......
backtrace:
[<000000009990b438>] __kmalloc_node+0x44/0x1b0
[<000000009e32f7d7>] kvmalloc_node+0x34/0x180
[<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]
[<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev]
[<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x]
[<000000003f0d225e>] i2c_device_probe+0x28d/0x680
[<00000000e0b6db89>] really_probe+0x17c/0x3f0
[<000000001b19fcee>] __driver_probe_device+0xe3/0x170
[<0000000048370519>] driver_probe_device+0x49/0x120
[<000000005ead07a0>] __device_attach_driver+0xf7/0x150
[<0000000043f452b8>] bus_for_each_drv+0x114/0x180
[<00000000358e5596>] __device_attach+0x1e5/0x2d0
[<0000000043f83c5d>] bus_probe_device+0x126/0x140
[<00000000ee0f3046>] device_add+0x810/0x1130
[<00000000e0278184>] i2c_new_client_device+0x359/0x4f0
[<0000000070baf34f>] of_i2c_register_device+0xf1/0x110
The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the
error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all
resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()
are leaked.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece Version: 1112babde21483d86ed3fbad1320b0ddf9ab2ece |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov772x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc3b6011d7a9f149489eb9420c6305a779162c57",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "448ce1cd50387b1345ec14eb191ef05f7afc2a26",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "dfaafeb8e9537969e8dba75491f732478c7fa9d6",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "1da495101ef7507eb4f4b1dbec2874d740eff251",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "ac93f8ac66e60227bed42d5a023f0e6c15b52c0a",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "c86d760c1c6855a6131e78d0ddacc48c79324ac3",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
},
{
"lessThan": "7485edb2b6ca5960205c0a49bedfd09bba30e521",
"status": "affected",
"version": "1112babde21483d86ed3fbad1320b0ddf9ab2ece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov772x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov772x: Fix memleak in ov772x_probe()\n\nA memory leak was reported when testing ov772x with bpf mock device:\n\nAssertionError: unreferenced object 0xffff888109afa7a8 (size 8):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 8 bytes):\n 80 22 88 15 81 88 ff ff .\"......\n backtrace:\n [\u003c000000009990b438\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000009e32f7d7\u003e] kvmalloc_node+0x34/0x180\n [\u003c00000000faf48134\u003e] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]\n [\u003c00000000da376937\u003e] ov772x_probe+0x1c3/0x68c [ov772x]\n [\u003c000000003f0d225e\u003e] i2c_device_probe+0x28d/0x680\n [\u003c00000000e0b6db89\u003e] really_probe+0x17c/0x3f0\n [\u003c000000001b19fcee\u003e] __driver_probe_device+0xe3/0x170\n [\u003c0000000048370519\u003e] driver_probe_device+0x49/0x120\n [\u003c000000005ead07a0\u003e] __device_attach_driver+0xf7/0x150\n [\u003c0000000043f452b8\u003e] bus_for_each_drv+0x114/0x180\n [\u003c00000000358e5596\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000043f83c5d\u003e] bus_probe_device+0x126/0x140\n [\u003c00000000ee0f3046\u003e] device_add+0x810/0x1130\n [\u003c00000000e0278184\u003e] i2c_new_client_device+0x359/0x4f0\n [\u003c0000000070baf34f\u003e] of_i2c_register_device+0xf1/0x110\n [\u003c00000000a9f2159d\u003e] of_i2c_notify+0x100/0x160\nunreferenced object 0xffff888119825c00 (size 256):\n comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n hex dump (first 32 bytes):\n 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^......\n 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\\.......\\......\n backtrace:\n [\u003c000000009990b438\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000009e32f7d7\u003e] kvmalloc_node+0x34/0x180\n [\u003c0000000073d88e0b\u003e] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]\n [\u003c00000000b1f576fb\u003e] v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n [\u003c00000000caf7ac99\u003e] ov772x_probe+0x1fa/0x68c [ov772x]\n [\u003c000000003f0d225e\u003e] i2c_device_probe+0x28d/0x680\n [\u003c00000000e0b6db89\u003e] really_probe+0x17c/0x3f0\n [\u003c000000001b19fcee\u003e] __driver_probe_device+0xe3/0x170\n [\u003c0000000048370519\u003e] driver_probe_device+0x49/0x120\n [\u003c000000005ead07a0\u003e] __device_attach_driver+0xf7/0x150\n [\u003c0000000043f452b8\u003e] bus_for_each_drv+0x114/0x180\n [\u003c00000000358e5596\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000043f83c5d\u003e] bus_probe_device+0x126/0x140\n [\u003c00000000ee0f3046\u003e] device_add+0x810/0x1130\n [\u003c00000000e0278184\u003e] i2c_new_client_device+0x359/0x4f0\n [\u003c0000000070baf34f\u003e] of_i2c_register_device+0xf1/0x110\n\nThe reason is that if priv-\u003ehdl.error is set, ov772x_probe() jumps to the\nerror_mutex_destroy without doing v4l2_ctrl_handler_free(), and all\nresources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()\nare leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:38.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc3b6011d7a9f149489eb9420c6305a779162c57"
},
{
"url": "https://git.kernel.org/stable/c/448ce1cd50387b1345ec14eb191ef05f7afc2a26"
},
{
"url": "https://git.kernel.org/stable/c/dfaafeb8e9537969e8dba75491f732478c7fa9d6"
},
{
"url": "https://git.kernel.org/stable/c/1da495101ef7507eb4f4b1dbec2874d740eff251"
},
{
"url": "https://git.kernel.org/stable/c/ac93f8ac66e60227bed42d5a023f0e6c15b52c0a"
},
{
"url": "https://git.kernel.org/stable/c/c86d760c1c6855a6131e78d0ddacc48c79324ac3"
},
{
"url": "https://git.kernel.org/stable/c/7485edb2b6ca5960205c0a49bedfd09bba30e521"
}
],
"title": "media: i2c: ov772x: Fix memleak in ov772x_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53637",
"datePublished": "2025-10-07T15:19:38.317Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:38.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53184 (GCVE-0-2023-53184)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/sme: Set new vector length before reallocating
As part of fixing the allocation of the buffer for SVE state when changing
SME vector length we introduced an immediate reallocation of the SVE state,
this is also done when changing the SVE vector length for consistency.
Unfortunately this reallocation is done prior to writing the new vector
length to the task struct, meaning the allocation is done with the old
vector length and can lead to memory corruption due to an undersized buffer
being used.
Move the update of the vector length before the allocation to ensure that
the new vector length is taken into account.
For some reason this isn't triggering any problems when running tests on
the arm64 fixes branch (even after repeated tries) but is triggering
issues very often after merge into mainline.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/fpsimd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "356e711640aea6ed145da9407499388b45264cb4",
"status": "affected",
"version": "aa5cf8bd1318b6e7d500668b318c07a71cde783b",
"versionType": "git"
},
{
"lessThan": "807ada0e4aa3c9090c66009a99fa530c462012c9",
"status": "affected",
"version": "292f0453b0d021bb1d3f64648bfdfca093512214",
"versionType": "git"
},
{
"lessThan": "05d881b85b48c7ac6a7c92ce00aa916c4a84d052",
"status": "affected",
"version": "d4d5be94a87872421ea2569044092535aff0b886",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/fpsimd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.43",
"status": "affected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThan": "6.4.8",
"status": "affected",
"version": "6.4.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Set new vector length before reallocating\n\nAs part of fixing the allocation of the buffer for SVE state when changing\nSME vector length we introduced an immediate reallocation of the SVE state,\nthis is also done when changing the SVE vector length for consistency.\nUnfortunately this reallocation is done prior to writing the new vector\nlength to the task struct, meaning the allocation is done with the old\nvector length and can lead to memory corruption due to an undersized buffer\nbeing used.\n\nMove the update of the vector length before the allocation to ensure that\nthe new vector length is taken into account.\n\nFor some reason this isn\u0027t triggering any problems when running tests on\nthe arm64 fixes branch (even after repeated tries) but is triggering\nissues very often after merge into mainline."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:36.754Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/356e711640aea6ed145da9407499388b45264cb4"
},
{
"url": "https://git.kernel.org/stable/c/807ada0e4aa3c9090c66009a99fa530c462012c9"
},
{
"url": "https://git.kernel.org/stable/c/05d881b85b48c7ac6a7c92ce00aa916c4a84d052"
}
],
"title": "arm64/sme: Set new vector length before reallocating",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53184",
"datePublished": "2025-09-15T14:04:36.754Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-15T14:04:36.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50514 (GCVE-0-2022-50514)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix refcount leak on error path
When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd Version: 21a9476a7ba847e413bf1c144d7c614532aed6dd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95412c932b3c9e8cc4431dac4fac8fcd80d54982",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "80dc47e751a837106c09bec73964ff8f7ea280b4",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "e88b89a096af0001bcff6bf7ad2feb1486487173",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "9d4a0aca8a75550d3456c8de339a341dc4536ec5",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "ba78f7c10606719f702c04a15fb0471507b32d7b",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "216437dd64fce36791a3b6cc8f8013df36856958",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
},
{
"lessThan": "70a3288a7586526315105c699b687d78cd32559a",
"status": "affected",
"version": "21a9476a7ba847e413bf1c144d7c614532aed6dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix refcount leak on error path\n\nWhen failing to allocate report_desc, opts-\u003erefcnt has already been\nincremented so it needs to be decremented to avoid leaving the options\nstructure permanently locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:10.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95412c932b3c9e8cc4431dac4fac8fcd80d54982"
},
{
"url": "https://git.kernel.org/stable/c/80dc47e751a837106c09bec73964ff8f7ea280b4"
},
{
"url": "https://git.kernel.org/stable/c/e88b89a096af0001bcff6bf7ad2feb1486487173"
},
{
"url": "https://git.kernel.org/stable/c/9d4a0aca8a75550d3456c8de339a341dc4536ec5"
},
{
"url": "https://git.kernel.org/stable/c/ba78f7c10606719f702c04a15fb0471507b32d7b"
},
{
"url": "https://git.kernel.org/stable/c/216437dd64fce36791a3b6cc8f8013df36856958"
},
{
"url": "https://git.kernel.org/stable/c/70a3288a7586526315105c699b687d78cd32559a"
}
],
"title": "usb: gadget: f_hid: fix refcount leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50514",
"datePublished": "2025-10-07T15:19:10.253Z",
"dateReserved": "2025-10-07T15:15:38.661Z",
"dateUpdated": "2025-10-07T15:19:10.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39760 (GCVE-0-2025-39760)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: core: config: Prevent OOB read in SS endpoint companion parsing
usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.
Fix this up by checking the size first before looking at any of the
fields in the descriptor.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:09.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c3097ede7835d3caf6543eb70ff689af4550cd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "058ad2b722812708fe90567875704ae36563e33b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b10e0f868067c6f25bbfabdcf3e1e6432c24ca55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5badd56c711e2c8371d1670f9bd486697575423c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9512510cee7d1becdb0e9413fdd3ab783e4e30ee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4fe6f472f0beef4281e6f03bc38a910a33be663f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9843bcb187cb933861f7805022e6873905f669e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf16f408364efd8a68f39011a3b073c83a03612d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: config: Prevent OOB read in SS endpoint companion parsing\n\nusb_parse_ss_endpoint_companion() checks descriptor type before length,\nenabling a potentially odd read outside of the buffer size.\n\nFix this up by checking the size first before looking at any of the\nfields in the descriptor."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:51.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2"
},
{
"url": "https://git.kernel.org/stable/c/058ad2b722812708fe90567875704ae36563e33b"
},
{
"url": "https://git.kernel.org/stable/c/b10e0f868067c6f25bbfabdcf3e1e6432c24ca55"
},
{
"url": "https://git.kernel.org/stable/c/5badd56c711e2c8371d1670f9bd486697575423c"
},
{
"url": "https://git.kernel.org/stable/c/9512510cee7d1becdb0e9413fdd3ab783e4e30ee"
},
{
"url": "https://git.kernel.org/stable/c/4fe6f472f0beef4281e6f03bc38a910a33be663f"
},
{
"url": "https://git.kernel.org/stable/c/9843bcb187cb933861f7805022e6873905f669e4"
},
{
"url": "https://git.kernel.org/stable/c/cf16f408364efd8a68f39011a3b073c83a03612d"
}
],
"title": "usb: core: config: Prevent OOB read in SS endpoint companion parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39760",
"datePublished": "2025-09-11T16:52:29.045Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2025-11-03T17:43:09.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53657 (GCVE-0-2023-53657)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Don't tx before switchdev is fully configured
There is possibility that ice_eswitch_port_start_xmit might be
called while some resources are still not allocated which might
cause NULL pointer dereference. Fix this by checking if switchdev
configuration was finished.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5760a72b3060150b587eff3e879648c7470efddd",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
},
{
"lessThan": "63ff5a94649837d980e3b9ef535c793ec8cb0ca7",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
},
{
"lessThan": "7aa529a69e92b9aff585e569d5003f7c15d8d60b",
"status": "affected",
"version": "f5396b8a663f7a78ee5b75a47ee524b40795b265",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don\u0027t tx before switchdev is fully configured\n\nThere is possibility that ice_eswitch_port_start_xmit might be\ncalled while some resources are still not allocated which might\ncause NULL pointer dereference. Fix this by checking if switchdev\nconfiguration was finished."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:40.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5760a72b3060150b587eff3e879648c7470efddd"
},
{
"url": "https://git.kernel.org/stable/c/63ff5a94649837d980e3b9ef535c793ec8cb0ca7"
},
{
"url": "https://git.kernel.org/stable/c/7aa529a69e92b9aff585e569d5003f7c15d8d60b"
}
],
"title": "ice: Don\u0027t tx before switchdev is fully configured",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53657",
"datePublished": "2025-10-07T15:21:18.268Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-29T10:50:40.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53454 (GCVE-0-2023-53454)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Correct devm device reference for hidinput input_dev name
Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.
Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 Version: c08d46aa805ba46d501f610c2448d07bea979780 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac0d389402a6ff9ad92cea02c2d8c711483b91ab",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "39c70c19456e50dcb3abfe53539220dff0490f1d",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "df7ca43fe090e1a56c216c8ebc106ef5fd49afc6",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "15ec7cb55e7d88755aa01d44a7a1015a42bfce86",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "dde88ab4e45beb60b217026207aa9c14c88d71ab",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "2763732ec1e68910719c75b6b896e11b6d3d622b",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "1d7833db9fd118415dace2ca157bfa603dec9c8c",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "b70ac7849248ec8128fa12f86e3655ba38838f29",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "4794394635293a3e74591351fff469cea7ad15a2",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:25.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac0d389402a6ff9ad92cea02c2d8c711483b91ab"
},
{
"url": "https://git.kernel.org/stable/c/39c70c19456e50dcb3abfe53539220dff0490f1d"
},
{
"url": "https://git.kernel.org/stable/c/df7ca43fe090e1a56c216c8ebc106ef5fd49afc6"
},
{
"url": "https://git.kernel.org/stable/c/15ec7cb55e7d88755aa01d44a7a1015a42bfce86"
},
{
"url": "https://git.kernel.org/stable/c/dde88ab4e45beb60b217026207aa9c14c88d71ab"
},
{
"url": "https://git.kernel.org/stable/c/2763732ec1e68910719c75b6b896e11b6d3d622b"
},
{
"url": "https://git.kernel.org/stable/c/1d7833db9fd118415dace2ca157bfa603dec9c8c"
},
{
"url": "https://git.kernel.org/stable/c/b70ac7849248ec8128fa12f86e3655ba38838f29"
},
{
"url": "https://git.kernel.org/stable/c/4794394635293a3e74591351fff469cea7ad15a2"
}
],
"title": "HID: multitouch: Correct devm device reference for hidinput input_dev name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53454",
"datePublished": "2025-10-01T11:42:25.760Z",
"dateReserved": "2025-09-17T14:54:09.754Z",
"dateUpdated": "2025-10-01T11:42:25.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53495 (GCVE-0-2023-53495)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be check before using
rules to avoid OOB writing or NULL pointer dereference.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 Version: 90b509b39ac9b09be88eb641c7a3abd8de06b698 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba6673824efa3dc198b04a54e69dce480066d7d9",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
},
{
"lessThan": "61054a8ddb176b155a8f2bacdfefb3727187f5d9",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
},
{
"lessThan": "5bb09dddc724c5f7c4dc6dd3bfebd685eecd93e8",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
},
{
"lessThan": "349638f7e5d3c7d328565587bb7b0454bbee02e2",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
},
{
"lessThan": "625b70d31dd4df4b96b3ddcbe251debb33bd67f5",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
},
{
"lessThan": "51fe0a470543f345e3c62b6798929de3ddcedc1d",
"status": "affected",
"version": "90b509b39ac9b09be88eb641c7a3abd8de06b698",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()\n\nrules is allocated in ethtool_get_rxnfc and the size is determined by\nrule_cnt from user space. So rule_cnt needs to be check before using\nrules to avoid OOB writing or NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:46.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba6673824efa3dc198b04a54e69dce480066d7d9"
},
{
"url": "https://git.kernel.org/stable/c/61054a8ddb176b155a8f2bacdfefb3727187f5d9"
},
{
"url": "https://git.kernel.org/stable/c/5bb09dddc724c5f7c4dc6dd3bfebd685eecd93e8"
},
{
"url": "https://git.kernel.org/stable/c/349638f7e5d3c7d328565587bb7b0454bbee02e2"
},
{
"url": "https://git.kernel.org/stable/c/625b70d31dd4df4b96b3ddcbe251debb33bd67f5"
},
{
"url": "https://git.kernel.org/stable/c/51fe0a470543f345e3c62b6798929de3ddcedc1d"
}
],
"title": "net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53495",
"datePublished": "2025-10-01T11:45:46.877Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:46.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39937 (GCVE-0-2025-39937)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from
device property") rfkill_find_type() gets called with the possibly
uninitialized "const char *type_name;" local variable.
On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752"
acpi_device, the rfkill->type is set based on the ACPI acpi_device_id:
rfkill->type = (unsigned)id->driver_data;
and there is no "type" property so device_property_read_string() will fail
and leave type_name uninitialized, leading to a potential crash.
rfkill_find_type() does accept a NULL pointer, fix the potential crash
by initializing type_name to NULL.
Note likely sofar this has not been caught because:
1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device
2. The stack happened to contain NULL where type_name is stored
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "184f608a68f96794e8fe58cd5535014d53622cde",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "8793e7a8e1b60131a825457174ed6398111daeb7",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "ada2282259243387e6b6e89239aeb4897e62f051",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "47ade5f9d70b23a119ec20b1c6504864b2543a79",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "689aee35ce671aab752f159e5c8e66d7685e6887",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21ba85d9d508422ca9e6698463ff9357c928c22d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "b6f56a44e4c1014b08859dcf04ed246500e310e5",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer\n\nSince commit 7d5e9737efda (\"net: rfkill: gpio: get the name and type from\ndevice property\") rfkill_find_type() gets called with the possibly\nuninitialized \"const char *type_name;\" local variable.\n\nOn x86 systems when rfkill-gpio binds to a \"BCM4752\" or \"LNV4752\"\nacpi_device, the rfkill-\u003etype is set based on the ACPI acpi_device_id:\n\n rfkill-\u003etype = (unsigned)id-\u003edriver_data;\n\nand there is no \"type\" property so device_property_read_string() will fail\nand leave type_name uninitialized, leading to a potential crash.\n\nrfkill_find_type() does accept a NULL pointer, fix the potential crash\nby initializing type_name to NULL.\n\nNote likely sofar this has not been caught because:\n\n1. Not many x86 machines actually have a \"BCM4752\"/\"LNV4752\" acpi_device\n2. The stack happened to contain NULL where type_name is stored"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:01.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/184f608a68f96794e8fe58cd5535014d53622cde"
},
{
"url": "https://git.kernel.org/stable/c/8793e7a8e1b60131a825457174ed6398111daeb7"
},
{
"url": "https://git.kernel.org/stable/c/ada2282259243387e6b6e89239aeb4897e62f051"
},
{
"url": "https://git.kernel.org/stable/c/47ade5f9d70b23a119ec20b1c6504864b2543a79"
},
{
"url": "https://git.kernel.org/stable/c/689aee35ce671aab752f159e5c8e66d7685e6887"
},
{
"url": "https://git.kernel.org/stable/c/21ba85d9d508422ca9e6698463ff9357c928c22d"
},
{
"url": "https://git.kernel.org/stable/c/21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d"
},
{
"url": "https://git.kernel.org/stable/c/b6f56a44e4c1014b08859dcf04ed246500e310e5"
}
],
"title": "net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39937",
"datePublished": "2025-10-04T07:31:00.879Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:01.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38618 (GCVE-0-2025-38618)
Vulnerability from cvelistv5
Published
2025-08-22 13:01
Modified
2025-11-03 17:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Do not allow binding to VMADDR_PORT_ANY
It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).
Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:30.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c04a2c1ca25b9b23104124d3b2d349d934e302de",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d1a5b1964cef42727668ac0d8532dae4f8c19386",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "cf86704798c1b9c46fa59dfc2d662f57d1394d79",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f138be5d7f301fddad4e65ec66dfc3ceebf79be3",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "44bd006d5c93f6a8f28b106cbae2428c5d0275b7",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "32950b1907919be86a7a2697d6f93d57068b3865",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "8f01093646b49f6330bb2d36761983fd829472b1",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d73960f0cf03ef1dc9e96ec7a20e538accc26d87",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "aba0c94f61ec05315fa7815d21aefa4c87f6a9f4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:53.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c04a2c1ca25b9b23104124d3b2d349d934e302de"
},
{
"url": "https://git.kernel.org/stable/c/d1a5b1964cef42727668ac0d8532dae4f8c19386"
},
{
"url": "https://git.kernel.org/stable/c/cf86704798c1b9c46fa59dfc2d662f57d1394d79"
},
{
"url": "https://git.kernel.org/stable/c/f138be5d7f301fddad4e65ec66dfc3ceebf79be3"
},
{
"url": "https://git.kernel.org/stable/c/44bd006d5c93f6a8f28b106cbae2428c5d0275b7"
},
{
"url": "https://git.kernel.org/stable/c/32950b1907919be86a7a2697d6f93d57068b3865"
},
{
"url": "https://git.kernel.org/stable/c/8f01093646b49f6330bb2d36761983fd829472b1"
},
{
"url": "https://git.kernel.org/stable/c/d73960f0cf03ef1dc9e96ec7a20e538accc26d87"
},
{
"url": "https://git.kernel.org/stable/c/aba0c94f61ec05315fa7815d21aefa4c87f6a9f4"
}
],
"title": "vsock: Do not allow binding to VMADDR_PORT_ANY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38618",
"datePublished": "2025-08-22T13:01:24.678Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:30.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21971 (GCVE-0-2025-21971)
Vulnerability from cvelistv5
Published
2025-04-01 15:47
Modified
2025-11-03 19:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: Prevent creation of classes with TC_H_ROOT
The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.
Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:40:14.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "7a82fe67a9f4d7123d8e5ba8f0f0806c28695006",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "003d92c91cdb5a64b25a9a74cb8543aac9a8bb48",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "78533c4a29ac3aeddce4b481770beaaa4f3bfb67",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "94edfdfb9505ab608e86599d1d1e38c83816fc1c",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "0c3057a5a04d07120b3d0ec9c79568fceb9c921e",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:26:09.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c"
},
{
"url": "https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006"
},
{
"url": "https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48"
},
{
"url": "https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7"
},
{
"url": "https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67"
},
{
"url": "https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7"
},
{
"url": "https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c"
},
{
"url": "https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e"
}
],
"title": "net_sched: Prevent creation of classes with TC_H_ROOT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21971",
"datePublished": "2025-04-01T15:47:04.448Z",
"dateReserved": "2024-12-29T08:45:45.797Z",
"dateUpdated": "2025-11-03T19:40:14.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40019 (GCVE-0-2025-40019)
Vulnerability from cvelistv5
Published
2025-10-24 11:44
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: essiv - Check ssize for decryption and in-place encryption
Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 Version: be1eb7f78aa8fbe34779c56c266ccd0364604e71 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29294dd6f1e7acf527255fb136ffde6602c3a129",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "71f03f8f72d9c70ffba76980e78b38c180e61589",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "df58651968f82344a0ed2afdafd20ecfc55ff548",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "248ff2797ff52a8cbf86507f9583437443bf7685",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "f37e7860dc5e94c70b4a3e38a5809181310ea9ac",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "dc4c854a5e7453c465fa73b153eba4ef2a240abe",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "da7afb01ba05577ba3629f7f4824205550644986",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "6bb73db6948c2de23e407fe1b7ef94bf02b7529f",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit\u0027s also checked for decryption and in-place encryption."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:25.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29294dd6f1e7acf527255fb136ffde6602c3a129"
},
{
"url": "https://git.kernel.org/stable/c/71f03f8f72d9c70ffba76980e78b38c180e61589"
},
{
"url": "https://git.kernel.org/stable/c/df58651968f82344a0ed2afdafd20ecfc55ff548"
},
{
"url": "https://git.kernel.org/stable/c/248ff2797ff52a8cbf86507f9583437443bf7685"
},
{
"url": "https://git.kernel.org/stable/c/f37e7860dc5e94c70b4a3e38a5809181310ea9ac"
},
{
"url": "https://git.kernel.org/stable/c/dc4c854a5e7453c465fa73b153eba4ef2a240abe"
},
{
"url": "https://git.kernel.org/stable/c/da7afb01ba05577ba3629f7f4824205550644986"
},
{
"url": "https://git.kernel.org/stable/c/6bb73db6948c2de23e407fe1b7ef94bf02b7529f"
}
],
"title": "crypto: essiv - Check ssize for decryption and in-place encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40019",
"datePublished": "2025-10-24T11:44:29.864Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-29T13:19:25.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53575 (GCVE-0-2023-53575)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-06 09:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix potential array out of bounds access
Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying
key_len size in iwl_mvm_sec_key_add().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "133b1cd4d98bb8b272335c8e6b0e0c399c0b2ffa",
"status": "affected",
"version": "5c75a208c2449c6ea24f07610cc052f6a352246c",
"versionType": "git"
},
{
"lessThan": "637452360ecde9ac972d19416e9606529576b302",
"status": "affected",
"version": "5c75a208c2449c6ea24f07610cc052f6a352246c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix potential array out of bounds access\n\nAccount for IWL_SEC_WEP_KEY_OFFSET when needed while verifying\nkey_len size in iwl_mvm_sec_key_add()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T09:07:19.662Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/133b1cd4d98bb8b272335c8e6b0e0c399c0b2ffa"
},
{
"url": "https://git.kernel.org/stable/c/637452360ecde9ac972d19416e9606529576b302"
}
],
"title": "wifi: iwlwifi: mvm: fix potential array out of bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53575",
"datePublished": "2025-10-04T15:17:15.224Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-06T09:07:19.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53683 (GCVE-0-2023-53683)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for
crafted filesystem image can contain bogus length. There conditions are
not kernel bugs that can justify kernel to panic.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f62f5ee63052324ad94dd05091743d9e09f72070 Version: ab778439c6fa0071698b62a351f79d319fd72c53 Version: 781fa141414ef18b52f15037497155f80bf0ecab Version: 1f881d9201f6e0a917004a14329f9ff3d0bfa1e5 Version: 48d9e2e6de01ed35e965eb549758a837c07b601d Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Version: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61af77acd039ffd221bf7adf0dc95d0a4d377505",
"status": "affected",
"version": "f62f5ee63052324ad94dd05091743d9e09f72070",
"versionType": "git"
},
{
"lessThan": "c074913b12db3632b11588b31bbfb0fa80a0a1c9",
"status": "affected",
"version": "ab778439c6fa0071698b62a351f79d319fd72c53",
"versionType": "git"
},
{
"lessThan": "a75d9211a07fed513c08c5d4861c4a36ac6a74fe",
"status": "affected",
"version": "781fa141414ef18b52f15037497155f80bf0ecab",
"versionType": "git"
},
{
"lessThan": "c8daee66585897a4c90d937c91e762100237bff9",
"status": "affected",
"version": "1f881d9201f6e0a917004a14329f9ff3d0bfa1e5",
"versionType": "git"
},
{
"lessThan": "37cab61a52d6f42b2d961c51bcf369f09e235fb5",
"status": "affected",
"version": "48d9e2e6de01ed35e965eb549758a837c07b601d",
"versionType": "git"
},
{
"lessThan": "48960a503fcec76d3f72347b7e679dda08ca43be",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "3a9d68d84b2e41ba3f2a727b36f035fad6800492",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "81b21c0f0138ff5a499eafc3eb0578ad2a99622c",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()\n\nsyzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for\ncrafted filesystem image can contain bogus length. There conditions are\nnot kernel bugs that can justify kernel to panic."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:43.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61af77acd039ffd221bf7adf0dc95d0a4d377505"
},
{
"url": "https://git.kernel.org/stable/c/c074913b12db3632b11588b31bbfb0fa80a0a1c9"
},
{
"url": "https://git.kernel.org/stable/c/a75d9211a07fed513c08c5d4861c4a36ac6a74fe"
},
{
"url": "https://git.kernel.org/stable/c/c8daee66585897a4c90d937c91e762100237bff9"
},
{
"url": "https://git.kernel.org/stable/c/37cab61a52d6f42b2d961c51bcf369f09e235fb5"
},
{
"url": "https://git.kernel.org/stable/c/48960a503fcec76d3f72347b7e679dda08ca43be"
},
{
"url": "https://git.kernel.org/stable/c/3a9d68d84b2e41ba3f2a727b36f035fad6800492"
},
{
"url": "https://git.kernel.org/stable/c/81b21c0f0138ff5a499eafc3eb0578ad2a99622c"
}
],
"title": "fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53683",
"datePublished": "2025-10-07T15:21:36.715Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-29T10:50:43.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53550 (GCVE-0-2023-53550)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate: fix global sysfs attribute type
In commit 3666062b87ec ("cpufreq: amd-pstate: move to use bus_get_dev_root()")
the "amd_pstate" attributes where moved from a dedicated kobject to the
cpu root kobject.
While the dedicated kobject expects to contain kobj_attributes the root
kobject needs device_attributes.
As the changed arguments are not used by the callbacks it works most of
the time.
However CFI will detect this issue:
[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)
...
[ 4947.849409] Call Trace:
[ 4947.849410] <TASK>
[ 4947.849411] ? __warn+0xcf/0x1c0
[ 4947.849414] ? dev_attr_show+0x24/0x60
[ 4947.849415] ? report_cfi_failure+0x4e/0x60
[ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0
[ 4947.849419] ? __cfi_show_status+0x10/0x10
[ 4947.849420] ? handle_bug+0x4f/0x90
[ 4947.849421] ? exc_invalid_op+0x1a/0x60
[ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20
[ 4947.849424] ? __cfi_show_status+0x10/0x10
[ 4947.849425] ? dev_attr_show+0x24/0x60
[ 4947.849426] sysfs_kf_seq_show+0xa6/0x110
[ 4947.849433] seq_read_iter+0x16c/0x4b0
[ 4947.849436] vfs_read+0x272/0x2d0
[ 4947.849438] ksys_read+0x72/0xe0
[ 4947.849439] do_syscall_64+0x76/0xb0
[ 4947.849440] ? do_user_addr_fault+0x252/0x650
[ 4947.849442] ? exc_page_fault+0x7a/0x1b0
[ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddcfc33a20380508f7fea18e1c330abe17ed4fc0",
"status": "affected",
"version": "3666062b87ec8be4b85dc475dfb54bb17e10a7f6",
"versionType": "git"
},
{
"lessThan": "5e720f8c8c9d959283c3908bbf32a91a01a86547",
"status": "affected",
"version": "3666062b87ec8be4b85dc475dfb54bb17e10a7f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix global sysfs attribute type\n\nIn commit 3666062b87ec (\"cpufreq: amd-pstate: move to use bus_get_dev_root()\")\nthe \"amd_pstate\" attributes where moved from a dedicated kobject to the\ncpu root kobject.\n\nWhile the dedicated kobject expects to contain kobj_attributes the root\nkobject needs device_attributes.\n\nAs the changed arguments are not used by the callbacks it works most of\nthe time.\nHowever CFI will detect this issue:\n\n[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)\n...\n[ 4947.849409] Call Trace:\n[ 4947.849410] \u003cTASK\u003e\n[ 4947.849411] ? __warn+0xcf/0x1c0\n[ 4947.849414] ? dev_attr_show+0x24/0x60\n[ 4947.849415] ? report_cfi_failure+0x4e/0x60\n[ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0\n[ 4947.849419] ? __cfi_show_status+0x10/0x10\n[ 4947.849420] ? handle_bug+0x4f/0x90\n[ 4947.849421] ? exc_invalid_op+0x1a/0x60\n[ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20\n[ 4947.849424] ? __cfi_show_status+0x10/0x10\n[ 4947.849425] ? dev_attr_show+0x24/0x60\n[ 4947.849426] sysfs_kf_seq_show+0xa6/0x110\n[ 4947.849433] seq_read_iter+0x16c/0x4b0\n[ 4947.849436] vfs_read+0x272/0x2d0\n[ 4947.849438] ksys_read+0x72/0xe0\n[ 4947.849439] do_syscall_64+0x76/0xb0\n[ 4947.849440] ? do_user_addr_fault+0x252/0x650\n[ 4947.849442] ? exc_page_fault+0x7a/0x1b0\n[ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:57.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddcfc33a20380508f7fea18e1c330abe17ed4fc0"
},
{
"url": "https://git.kernel.org/stable/c/5e720f8c8c9d959283c3908bbf32a91a01a86547"
}
],
"title": "cpufreq: amd-pstate: fix global sysfs attribute type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53550",
"datePublished": "2025-10-04T15:16:57.061Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:16:57.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50115 (GCVE-0-2024-50115)
Vulnerability from cvelistv5
Published
2024-11-05 17:10
Modified
2025-11-03 22:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits
4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't
enforce 32-byte alignment of nCR3.
In the absolute worst case scenario, failure to ignore bits 4:0 can result
in an out-of-bounds read, e.g. if the target page is at the end of a
memslot, and the VMM isn't using guard pages.
Per the APM:
The CR3 register points to the base address of the page-directory-pointer
table. The page-directory-pointer table is aligned on a 32-byte boundary,
with the low 5 address bits 4:0 assumed to be 0.
And the SDM's much more explicit:
4:0 Ignored
Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow
that is broken.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd Version: e4e517b4be019787ada4cbbce2f04570c21b0cbd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:21:56.032296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:27:17.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:38.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76ce386feb14ec9a460784fcd495d8432acce7a5",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
},
{
"lessThan": "58cb697d80e669c56197f703e188867c8c54c494",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
},
{
"lessThan": "6876793907cbe19d42e9edc8c3315a21e06c32ae",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
},
{
"lessThan": "2c4adc9b192a0815fe58a62bc0709449416cc884",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
},
{
"lessThan": "426682afec71ea3f889b972d038238807b9443e4",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
},
{
"lessThan": "f559b2e9c5c5308850544ab59396b7d53cfc67bd",
"status": "affected",
"version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.229",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.170",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\n\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn\u0027t\nenforce 32-byte alignment of nCR3.\n\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\nin an out-of-bounds read, e.g. if the target page is at the end of a\nmemslot, and the VMM isn\u0027t using guard pages.\n\nPer the APM:\n\n The CR3 register points to the base address of the page-directory-pointer\n table. The page-directory-pointer table is aligned on a 32-byte boundary,\n with the low 5 address bits 4:0 assumed to be 0.\n\nAnd the SDM\u0027s much more explicit:\n\n 4:0 Ignored\n\nNote, KVM gets this right when loading PDPTRs, it\u0027s only the nSVM flow\nthat is broken."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:46:21.969Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5"
},
{
"url": "https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494"
},
{
"url": "https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae"
},
{
"url": "https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884"
},
{
"url": "https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4"
},
{
"url": "https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd"
}
],
"title": "KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50115",
"datePublished": "2024-11-05T17:10:46.677Z",
"dateReserved": "2024-10-21T19:36:19.947Z",
"dateUpdated": "2025-11-03T22:25:38.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53697 (GCVE-0-2023-53697)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()
Memory pointed by 'nd_pmu->pmu.attr_groups' is allocated in function
'register_nvdimm_pmu' and is lost after 'kfree(nd_pmu)' call in function
'unregister_nvdimm_pmu'.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/nd_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "500a6ff9c2a81348fe0f04e2deb758145e8ab94e",
"status": "affected",
"version": "0fab1ba6ad6ba1f76380f92ead95c6e861ef8116",
"versionType": "git"
},
{
"lessThan": "4999f2ec5fde7c45e3ecafda5b78560cc1c7bdb5",
"status": "affected",
"version": "0fab1ba6ad6ba1f76380f92ead95c6e861ef8116",
"versionType": "git"
},
{
"lessThan": "16259c80542ee8945aaa39cfc6a1809bcdc08ffe",
"status": "affected",
"version": "0fab1ba6ad6ba1f76380f92ead95c6e861ef8116",
"versionType": "git"
},
{
"lessThan": "85ae42c72142346645e63c33835da947dfa008b3",
"status": "affected",
"version": "0fab1ba6ad6ba1f76380f92ead95c6e861ef8116",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/nd_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()\n\nMemory pointed by \u0027nd_pmu-\u003epmu.attr_groups\u0027 is allocated in function\n\u0027register_nvdimm_pmu\u0027 and is lost after \u0027kfree(nd_pmu)\u0027 call in function\n\u0027unregister_nvdimm_pmu\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:37.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/500a6ff9c2a81348fe0f04e2deb758145e8ab94e"
},
{
"url": "https://git.kernel.org/stable/c/4999f2ec5fde7c45e3ecafda5b78560cc1c7bdb5"
},
{
"url": "https://git.kernel.org/stable/c/16259c80542ee8945aaa39cfc6a1809bcdc08ffe"
},
{
"url": "https://git.kernel.org/stable/c/85ae42c72142346645e63c33835da947dfa008b3"
}
],
"title": "nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53697",
"datePublished": "2025-10-22T13:23:37.757Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:37.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38692 (GCVE-0-2025-38692)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-09-29 05:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: add cluster chain loop check for dir
An infinite loop may occur if the following conditions occur due to
file system corruption.
(1) Condition for exfat_count_dir_entries() to loop infinitely.
- The cluster chain includes a loop.
- There is no UNUSED entry in the cluster chain.
(2) Condition for exfat_create_upcase_table() to loop infinitely.
- The cluster chain of the root directory includes a loop.
- There are no UNUSED entry and up-case table entry in the cluster
chain of the root directory.
(3) Condition for exfat_load_bitmap() to loop infinitely.
- The cluster chain of the root directory includes a loop.
- There are no UNUSED entry and bitmap entry in the cluster chain
of the root directory.
(4) Condition for exfat_find_dir_entry() to loop infinitely.
- The cluster chain includes a loop.
- The unused directory entries were exhausted by some operation.
(5) Condition for exfat_check_dir_empty() to loop infinitely.
- The cluster chain includes a loop.
- The unused directory entries were exhausted by some operation.
- All files and sub-directories under the directory are deleted.
This commit adds checks to break the above infinite loop.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/dir.c",
"fs/exfat/fatent.c",
"fs/exfat/namei.c",
"fs/exfat/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868f23286c1a13162330fa6c614fe350f78e3f82",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "aa8fe7b7b73d4c9a41bb96cb3fb3092f794ecb33",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "e2066ca3ef49a30920d8536fa366b2a183a808ee",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "4c3cda20c4cf1871e27868d08fda06b79bc7d568",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "99f9a97dce39ad413c39b92c90393bbd6778f3fd",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/dir.c",
"fs/exfat/fatent.c",
"fs/exfat/namei.c",
"fs/exfat/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: add cluster chain loop check for dir\n\nAn infinite loop may occur if the following conditions occur due to\nfile system corruption.\n\n(1) Condition for exfat_count_dir_entries() to loop infinitely.\n - The cluster chain includes a loop.\n - There is no UNUSED entry in the cluster chain.\n\n(2) Condition for exfat_create_upcase_table() to loop infinitely.\n - The cluster chain of the root directory includes a loop.\n - There are no UNUSED entry and up-case table entry in the cluster\n chain of the root directory.\n\n(3) Condition for exfat_load_bitmap() to loop infinitely.\n - The cluster chain of the root directory includes a loop.\n - There are no UNUSED entry and bitmap entry in the cluster chain\n of the root directory.\n\n(4) Condition for exfat_find_dir_entry() to loop infinitely.\n - The cluster chain includes a loop.\n - The unused directory entries were exhausted by some operation.\n\n(5) Condition for exfat_check_dir_empty() to loop infinitely.\n - The cluster chain includes a loop.\n - The unused directory entries were exhausted by some operation.\n - All files and sub-directories under the directory are deleted.\n\nThis commit adds checks to break the above infinite loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:08.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868f23286c1a13162330fa6c614fe350f78e3f82"
},
{
"url": "https://git.kernel.org/stable/c/aa8fe7b7b73d4c9a41bb96cb3fb3092f794ecb33"
},
{
"url": "https://git.kernel.org/stable/c/e2066ca3ef49a30920d8536fa366b2a183a808ee"
},
{
"url": "https://git.kernel.org/stable/c/4c3cda20c4cf1871e27868d08fda06b79bc7d568"
},
{
"url": "https://git.kernel.org/stable/c/99f9a97dce39ad413c39b92c90393bbd6778f3fd"
}
],
"title": "exfat: add cluster chain loop check for dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38692",
"datePublished": "2025-09-04T15:32:46.004Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-09-29T05:56:08.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53605 (GCVE-0-2023-53605)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-06 09:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: amd: display: Fix memory leakage
This commit fixes memory leakage in dc_construct_ctx() function.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d473c55ce1975c9e601c25293328a5039225d2b2",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9ae15ebaefc4878d614f10cc56ea672f88cea582",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "83ace0dd67ee386be1ddcf59dab49d6d9a54e62e",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "1bdea8ee92a6abc650b2189fd5c53f36859baecb",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "6b8701be1f66064ca72733c5f6e13748cdbf8397",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: amd: display: Fix memory leakage\n\nThis commit fixes memory leakage in dc_construct_ctx() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T09:07:22.038Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d473c55ce1975c9e601c25293328a5039225d2b2"
},
{
"url": "https://git.kernel.org/stable/c/9ae15ebaefc4878d614f10cc56ea672f88cea582"
},
{
"url": "https://git.kernel.org/stable/c/83ace0dd67ee386be1ddcf59dab49d6d9a54e62e"
},
{
"url": "https://git.kernel.org/stable/c/1bdea8ee92a6abc650b2189fd5c53f36859baecb"
},
{
"url": "https://git.kernel.org/stable/c/6b8701be1f66064ca72733c5f6e13748cdbf8397"
}
],
"title": "drm: amd: display: Fix memory leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53605",
"datePublished": "2025-10-04T15:44:15.231Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-06T09:07:22.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53384 (GCVE-0-2023-53384)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: avoid possible NULL skb pointer dereference
In 'mwifiex_handle_uap_rx_forward()', always check the value
returned by 'skb_copy()' to avoid potential NULL pointer
dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
original skb in case of copying failure.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 Version: 838e4f44929782a2163c7bc95a7cd2da5d8b47f9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d155c5f64cefacdc6a9a26d40be53ee2903c28ff",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "139d285e7695279f030dbb172e2d0245425c86c6",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "231086e6a36316b823654f4535653f22d6344420",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "bef85d58f7709896ed8426560ad117a73a37762f",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "d7fd24b8d1bb54c5bcf583139e11a5e651e0263c",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "7e7197e4d6a1bc72a774590d8765909f898be1dc",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "0c57f9ad2c3ed43abb764b0247d610ff7fdb7a00",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "c2509f7c37355e1f0bd5b7087815b845fd383723",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
},
{
"lessThan": "35a7a1ce7c7d61664ee54f5239a1f120ab95a87e",
"status": "affected",
"version": "838e4f44929782a2163c7bc95a7cd2da5d8b47f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: avoid possible NULL skb pointer dereference\n\nIn \u0027mwifiex_handle_uap_rx_forward()\u0027, always check the value\nreturned by \u0027skb_copy()\u0027 to avoid potential NULL pointer\ndereference in \u0027mwifiex_uap_queue_bridged_pkt()\u0027, and drop\noriginal skb in case of copying failure.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:28.469Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d155c5f64cefacdc6a9a26d40be53ee2903c28ff"
},
{
"url": "https://git.kernel.org/stable/c/139d285e7695279f030dbb172e2d0245425c86c6"
},
{
"url": "https://git.kernel.org/stable/c/231086e6a36316b823654f4535653f22d6344420"
},
{
"url": "https://git.kernel.org/stable/c/bef85d58f7709896ed8426560ad117a73a37762f"
},
{
"url": "https://git.kernel.org/stable/c/d7fd24b8d1bb54c5bcf583139e11a5e651e0263c"
},
{
"url": "https://git.kernel.org/stable/c/7e7197e4d6a1bc72a774590d8765909f898be1dc"
},
{
"url": "https://git.kernel.org/stable/c/0c57f9ad2c3ed43abb764b0247d610ff7fdb7a00"
},
{
"url": "https://git.kernel.org/stable/c/c2509f7c37355e1f0bd5b7087815b845fd383723"
},
{
"url": "https://git.kernel.org/stable/c/35a7a1ce7c7d61664ee54f5239a1f120ab95a87e"
}
],
"title": "wifi: mwifiex: avoid possible NULL skb pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53384",
"datePublished": "2025-09-18T13:33:28.469Z",
"dateReserved": "2025-09-17T14:54:09.736Z",
"dateUpdated": "2025-09-18T13:33:28.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53621 (GCVE-0-2023-53621)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memcontrol: ensure memcg acquired by id is properly set up
In the eviction recency check, we attempt to retrieve the memcg to which
the folio belonged when it was evicted, by the memcg id stored in the
shadow entry. However, there is a chance that the retrieved memcg is not
the original memcg that has been killed, but a new one which happens to
have the same id.
This is a somewhat unfortunate, but acceptable and rare inaccuracy in the
heuristics. However, if we retrieve this new memcg between its allocation
and when it is properly attached to the memcg hierarchy, we could run into
the following NULL pointer exception during the memcg hierarchy traversal
done in mem_cgroup_get_nr_swap_pages():
[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 155757.807568] #PF: supervisor read access in kernel mode
[ 155757.818024] #PF: error_code(0x0000) - not-present page
[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0
[ 155757.839985] Oops: 0000 [#1] SMP
[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0
[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 <48> 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48
[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286
[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000
[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000
[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0
[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000
[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354
[ 155758.019991] FS: 00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000
[ 155758.036356] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0
[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 155758.091376] PKRU: 55555554
[ 155758.096957] Call Trace:
[ 155758.102016] <TASK>
[ 155758.106502] ? __die+0x78/0xc0
[ 155758.112793] ? page_fault_oops+0x286/0x380
[ 155758.121175] ? exc_page_fault+0x5d/0x110
[ 155758.129209] ? asm_exc_page_fault+0x22/0x30
[ 155758.137763] ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0
[ 155758.148060] workingset_test_recent+0xda/0x1b0
[ 155758.157133] workingset_refault+0xca/0x1e0
[ 155758.165508] filemap_add_folio+0x4d/0x70
[ 155758.173538] page_cache_ra_unbounded+0xed/0x190
[ 155758.182919] page_cache_sync_ra+0xd6/0x1e0
[ 155758.191738] filemap_read+0x68d/0xdf0
[ 155758.199495] ? mlx5e_napi_poll+0x123/0x940
[ 155758.207981] ? __napi_schedule+0x55/0x90
[ 155758.216095] __x64_sys_pread64+0x1d6/0x2c0
[ 155758.224601] do_syscall_64+0x3d/0x80
[ 155758.232058] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 155758.242473] RIP: 0033:0x7f62c29153b5
[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b
[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011
[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5
[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076
[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c
[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041
[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450
[ 155758.376661] </TASK>
This patch fixes the issue by moving the memcg's id publication from the
alloc stage to
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9d30c38ee859d833a51131b5b4b864c7a6219d0",
"status": "affected",
"version": "f78dfc7b77d5c3527d0f895bef693f711802de5a",
"versionType": "git"
},
{
"lessThan": "6f0df8e16eb543167f2929cb756e695709a3551d",
"status": "affected",
"version": "f78dfc7b77d5c3527d0f895bef693f711802de5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memcontrol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcontrol: ensure memcg acquired by id is properly set up\n\nIn the eviction recency check, we attempt to retrieve the memcg to which\nthe folio belonged when it was evicted, by the memcg id stored in the\nshadow entry. However, there is a chance that the retrieved memcg is not\nthe original memcg that has been killed, but a new one which happens to\nhave the same id.\n\nThis is a somewhat unfortunate, but acceptable and rare inaccuracy in the\nheuristics. However, if we retrieve this new memcg between its allocation\nand when it is properly attached to the memcg hierarchy, we could run into\nthe following NULL pointer exception during the memcg hierarchy traversal\ndone in mem_cgroup_get_nr_swap_pages():\n\n[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[ 155757.807568] #PF: supervisor read access in kernel mode\n[ 155757.818024] #PF: error_code(0x0000) - not-present page\n[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0\n[ 155757.839985] Oops: 0000 [#1] SMP\n[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 \u003c48\u003e 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48\n[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286\n[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000\n[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000\n[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0\n[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000\n[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354\n[ 155758.019991] FS: 00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000\n[ 155758.036356] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0\n[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 155758.091376] PKRU: 55555554\n[ 155758.096957] Call Trace:\n[ 155758.102016] \u003cTASK\u003e\n[ 155758.106502] ? __die+0x78/0xc0\n[ 155758.112793] ? page_fault_oops+0x286/0x380\n[ 155758.121175] ? exc_page_fault+0x5d/0x110\n[ 155758.129209] ? asm_exc_page_fault+0x22/0x30\n[ 155758.137763] ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155758.148060] workingset_test_recent+0xda/0x1b0\n[ 155758.157133] workingset_refault+0xca/0x1e0\n[ 155758.165508] filemap_add_folio+0x4d/0x70\n[ 155758.173538] page_cache_ra_unbounded+0xed/0x190\n[ 155758.182919] page_cache_sync_ra+0xd6/0x1e0\n[ 155758.191738] filemap_read+0x68d/0xdf0\n[ 155758.199495] ? mlx5e_napi_poll+0x123/0x940\n[ 155758.207981] ? __napi_schedule+0x55/0x90\n[ 155758.216095] __x64_sys_pread64+0x1d6/0x2c0\n[ 155758.224601] do_syscall_64+0x3d/0x80\n[ 155758.232058] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 155758.242473] RIP: 0033:0x7f62c29153b5\n[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b\n[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5\n[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076\n[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c\n[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041\n[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450\n[ 155758.376661] \u003c/TASK\u003e\n\nThis patch fixes the issue by moving the memcg\u0027s id publication from the\nalloc stage to \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:27.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9d30c38ee859d833a51131b5b4b864c7a6219d0"
},
{
"url": "https://git.kernel.org/stable/c/6f0df8e16eb543167f2929cb756e695709a3551d"
}
],
"title": "memcontrol: ensure memcg acquired by id is properly set up",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53621",
"datePublished": "2025-10-07T15:19:27.372Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:27.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53715 (GCVE-0-2023-53715)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
Apparently the hex passphrase mechanism does not work on newer
chips/firmware (e.g. BCM4387). It seems there was a simple way of
passing it in binary all along, so use that and avoid the hexification.
OpenBSD has been doing it like this from the beginning, so this should
work on all chips.
Also clear the structure before setting the PMK. This was leaking
uninitialized stack contents to the device.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1687845eb8f37360a9ee849a3587ab659b090773",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bc34facb90ceeff6f8c17d2006575a6d07c3825",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56c7e9c39bd54fd753c0c4b1ed10278cbd3a5f02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e8dc0e5c7636efaadbd7e488acd34b4291c0431",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e242c66f7ecfe8f5b6eb308f4ea464fd8589c866",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8a6c53ff1d91acd5a20eb627edbffd816eb9a4e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fa3a5226b05e0a797c68b9609dcebe0cd236b27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89b89e52153fda2733562776c7c9d9d3ebf8dd6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex\n\nApparently the hex passphrase mechanism does not work on newer\nchips/firmware (e.g. BCM4387). It seems there was a simple way of\npassing it in binary all along, so use that and avoid the hexification.\n\nOpenBSD has been doing it like this from the beginning, so this should\nwork on all chips.\n\nAlso clear the structure before setting the PMK. This was leaking\nuninitialized stack contents to the device."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:48.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1687845eb8f37360a9ee849a3587ab659b090773"
},
{
"url": "https://git.kernel.org/stable/c/2bc34facb90ceeff6f8c17d2006575a6d07c3825"
},
{
"url": "https://git.kernel.org/stable/c/56c7e9c39bd54fd753c0c4b1ed10278cbd3a5f02"
},
{
"url": "https://git.kernel.org/stable/c/4e8dc0e5c7636efaadbd7e488acd34b4291c0431"
},
{
"url": "https://git.kernel.org/stable/c/e242c66f7ecfe8f5b6eb308f4ea464fd8589c866"
},
{
"url": "https://git.kernel.org/stable/c/f8a6c53ff1d91acd5a20eb627edbffd816eb9a4e"
},
{
"url": "https://git.kernel.org/stable/c/2fa3a5226b05e0a797c68b9609dcebe0cd236b27"
},
{
"url": "https://git.kernel.org/stable/c/89b89e52153fda2733562776c7c9d9d3ebf8dd6d"
}
],
"title": "wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53715",
"datePublished": "2025-10-22T13:23:48.905Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:48.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53339 (GCVE-0-2023-53339)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix BUG_ON condition in btrfs_cancel_balance
Pausing and canceling balance can race to interrupt balance lead to BUG_ON
panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance
does not take this race scenario into account.
However, the race condition has no other side effects. We can fix that.
Reproducing it with panic trace like this:
kernel BUG at fs/btrfs/volumes.c:4618!
RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0
Call Trace:
<TASK>
? do_nanosleep+0x60/0x120
? hrtimer_nanosleep+0xb7/0x1a0
? sched_core_clone_cookie+0x70/0x70
btrfs_ioctl_balance_ctl+0x55/0x70
btrfs_ioctl+0xa46/0xd20
__x64_sys_ioctl+0x7d/0xa0
do_syscall_64+0x38/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Race scenario as follows:
> mutex_unlock(&fs_info->balance_mutex);
> --------------------
> .......issue pause and cancel req in another thread
> --------------------
> ret = __btrfs_balance(fs_info);
>
> mutex_lock(&fs_info->balance_mutex);
> if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) {
> btrfs_info(fs_info, "balance: paused");
> btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED);
> }
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c93b89cd46636b5e74c12fa21dd86167bc6ea8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a0a462a0f20926918d6009f0b4b25673e883fc98",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd7bef82ce0e929ef4cf63a34990545aaca28077",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b966e9e1e250dfdb41a7f41775faea4a37af923c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ceb9ba8e30833a4823e2dc73f80ebcdf2498d01a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae81329f7de3aa6f34ecdfa5412e72161a30e9ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29eefa6d0d07e185f7bfe9576f91e6dba98189c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix BUG_ON condition in btrfs_cancel_balance\n\nPausing and canceling balance can race to interrupt balance lead to BUG_ON\npanic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance\ndoes not take this race scenario into account.\n\nHowever, the race condition has no other side effects. We can fix that.\n\nReproducing it with panic trace like this:\n\n kernel BUG at fs/btrfs/volumes.c:4618!\n RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0\n Call Trace:\n \u003cTASK\u003e\n ? do_nanosleep+0x60/0x120\n ? hrtimer_nanosleep+0xb7/0x1a0\n ? sched_core_clone_cookie+0x70/0x70\n btrfs_ioctl_balance_ctl+0x55/0x70\n btrfs_ioctl+0xa46/0xd20\n __x64_sys_ioctl+0x7d/0xa0\n do_syscall_64+0x38/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Race scenario as follows:\n \u003e mutex_unlock(\u0026fs_info-\u003ebalance_mutex);\n \u003e --------------------\n \u003e .......issue pause and cancel req in another thread\n \u003e --------------------\n \u003e ret = __btrfs_balance(fs_info);\n \u003e\n \u003e mutex_lock(\u0026fs_info-\u003ebalance_mutex);\n \u003e if (ret == -ECANCELED \u0026\u0026 atomic_read(\u0026fs_info-\u003ebalance_pause_req)) {\n \u003e btrfs_info(fs_info, \"balance: paused\");\n \u003e btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED);\n \u003e }"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:33.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c93b89cd46636b5e74c12fa21dd86167bc6ea8d"
},
{
"url": "https://git.kernel.org/stable/c/a0a462a0f20926918d6009f0b4b25673e883fc98"
},
{
"url": "https://git.kernel.org/stable/c/bd7bef82ce0e929ef4cf63a34990545aaca28077"
},
{
"url": "https://git.kernel.org/stable/c/b966e9e1e250dfdb41a7f41775faea4a37af923c"
},
{
"url": "https://git.kernel.org/stable/c/ceb9ba8e30833a4823e2dc73f80ebcdf2498d01a"
},
{
"url": "https://git.kernel.org/stable/c/ae81329f7de3aa6f34ecdfa5412e72161a30e9ce"
},
{
"url": "https://git.kernel.org/stable/c/29eefa6d0d07e185f7bfe9576f91e6dba98189c2"
}
],
"title": "btrfs: fix BUG_ON condition in btrfs_cancel_balance",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53339",
"datePublished": "2025-09-17T14:56:33.114Z",
"dateReserved": "2025-09-16T16:08:59.565Z",
"dateUpdated": "2025-09-17T14:56:33.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39694 (GCVE-0-2025-39694)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/sclp: Fix SCCB present check
Tracing code called by the SCLP interrupt handler contains early exits
if the SCCB address associated with an interrupt is NULL. This check is
performed after physical to virtual address translation.
If the kernel identity mapping does not start at address zero, the
resulting virtual address is never zero, so that the NULL checks won't
work. Subsequently this may result in incorrect accesses to the first
page of the identity mapping.
Fix this by introducing a function that handles the NULL case before
address translation.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:26.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/char/sclp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa5073ac1a2a274812f3b04c278992e68ff67cc7",
"status": "affected",
"version": "ada1da31ce34248bc97ca8f801f2cf6efa378a81",
"versionType": "git"
},
{
"lessThan": "86c2825791c3836a8f77a954b9c5ebe6fab410c5",
"status": "affected",
"version": "ada1da31ce34248bc97ca8f801f2cf6efa378a81",
"versionType": "git"
},
{
"lessThan": "61605c847599fbfdfafe638607841c7d73719081",
"status": "affected",
"version": "ada1da31ce34248bc97ca8f801f2cf6efa378a81",
"versionType": "git"
},
{
"lessThan": "bf83ae3537359af088d6577812ed93113dfbcb7b",
"status": "affected",
"version": "ada1da31ce34248bc97ca8f801f2cf6efa378a81",
"versionType": "git"
},
{
"lessThan": "430fa71027b6ac9bb0ce5532b8d0676777d4219a",
"status": "affected",
"version": "ada1da31ce34248bc97ca8f801f2cf6efa378a81",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/char/sclp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix SCCB present check\n\nTracing code called by the SCLP interrupt handler contains early exits\nif the SCCB address associated with an interrupt is NULL. This check is\nperformed after physical to virtual address translation.\n\nIf the kernel identity mapping does not start at address zero, the\nresulting virtual address is never zero, so that the NULL checks won\u0027t\nwork. Subsequently this may result in incorrect accesses to the first\npage of the identity mapping.\n\nFix this by introducing a function that handles the NULL case before\naddress translation."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:33.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa5073ac1a2a274812f3b04c278992e68ff67cc7"
},
{
"url": "https://git.kernel.org/stable/c/86c2825791c3836a8f77a954b9c5ebe6fab410c5"
},
{
"url": "https://git.kernel.org/stable/c/61605c847599fbfdfafe638607841c7d73719081"
},
{
"url": "https://git.kernel.org/stable/c/bf83ae3537359af088d6577812ed93113dfbcb7b"
},
{
"url": "https://git.kernel.org/stable/c/430fa71027b6ac9bb0ce5532b8d0676777d4219a"
}
],
"title": "s390/sclp: Fix SCCB present check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39694",
"datePublished": "2025-09-05T17:21:00.361Z",
"dateReserved": "2025-04-16T07:20:57.114Z",
"dateUpdated": "2025-11-03T17:42:26.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53581 (GCVE-0-2023-53581)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Check for NOT_READY flag state after locking
Currently the check for NOT_READY flag is performed before obtaining the
necessary lock. This opens a possibility for race condition when the flow
is concurrently removed from unready_flows list by the workqueue task,
which causes a double-removal from the list and a crash[0]. Fix the issue
by moving the flag check inside the section protected by
uplink_priv->unready_flows_lock mutex.
[0]:
[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1
[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06
[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246
[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00
[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0
[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001
[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000
[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000
[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000
[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0
[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[44376.406339] Call Trace:
[44376.406651] <TASK>
[44376.406939] ? die_addr+0x33/0x90
[44376.407311] ? exc_general_protection+0x192/0x390
[44376.407795] ? asm_exc_general_protection+0x22/0x30
[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]
[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]
[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core]
[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core]
[44376.411043] tc_setup_cb_reoffload+0x22/0x80
[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower]
[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
[44376.413044] tcf_block_playback_offloads+0x76/0x170
[44376.413497] tcf_block_unbind+0x7b/0xd0
[44376.413881] tcf_block_setup+0x17d/0x1c0
[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130
[44376.414725] tcf_block_offload_unbind+0x43/0x70
[44376.415153] __tcf_block_put+0x82/0x150
[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress]
[44376.415986] qdisc_destroy+0x3b/0xd0
[44376.416343] qdisc_graft+0x4d0/0x620
[44376.416706] tc_get_qdisc+0x1c9/0x3b0
[44376.417074] rtnetlink_rcv_msg+0x29c/0x390
[44376.419978] ? rep_movs_alternative+0x3a/0xa0
[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120
[44376.420813] netlink_rcv_skb+0x54/0x100
[44376.421192] netlink_unicast+0x1f6/0x2c0
[44376.421573] netlink_sendmsg+0x232/0x4a0
[44376.421980] sock_sendmsg+0x38/0x60
[44376.422328] ____sys_sendmsg+0x1d0/0x1e0
[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0
[44376.423127] ___sys_sendmsg+0x80/0xc0
[44376.423495] ? ___sys_recvmsg+0x8b/0xc0
[44376.423869] __sys_sendmsg+0x51/0x90
[44376.424226] do_syscall_64+0x3d/0x90
[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[44376.425046] RIP: 0033:0x7f045134f887
[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30c281a77fb1b2d362030ea243dd663201d62a21",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "82ac62d76a000871004f534ad294e763e966d3b0",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "e962fd5933ebc767ce2a1cf7b7c85035b5a5d04c",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "f7ceedd1d124217a67ed1a67bbd7a7b1288705e3",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
},
{
"lessThan": "65e64640e97c0f223e77f9ea69b5a46186b93470",
"status": "affected",
"version": "ad86755b18d5edf1956f6d25c844f27289216877",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Check for NOT_READY flag state after locking\n\nCurrently the check for NOT_READY flag is performed before obtaining the\nnecessary lock. This opens a possibility for race condition when the flow\nis concurrently removed from unready_flows list by the workqueue task,\nwhich causes a double-removal from the list and a crash[0]. Fix the issue\nby moving the flag check inside the section protected by\nuplink_priv-\u003eunready_flows_lock mutex.\n\n[0]:\n[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1\n[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 \u003c48\u003e 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06\n[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246\n[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00\n[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0\n[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001\n[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000\n[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000\n[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000\n[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0\n[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[44376.406339] Call Trace:\n[44376.406651] \u003cTASK\u003e\n[44376.406939] ? die_addr+0x33/0x90\n[44376.407311] ? exc_general_protection+0x192/0x390\n[44376.407795] ? asm_exc_general_protection+0x22/0x30\n[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]\n[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]\n[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core]\n[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core]\n[44376.411043] tc_setup_cb_reoffload+0x22/0x80\n[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower]\n[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.413044] tcf_block_playback_offloads+0x76/0x170\n[44376.413497] tcf_block_unbind+0x7b/0xd0\n[44376.413881] tcf_block_setup+0x17d/0x1c0\n[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130\n[44376.414725] tcf_block_offload_unbind+0x43/0x70\n[44376.415153] __tcf_block_put+0x82/0x150\n[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress]\n[44376.415986] qdisc_destroy+0x3b/0xd0\n[44376.416343] qdisc_graft+0x4d0/0x620\n[44376.416706] tc_get_qdisc+0x1c9/0x3b0\n[44376.417074] rtnetlink_rcv_msg+0x29c/0x390\n[44376.419978] ? rep_movs_alternative+0x3a/0xa0\n[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120\n[44376.420813] netlink_rcv_skb+0x54/0x100\n[44376.421192] netlink_unicast+0x1f6/0x2c0\n[44376.421573] netlink_sendmsg+0x232/0x4a0\n[44376.421980] sock_sendmsg+0x38/0x60\n[44376.422328] ____sys_sendmsg+0x1d0/0x1e0\n[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0\n[44376.423127] ___sys_sendmsg+0x80/0xc0\n[44376.423495] ? ___sys_recvmsg+0x8b/0xc0\n[44376.423869] __sys_sendmsg+0x51/0x90\n[44376.424226] do_syscall_64+0x3d/0x90\n[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[44376.425046] RIP: 0033:0x7f045134f887\n[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:57.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30c281a77fb1b2d362030ea243dd663201d62a21"
},
{
"url": "https://git.kernel.org/stable/c/82ac62d76a000871004f534ad294e763e966d3b0"
},
{
"url": "https://git.kernel.org/stable/c/e962fd5933ebc767ce2a1cf7b7c85035b5a5d04c"
},
{
"url": "https://git.kernel.org/stable/c/f7ceedd1d124217a67ed1a67bbd7a7b1288705e3"
},
{
"url": "https://git.kernel.org/stable/c/65e64640e97c0f223e77f9ea69b5a46186b93470"
}
],
"title": "net/mlx5e: Check for NOT_READY flag state after locking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53581",
"datePublished": "2025-10-04T15:43:57.758Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:43:57.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53510 (GCVE-0-2023-53510)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix handling of lrbp->cmd
ufshcd_queuecommand() may be called two times in a row for a SCSI command
before it is completed. Hence make the following changes:
- In the functions that submit a command, do not check the old value of
lrbp->cmd nor clear lrbp->cmd in error paths.
- In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.
See also scsi_send_eh_cmnd().
This commit prevents that the following appears if a command times out:
WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8
Call trace:
ufshcd_queuecommand+0x6f8/0x9a8
scsi_send_eh_cmnd+0x2c0/0x960
scsi_eh_test_devices+0x100/0x314
scsi_eh_ready_devs+0xd90/0x114c
scsi_error_handler+0x2b4/0xb70
kthread+0x16c/0x1e0
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3ee24af62681b942bbd799ac77b90a6d7e1fdb1",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
},
{
"lessThan": "49234a401e161a2f2698f4612ab792c49b3cad1b",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
},
{
"lessThan": "549e91a9bbaa0ee480f59357868421a61d369770",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix handling of lrbp-\u003ecmd\n\nufshcd_queuecommand() may be called two times in a row for a SCSI command\nbefore it is completed. Hence make the following changes:\n\n - In the functions that submit a command, do not check the old value of\n lrbp-\u003ecmd nor clear lrbp-\u003ecmd in error paths.\n\n - In ufshcd_release_scsi_cmd(), do not clear lrbp-\u003ecmd.\n\nSee also scsi_send_eh_cmnd().\n\nThis commit prevents that the following appears if a command times out:\n\nWARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8\nCall trace:\n ufshcd_queuecommand+0x6f8/0x9a8\n scsi_send_eh_cmnd+0x2c0/0x960\n scsi_eh_test_devices+0x100/0x314\n scsi_eh_ready_devs+0xd90/0x114c\n scsi_error_handler+0x2b4/0xb70\n kthread+0x16c/0x1e0"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:59.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3ee24af62681b942bbd799ac77b90a6d7e1fdb1"
},
{
"url": "https://git.kernel.org/stable/c/49234a401e161a2f2698f4612ab792c49b3cad1b"
},
{
"url": "https://git.kernel.org/stable/c/549e91a9bbaa0ee480f59357868421a61d369770"
}
],
"title": "scsi: ufs: core: Fix handling of lrbp-\u003ecmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53510",
"datePublished": "2025-10-01T11:45:59.421Z",
"dateReserved": "2025-10-01T11:39:39.405Z",
"dateUpdated": "2025-10-01T11:45:59.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39800 (GCVE-0-2025-39800)
Vulnerability from cvelistv5
Published
2025-09-15 12:36
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
If we find an unexpected generation for the extent buffer we are cloning
at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the
transaction, meaning we allow to persist metadata with an unexpected
generation. Instead of warning only, abort the transaction and return
-EUCLEAN.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:30.834Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ctree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4290e34fb87ae556b12c216efd0ae91583446b7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4734255ef39b416864139dcda96a387fe5f33a6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da2124719f386b6e5d4d4b1a2e67c440e4d5892f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f4f5bd9251a4cbe55aaa05725c6c3c32ad1f74b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33e8f24b52d2796b8cfb28c19a1a7dd6476323a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ctree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort transaction on unexpected eb generation at btrfs_copy_root()\n\nIf we find an unexpected generation for the extent buffer we are cloning\nat btrfs_copy_root(), we just WARN_ON() and don\u0027t error out and abort the\ntransaction, meaning we allow to persist metadata with an unexpected\ngeneration. Instead of warning only, abort the transaction and return\n-EUCLEAN."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:40.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4290e34fb87ae556b12c216efd0ae91583446b7a"
},
{
"url": "https://git.kernel.org/stable/c/4734255ef39b416864139dcda96a387fe5f33a6a"
},
{
"url": "https://git.kernel.org/stable/c/da2124719f386b6e5d4d4b1a2e67c440e4d5892f"
},
{
"url": "https://git.kernel.org/stable/c/f4f5bd9251a4cbe55aaa05725c6c3c32ad1f74b3"
},
{
"url": "https://git.kernel.org/stable/c/33e8f24b52d2796b8cfb28c19a1a7dd6476323a8"
}
],
"title": "btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39800",
"datePublished": "2025-09-15T12:36:43.043Z",
"dateReserved": "2025-04-16T07:20:57.133Z",
"dateUpdated": "2025-11-03T17:43:30.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39925 (GCVE-0-2025-39925)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-01 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: implement NETDEV_UNREGISTER notification handler
syzbot is reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
problem, for j1939 protocol did not have NETDEV_UNREGISTER notification
handler for undoing changes made by j1939_sk_bind().
Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But we need to call
j1939_priv_put() against an extra ref held by j1939_sk_bind() call
(as a part of undoing changes made by j1939_sk_bind()) as soon as
NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()
is called via j1939_sk_release()). Otherwise, the extra ref on "struct
j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from
dropping the usage count to 1; making it impossible for
unregister_netdevice() to continue.
[mkl: remove space in front of label]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da9e8f429139928570407e8f90559b5d46c20262",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:13.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da9e8f429139928570407e8f90559b5d46c20262"
},
{
"url": "https://git.kernel.org/stable/c/7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a"
}
],
"title": "can: j1939: implement NETDEV_UNREGISTER notification handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39925",
"datePublished": "2025-10-01T08:07:13.123Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T08:07:13.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39861 (GCVE-0-2025-39861)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
Move the creation of debugfs files into a dedicated function, and ensure
they are explicitly removed during vhci_release(), before associated
data structures are freed.
Previously, debugfs files such as "force_suspend", "force_wakeup", and
others were created under hdev->debugfs but not removed in
vhci_release(). Since vhci_release() frees the backing vhci_data
structure, any access to these files after release would result in
use-after-free errors.
Although hdev->debugfs is later freed in hci_release_dev(), user can
access files after vhci_data is freed but before hdev->debugfs is
released.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_vhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd75eba88e88d7b896b0c737b02a74a12afc235f",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "1503756fffe76d5aea2371a4b8dee20c3577bcfd",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "7cc08f2f127b9a66f46ea918e34353811a7cb378",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
},
{
"lessThan": "28010791193a4503f054e8d69a950ef815deb539",
"status": "affected",
"version": "ab4e4380d4e158486e595013a2635190e07e28ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_vhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: vhci: Prevent use-after-free by removing debugfs files early\n\nMove the creation of debugfs files into a dedicated function, and ensure\nthey are explicitly removed during vhci_release(), before associated\ndata structures are freed.\n\nPreviously, debugfs files such as \"force_suspend\", \"force_wakeup\", and\nothers were created under hdev-\u003edebugfs but not removed in\nvhci_release(). Since vhci_release() frees the backing vhci_data\nstructure, any access to these files after release would result in\nuse-after-free errors.\n\nAlthough hdev-\u003edebugfs is later freed in hci_release_dev(), user can\naccess files after vhci_data is freed but before hdev-\u003edebugfs is\nreleased."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:16.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd75eba88e88d7b896b0c737b02a74a12afc235f"
},
{
"url": "https://git.kernel.org/stable/c/1503756fffe76d5aea2371a4b8dee20c3577bcfd"
},
{
"url": "https://git.kernel.org/stable/c/7cc08f2f127b9a66f46ea918e34353811a7cb378"
},
{
"url": "https://git.kernel.org/stable/c/28010791193a4503f054e8d69a950ef815deb539"
}
],
"title": "Bluetooth: vhci: Prevent use-after-free by removing debugfs files early",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39861",
"datePublished": "2025-09-19T15:26:31.519Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:16.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53559 (GCVE-0-2023-53559)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip_vti: fix potential slab-use-after-free in decode_session6
When ip_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ip_vti device sends IPv6 packets.
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82fb41c5de243e7dfa90f32ca58e35adaff56c1d",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "7dfe23659f3677c08a60a0056cda2d91a79c15ca",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "d34c30442d5e53a33cde79ca163320dbe2432cbd",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "0b4d69539fdea138af2befe08893850c89248068",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "e1e04cc2ef2c0c0866c19f5627149a76c2baae32",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "2b05bf5dc437f7891dd409a3eaf5058459391c7a",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "78e397a43e1c47321a4679cc49a6c4530bf820b9",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "6018a266279b1a75143c7c0804dd08a5fc4c3e0b",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_vti: fix potential slab-use-after-free in decode_session6\n\nWhen ip_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ip_vti device sends IPv6 packets.\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)-\u003enhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:03.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82fb41c5de243e7dfa90f32ca58e35adaff56c1d"
},
{
"url": "https://git.kernel.org/stable/c/7dfe23659f3677c08a60a0056cda2d91a79c15ca"
},
{
"url": "https://git.kernel.org/stable/c/d34c30442d5e53a33cde79ca163320dbe2432cbd"
},
{
"url": "https://git.kernel.org/stable/c/0b4d69539fdea138af2befe08893850c89248068"
},
{
"url": "https://git.kernel.org/stable/c/e1e04cc2ef2c0c0866c19f5627149a76c2baae32"
},
{
"url": "https://git.kernel.org/stable/c/2b05bf5dc437f7891dd409a3eaf5058459391c7a"
},
{
"url": "https://git.kernel.org/stable/c/78e397a43e1c47321a4679cc49a6c4530bf820b9"
},
{
"url": "https://git.kernel.org/stable/c/6018a266279b1a75143c7c0804dd08a5fc4c3e0b"
}
],
"title": "ip_vti: fix potential slab-use-after-free in decode_session6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53559",
"datePublished": "2025-10-04T15:17:03.497Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:03.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40049 (GCVE-0-2025-40049)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix uninit-value in squashfs_get_parent
Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
This is caused by open_by_handle_at() being called with a file handle
containing an invalid parent inode number. In particular the inode number
is that of a symbolic link, rather than a directory.
Squashfs_get_parent() gets called with that symbolic link inode, and
accesses the parent member field.
unsigned int parent_ino = squashfs_i(inode)->parent;
Because non-directory inodes in Squashfs do not have a parent value, this
is uninitialised, and this causes an uninitialised value access.
The fix is to initialise parent with the invalid inode 0, which will cause
an EINVAL error to be returned.
Regular inodes used to share the parent field with the block_list_start
field. This is removed in this commit to enable the parent field to
contain the invalid inode number 0.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81a5bc9e924ee1950e0dd82bd10749048390f6e",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "382a47fae449e554ef1e8c198667fd2f3270b945",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "61d38b5ce2782bff3cacaacbb8164087a73ed1a5",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "81a2bca52d43fc9d9abf07408b91255131c5dc53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "c28b0ca029edf5d0558abcd76cb8c732706cd339",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "1b3ccd0019132880c94bb00ca7088c1749308f82",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "91b99db7a92e57ff48a96a1b10fddfd2547e7f53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix uninit-value in squashfs_get_parent\n\nSyzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.\n\nThis is caused by open_by_handle_at() being called with a file handle\ncontaining an invalid parent inode number. In particular the inode number\nis that of a symbolic link, rather than a directory.\n\nSquashfs_get_parent() gets called with that symbolic link inode, and\naccesses the parent member field.\n\n\tunsigned int parent_ino = squashfs_i(inode)-\u003eparent;\n\nBecause non-directory inodes in Squashfs do not have a parent value, this\nis uninitialised, and this causes an uninitialised value access.\n\nThe fix is to initialise parent with the invalid inode 0, which will cause\nan EINVAL error to be returned.\n\nRegular inodes used to share the parent field with the block_list_start\nfield. This is removed in this commit to enable the parent field to\ncontain the invalid inode number 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:50.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81a5bc9e924ee1950e0dd82bd10749048390f6e"
},
{
"url": "https://git.kernel.org/stable/c/382a47fae449e554ef1e8c198667fd2f3270b945"
},
{
"url": "https://git.kernel.org/stable/c/61d38b5ce2782bff3cacaacbb8164087a73ed1a5"
},
{
"url": "https://git.kernel.org/stable/c/81a2bca52d43fc9d9abf07408b91255131c5dc53"
},
{
"url": "https://git.kernel.org/stable/c/c28b0ca029edf5d0558abcd76cb8c732706cd339"
},
{
"url": "https://git.kernel.org/stable/c/1b3ccd0019132880c94bb00ca7088c1749308f82"
},
{
"url": "https://git.kernel.org/stable/c/91b99db7a92e57ff48a96a1b10fddfd2547e7f53"
},
{
"url": "https://git.kernel.org/stable/c/74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf"
}
],
"title": "Squashfs: fix uninit-value in squashfs_get_parent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40049",
"datePublished": "2025-10-28T11:48:25.862Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-10-29T13:19:50.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38699 (GCVE-0-2025-38699)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: bfa: Double-free fix
When the bfad_im_probe() function fails during initialization, the memory
pointed to by bfad->im is freed without setting bfad->im to NULL.
Subsequently, during driver uninstallation, when the state machine enters
the bfad_sm_stopping state and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again, thereby
triggering a double-free vulnerability.
Set bfad->im to NULL if probing fails.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:29.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/bfa/bfad_im.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "684c92bb08a25ed3c0356bc7eb532ed5b19588dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9337c2affbaebe00b75fdf84ea0e2fcf93c140af",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba024d92564580bb90ec367248ace8efe16ce815",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8e03dd9fadf76db5b9799583074a1a2a54f787f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39cfe2c83146aad956318f866d0ee471b7a61fa5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "13f613228cf3c96a038424cd97aa4d6aadc66294",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8456f862cb95bcc3a831e1ba87c0c17068be0f3f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "50d9bd48321038bd6e15af5a454bbcd180cf6f80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/bfa/bfad_im.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Double-free fix\n\nWhen the bfad_im_probe() function fails during initialization, the memory\npointed to by bfad-\u003eim is freed without setting bfad-\u003eim to NULL.\n\nSubsequently, during driver uninstallation, when the state machine enters\nthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,\nit attempts to free the memory pointed to by bfad-\u003eim again, thereby\ntriggering a double-free vulnerability.\n\nSet bfad-\u003eim to NULL if probing fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:17.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/684c92bb08a25ed3c0356bc7eb532ed5b19588dd"
},
{
"url": "https://git.kernel.org/stable/c/9337c2affbaebe00b75fdf84ea0e2fcf93c140af"
},
{
"url": "https://git.kernel.org/stable/c/ba024d92564580bb90ec367248ace8efe16ce815"
},
{
"url": "https://git.kernel.org/stable/c/8e03dd9fadf76db5b9799583074a1a2a54f787f1"
},
{
"url": "https://git.kernel.org/stable/c/39cfe2c83146aad956318f866d0ee471b7a61fa5"
},
{
"url": "https://git.kernel.org/stable/c/13f613228cf3c96a038424cd97aa4d6aadc66294"
},
{
"url": "https://git.kernel.org/stable/c/8456f862cb95bcc3a831e1ba87c0c17068be0f3f"
},
{
"url": "https://git.kernel.org/stable/c/50d9bd48321038bd6e15af5a454bbcd180cf6f80"
},
{
"url": "https://git.kernel.org/stable/c/add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9"
}
],
"title": "scsi: bfa: Double-free fix",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38699",
"datePublished": "2025-09-04T15:32:51.420Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:29.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47706 (GCVE-0-2024-47706)
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-11-03 22:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain
1) initial state, three tasks:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| Λ | Λ | Λ
| | | | | |
V | V | V |
bfqq1 bfqq2 bfqq3
process ref: 1 1 1
2) bfqq1 merged to bfqq2:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| | | Λ
\--------------\| | |
V V |
bfqq1--------->bfqq2 bfqq3
process ref: 0 2 1
3) bfqq2 merged to bfqq3:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
here -> Λ | |
\--------------\ \-------------\|
V V
bfqq1--------->bfqq2---------->bfqq3
process ref: 0 1 3
In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.
bfq_insert_request
-> by Process 1
bfqq = bfq_init_rq(rq)
bfqq = bfq_get_bfqq_handle_split
bfqq = bic_to_bfqq
-> get bfqq2 from BIC1
bfqq->ref++
rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1)
bfqq->bic = bic
-> record BIC1 to bfqq2
__bfq_insert_request
new_bfqq = bfq_setup_cooperator
-> get bfqq3 from bfqq2->new_bfqq
bfqq_request_freed(bfqq)
new_bfqq->ref++
rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3
Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x10d/0x610 mm/kasan/report.c:475
kasan_report+0x8e/0xc0 mm/kasan/report.c:588
bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
bfq_init_rq block/bfq-iosched.c:6876 [inline]
bfq_insert_request block/bfq-iosched.c:6254 [inline]
bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
</TASK>
Allocated by task 20776:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3458 [inline]
kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:03:53.838190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:04:19.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:21:10.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9bdd5b36887d2bacb8bc777fd18317c99fc2587",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "bc2140534b2aae752e4f7cb4489642dbb5ec4777",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "e1277ae780cca4e69ef5468d4582dfd48f0b8320",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "8aa9de02a4be2e7006e636816ce19b0d667ceaa3",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "ddbdaad123254fb53e32480cb74a486a6868b1e0",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "7faed2896d78e48ec96229e73b30b0af6c00a9aa",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "880692ee233ba63808182705b3333403413b58f5",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "6d130db286ad0ea392c96ebb2551acf0d7308048",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
},
{
"lessThan": "18ad4df091dd5d067d2faa8fce1180b79f7041a7",
"status": "affected",
"version": "36eca894832351feed9072d0f97eb06fc9482ca4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | \u039b | \u039b\t\t | \u039b\n\t\t | | | |\t\t | |\n\t\t V | V |\t\t V |\n\t\t bfqq1 bfqq2\t\t bfqq3\nprocess ref:\t 1\t\t 1\t\t 1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | |\t\t | \u039b\n\t\t \\--------------\\|\t\t | |\n\t\t V\t\t V |\n\t\t bfqq1---------\u003ebfqq2\t\t bfqq3\nprocess ref:\t 0\t\t 2\t\t 1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t here -\u003e \u039b |\t\t |\n\t\t \\--------------\\ \\-------------\\|\n\t\t V\t\t V\n\t\t bfqq1---------\u003ebfqq2----------\u003ebfqq3\nprocess ref:\t 0\t\t 1\t\t 3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2-\u003ebic to BIC1.\n\nbfq_insert_request\n-\u003e by Process 1\n bfqq = bfq_init_rq(rq)\n bfqq = bfq_get_bfqq_handle_split\n bfqq = bic_to_bfqq\n -\u003e get bfqq2 from BIC1\n bfqq-\u003eref++\n rq-\u003eelv.priv[0] = bic\n rq-\u003eelv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n bfqq-\u003ebic = bic\n -\u003e record BIC1 to bfqq2\n\n __bfq_insert_request\n new_bfqq = bfq_setup_cooperator\n -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\n bfqq_request_freed(bfqq)\n new_bfqq-\u003eref++\n rq-\u003eelv.priv[1] = new_bfqq\n -\u003e handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n \u003c/TASK\u003e\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:37:55.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587"
},
{
"url": "https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777"
},
{
"url": "https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320"
},
{
"url": "https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3"
},
{
"url": "https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0"
},
{
"url": "https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa"
},
{
"url": "https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5"
},
{
"url": "https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048"
},
{
"url": "https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7"
}
],
"title": "block, bfq: fix possible UAF for bfqq-\u003ebic with merge chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47706",
"datePublished": "2024-10-21T11:53:40.759Z",
"dateReserved": "2024-09-30T16:00:12.946Z",
"dateUpdated": "2025-11-03T22:21:10.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38181 (GCVE-0-2025-38181)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-11-03 17:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
syzkaller reported a null-ptr-deref in sock_omalloc() while allocating
a CALIPSO option. [0]
The NULL is of struct sock, which was fetched by sk_to_full_sk() in
calipso_req_setattr().
Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"),
reqsk->rsk_listener could be NULL when SYN Cookie is returned to its
client, as hinted by the leading SYN Cookie log.
Here are 3 options to fix the bug:
1) Return 0 in calipso_req_setattr()
2) Return an error in calipso_req_setattr()
3) Alaways set rsk_listener
1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie
for CALIPSO. 3) is also no go as there have been many efforts to reduce
atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35
("tcp/dccp: do not touch listener sk_refcnt under synflood").
As of the blamed commit, SYN Cookie already did not need refcounting,
and no one has stumbled on the bug for 9 years, so no CALIPSO user will
care about SYN Cookie.
Let's return an error in calipso_req_setattr() and calipso_req_delattr()
in the SYN Cookie case.
This can be reproduced by [1] on Fedora and now connect() of nc times out.
[0]:
TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806
Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff88811af89038 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400
RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030
RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e
R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000
R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050
FS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
<IRQ>
ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288
calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204
calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597
netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249
selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342
selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551
security_inet_conn_request+0x50/0xa0 security/security.c:4945
tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825
tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275
tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328
tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781
tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667
tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904
ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436
ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491
dst_input include/net/dst.h:469 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netf
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 Version: e1adea927080821ebfa7505bff752a4015955660 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:06.886Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "956f1499412ed0953f6a116df7fdb855e9f1fc66",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "f4ae0f61dd9a63329ecb49b1e6356139d43240b8",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "dc724bd34d56f5589f7587a091a8cda2386826c4",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "058dd4a370f23a5553a9449f2db53d5bfa88d45e",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "bde8833eb075ba8e8674de88e32de6b669966451",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "988edde4d52d5c02ea4dd95d7619372a5e2fb7b7",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "d092c7fd8e220b23d6c47e03d7d0cc79e731f379",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
},
{
"lessThan": "10876da918fa1aec0227fb4c67647513447f53a9",
"status": "affected",
"version": "e1adea927080821ebfa7505bff752a4015955660",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Fix null-ptr-deref in calipso_req_{set,del}attr().\n\nsyzkaller reported a null-ptr-deref in sock_omalloc() while allocating\na CALIPSO option. [0]\n\nThe NULL is of struct sock, which was fetched by sk_to_full_sk() in\ncalipso_req_setattr().\n\nSince commit a1a5344ddbe8 (\"tcp: avoid two atomic ops for syncookies\"),\nreqsk-\u003ersk_listener could be NULL when SYN Cookie is returned to its\nclient, as hinted by the leading SYN Cookie log.\n\nHere are 3 options to fix the bug:\n\n 1) Return 0 in calipso_req_setattr()\n 2) Return an error in calipso_req_setattr()\n 3) Alaways set rsk_listener\n\n1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie\nfor CALIPSO. 3) is also no go as there have been many efforts to reduce\natomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35\n(\"tcp/dccp: do not touch listener sk_refcnt under synflood\").\n\nAs of the blamed commit, SYN Cookie already did not need refcounting,\nand no one has stumbled on the bug for 9 years, so no CALIPSO user will\ncare about SYN Cookie.\n\nLet\u0027s return an error in calipso_req_setattr() and calipso_req_delattr()\nin the SYN Cookie case.\n\nThis can be reproduced by [1] on Fedora and now connect() of nc times out.\n\n[0]:\nTCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]\nRIP: 0010:sock_net include/net/sock.h:655 [inline]\nRIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806\nCode: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b\nRSP: 0018:ffff88811af89038 EFLAGS: 00010216\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400\nRDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030\nRBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e\nR10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000\nR13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050\nFS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n \u003cIRQ\u003e\n ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288\n calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204\n calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597\n netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249\n selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342\n selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551\n security_inet_conn_request+0x50/0xa0 security/security.c:4945\n tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825\n tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275\n tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328\n tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781\n tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667\n tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904\n ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436\n ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491\n dst_input include/net/dst.h:469 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netf\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:14:23.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/956f1499412ed0953f6a116df7fdb855e9f1fc66"
},
{
"url": "https://git.kernel.org/stable/c/f4ae0f61dd9a63329ecb49b1e6356139d43240b8"
},
{
"url": "https://git.kernel.org/stable/c/dc724bd34d56f5589f7587a091a8cda2386826c4"
},
{
"url": "https://git.kernel.org/stable/c/058dd4a370f23a5553a9449f2db53d5bfa88d45e"
},
{
"url": "https://git.kernel.org/stable/c/bde8833eb075ba8e8674de88e32de6b669966451"
},
{
"url": "https://git.kernel.org/stable/c/988edde4d52d5c02ea4dd95d7619372a5e2fb7b7"
},
{
"url": "https://git.kernel.org/stable/c/d092c7fd8e220b23d6c47e03d7d0cc79e731f379"
},
{
"url": "https://git.kernel.org/stable/c/10876da918fa1aec0227fb4c67647513447f53a9"
}
],
"title": "calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38181",
"datePublished": "2025-07-04T13:37:08.985Z",
"dateReserved": "2025-04-16T04:51:23.992Z",
"dateUpdated": "2025-11-03T17:35:06.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40035 (GCVE-0-2025-40035)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b317796013f666ae5040edbf0f230ec61496d42",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "877172b97786ed1678640dff0b2d35abb328844c",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "e63aade22a33e77b93c98c9f02db504d897a76b4",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "933b87c4590b42500299f00ff55f555903056803",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "fd8a23ecbc602d00e47b27f20b07350867d0ebe5",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "48c96b7e9e03516936d6deba54b5553097eae817",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "f5e1f3b85aadce74268c46676772c3e9fa79897e",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "d3366a04770eea807f2826cbdb96934dd8c9bf79",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n\nStruct ff_effect_compat is embedded twice inside\nuinput_ff_upload_compat, contains internal padding. In particular, there\nis a hole after struct ff_replay to satisfy alignment requirements for\nthe following union member. Without clearing the structure,\ncopy_to_user() may leak stack data to userspace.\n\nInitialize ff_up_compat to zero before filling valid fields."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:36.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b317796013f666ae5040edbf0f230ec61496d42"
},
{
"url": "https://git.kernel.org/stable/c/877172b97786ed1678640dff0b2d35abb328844c"
},
{
"url": "https://git.kernel.org/stable/c/e63aade22a33e77b93c98c9f02db504d897a76b4"
},
{
"url": "https://git.kernel.org/stable/c/933b87c4590b42500299f00ff55f555903056803"
},
{
"url": "https://git.kernel.org/stable/c/fd8a23ecbc602d00e47b27f20b07350867d0ebe5"
},
{
"url": "https://git.kernel.org/stable/c/48c96b7e9e03516936d6deba54b5553097eae817"
},
{
"url": "https://git.kernel.org/stable/c/f5e1f3b85aadce74268c46676772c3e9fa79897e"
},
{
"url": "https://git.kernel.org/stable/c/d3366a04770eea807f2826cbdb96934dd8c9bf79"
}
],
"title": "Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40035",
"datePublished": "2025-10-28T11:48:17.030Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-10-29T13:19:36.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53593 (GCVE-0-2023-53593)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Release folio lock on fscache read hit.
Under the current code, when cifs_readpage_worker is called, the call
contract is that the callee should unlock the page. This is documented
in the read_folio section of Documentation/filesystems/vfs.rst as:
> The filesystem should unlock the folio once the read has completed,
> whether it was successful or not.
Without this change, when fscache is in use and cache hit occurs during
a read, the page lock is leaked, producing the following stack on
subsequent reads (via mmap) to the page:
$ cat /proc/3890/task/12864/stack
[<0>] folio_wait_bit_common+0x124/0x350
[<0>] filemap_read_folio+0xad/0xf0
[<0>] filemap_fault+0x8b1/0xab0
[<0>] __do_fault+0x39/0x150
[<0>] do_fault+0x25c/0x3e0
[<0>] __handle_mm_fault+0x6ca/0xc70
[<0>] handle_mm_fault+0xe9/0x350
[<0>] do_user_addr_fault+0x225/0x6c0
[<0>] exc_page_fault+0x84/0x1b0
[<0>] asm_exc_page_fault+0x27/0x30
This requires a reboot to resolve; it is a deadlock.
Note however that the call to cifs_readpage_from_fscache does mark the
page clean, but does not free the folio lock. This happens in
__cifs_readpage_from_fscache on success. Releasing the lock at that
point however is not appropriate as cifs_readahead also calls
cifs_readpage_from_fscache and *does* unconditionally release the lock
after its return. This change therefore effectively makes
cifs_readpage_worker work like cifs_readahead.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3ac8323f2f5b50e32681c254b8318f7fa2dc3f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5a87735675147f848445f05fd1f06168188f91af",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4259dd534245579c966c53c15187cc8e9461d6e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e74926ede96470be84e66a1c576982fe4f8ea79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "961f7ce16223aee2db583a43877d84e6d1f2b857",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e725386d4262ef23ae51993f04602bc535b5be2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a9fb689c1a1dc373887621a3bfa3810df0abde4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "69513dd669e243928f7450893190915a88f84a2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Release folio lock on fscache read hit.\n\nUnder the current code, when cifs_readpage_worker is called, the call\ncontract is that the callee should unlock the page. This is documented\nin the read_folio section of Documentation/filesystems/vfs.rst as:\n\n\u003e The filesystem should unlock the folio once the read has completed,\n\u003e whether it was successful or not.\n\nWithout this change, when fscache is in use and cache hit occurs during\na read, the page lock is leaked, producing the following stack on\nsubsequent reads (via mmap) to the page:\n\n$ cat /proc/3890/task/12864/stack\n[\u003c0\u003e] folio_wait_bit_common+0x124/0x350\n[\u003c0\u003e] filemap_read_folio+0xad/0xf0\n[\u003c0\u003e] filemap_fault+0x8b1/0xab0\n[\u003c0\u003e] __do_fault+0x39/0x150\n[\u003c0\u003e] do_fault+0x25c/0x3e0\n[\u003c0\u003e] __handle_mm_fault+0x6ca/0xc70\n[\u003c0\u003e] handle_mm_fault+0xe9/0x350\n[\u003c0\u003e] do_user_addr_fault+0x225/0x6c0\n[\u003c0\u003e] exc_page_fault+0x84/0x1b0\n[\u003c0\u003e] asm_exc_page_fault+0x27/0x30\n\nThis requires a reboot to resolve; it is a deadlock.\n\nNote however that the call to cifs_readpage_from_fscache does mark the\npage clean, but does not free the folio lock. This happens in\n__cifs_readpage_from_fscache on success. Releasing the lock at that\npoint however is not appropriate as cifs_readahead also calls\ncifs_readpage_from_fscache and *does* unconditionally release the lock\nafter its return. This change therefore effectively makes\ncifs_readpage_worker work like cifs_readahead."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:06.853Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3ac8323f2f5b50e32681c254b8318f7fa2dc3f4"
},
{
"url": "https://git.kernel.org/stable/c/5a87735675147f848445f05fd1f06168188f91af"
},
{
"url": "https://git.kernel.org/stable/c/4259dd534245579c966c53c15187cc8e9461d6e9"
},
{
"url": "https://git.kernel.org/stable/c/6e74926ede96470be84e66a1c576982fe4f8ea79"
},
{
"url": "https://git.kernel.org/stable/c/961f7ce16223aee2db583a43877d84e6d1f2b857"
},
{
"url": "https://git.kernel.org/stable/c/9e725386d4262ef23ae51993f04602bc535b5be2"
},
{
"url": "https://git.kernel.org/stable/c/7a9fb689c1a1dc373887621a3bfa3810df0abde4"
},
{
"url": "https://git.kernel.org/stable/c/69513dd669e243928f7450893190915a88f84a2b"
}
],
"title": "cifs: Release folio lock on fscache read hit.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53593",
"datePublished": "2025-10-04T15:44:06.853Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:06.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39965 (GCVE-0-2025-39965)
Vulnerability from cvelistv5
Published
2025-10-13 13:48
Modified
2025-10-13 13:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
x->id.spi == 0 means "no SPI assigned", but since commit
94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states
and add them to the byspi list with this value.
__xfrm_state_delete doesn't remove those states from the byspi list,
since they shouldn't be there, and this shows up as a UAF the next
time we go through the byspi list.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0baf92d0b1590b903c1f4ead75e61715e50e8146",
"status": "affected",
"version": "3d8090bb53424432fa788fe9a49e8ceca74f0544",
"versionType": "git"
},
{
"lessThan": "9fcedabaae0096f712bbb4ccca6a8538af1cd1c8",
"status": "affected",
"version": "2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38",
"versionType": "git"
},
{
"lessThan": "a78e55776522373c446f18d5002a8de4b09e6bf7",
"status": "affected",
"version": "29e9158f91f99057dbd35db5e8674d93b38549fe",
"versionType": "git"
},
{
"lessThan": "cd8ae32e4e4652db55bce6b9c79267d8946765a9",
"status": "affected",
"version": "94f39804d891cffe4ce17737d295f3b195bc7299",
"versionType": "git"
},
{
"status": "affected",
"version": "c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.109",
"status": "affected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThan": "6.12.50",
"status": "affected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThan": "6.16.10",
"status": "affected",
"version": "6.16.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: xfrm_alloc_spi shouldn\u0027t use 0 as SPI\n\nx-\u003eid.spi == 0 means \"no SPI assigned\", but since commit\n94f39804d891 (\"xfrm: Duplicate SPI Handling\"), we now create states\nand add them to the byspi list with this value.\n\n__xfrm_state_delete doesn\u0027t remove those states from the byspi list,\nsince they shouldn\u0027t be there, and this shows up as a UAF the next\ntime we go through the byspi list."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T13:48:31.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146"
},
{
"url": "https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8"
},
{
"url": "https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7"
},
{
"url": "https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9"
}
],
"title": "xfrm: xfrm_alloc_spi shouldn\u0027t use 0 as SPI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39965",
"datePublished": "2025-10-13T13:48:31.033Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-13T13:48:31.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53354 (GCVE-0-2023-53354)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
skbuff: skb_segment, Call zero copy functions before using skbuff frags
Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions
once per nskb") added the call to zero copy functions in skb_segment().
The change introduced a bug in skb_segment() because skb_orphan_frags()
may possibly change the number of fragments or allocate new fragments
altogether leaving nrfrags and frag to point to the old values. This can
cause a panic with stacktrace like the one below.
[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26
[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
[ 194.021892] Call Trace:
[ 194.027422] <TASK>
[ 194.072861] tcp_gso_segment+0x107/0x540
[ 194.082031] inet_gso_segment+0x15c/0x3d0
[ 194.090783] skb_mac_gso_segment+0x9f/0x110
[ 194.095016] __skb_gso_segment+0xc1/0x190
[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem]
[ 194.107071] dev_qdisc_enqueue+0x16/0x70
[ 194.110884] __dev_queue_xmit+0x63b/0xb30
[ 194.121670] bond_start_xmit+0x159/0x380 [bonding]
[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0
[ 194.131787] __dev_queue_xmit+0x8a0/0xb30
[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan]
[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0
[ 194.144622] sch_direct_xmit+0xe3/0x280
[ 194.147748] __dev_queue_xmit+0x54a/0xb30
[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap]
[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap]
[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net]
[ 194.176959] vhost_worker+0x76/0xb0 [vhost]
[ 194.183667] kthread+0x118/0x140
[ 194.190358] ret_from_fork+0x1f/0x30
[ 194.193670] </TASK>
In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
local variable in skb_segment() stale. This resulted in the code hitting
i >= nrfrags prematurely and trying to move to next frag_skb using
list_skb pointer, which was NULL, and caused kernel panic. Move the call
to zero copy functions before using frags and nr_frags.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 Version: bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcab3f661dbfd88e27ddbbe65368f3fa2d823175",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "d44403ec0676317b7f7edf2a035bb219fee3304e",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "8836c266201c29a5acb4f582227686f47b65ad61",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "d5790386595d06ea9decfd9ba5f1ea48cf09aa02",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "04c3eee4e13f60bf6f9a366ad39f88a01a57166e",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "f99006e840a4dbc8f5a34cecc6b5b26c73ef49bb",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "6c26ed3c6abe86ddab0510529000b970b05c9b40",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
},
{
"lessThan": "2ea35288c83b3d501a88bc17f2df8f176b5cc96f",
"status": "affected",
"version": "bf5c25d608613eaf4dcdba5a9cac5b2afe67d635",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: skb_segment, Call zero copy functions before using skbuff frags\n\nCommit bf5c25d60861 (\"skbuff: in skb_segment, call zerocopy functions\nonce per nskb\") added the call to zero copy functions in skb_segment().\nThe change introduced a bug in skb_segment() because skb_orphan_frags()\nmay possibly change the number of fragments or allocate new fragments\naltogether leaving nrfrags and frag to point to the old values. This can\ncause a panic with stacktrace like the one below.\n\n[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc\n[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26\n[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0\n[ 194.021892] Call Trace:\n[ 194.027422] \u003cTASK\u003e\n[ 194.072861] tcp_gso_segment+0x107/0x540\n[ 194.082031] inet_gso_segment+0x15c/0x3d0\n[ 194.090783] skb_mac_gso_segment+0x9f/0x110\n[ 194.095016] __skb_gso_segment+0xc1/0x190\n[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem]\n[ 194.107071] dev_qdisc_enqueue+0x16/0x70\n[ 194.110884] __dev_queue_xmit+0x63b/0xb30\n[ 194.121670] bond_start_xmit+0x159/0x380 [bonding]\n[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0\n[ 194.131787] __dev_queue_xmit+0x8a0/0xb30\n[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan]\n[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0\n[ 194.144622] sch_direct_xmit+0xe3/0x280\n[ 194.147748] __dev_queue_xmit+0x54a/0xb30\n[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap]\n[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap]\n[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]\n[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net]\n[ 194.176959] vhost_worker+0x76/0xb0 [vhost]\n[ 194.183667] kthread+0x118/0x140\n[ 194.190358] ret_from_fork+0x1f/0x30\n[ 194.193670] \u003c/TASK\u003e\n\nIn this case calling skb_orphan_frags() updated nr_frags leaving nrfrags\nlocal variable in skb_segment() stale. This resulted in the code hitting\ni \u003e= nrfrags prematurely and trying to move to next frag_skb using\nlist_skb pointer, which was NULL, and caused kernel panic. Move the call\nto zero copy functions before using frags and nr_frags."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:44.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcab3f661dbfd88e27ddbbe65368f3fa2d823175"
},
{
"url": "https://git.kernel.org/stable/c/d44403ec0676317b7f7edf2a035bb219fee3304e"
},
{
"url": "https://git.kernel.org/stable/c/8836c266201c29a5acb4f582227686f47b65ad61"
},
{
"url": "https://git.kernel.org/stable/c/d5790386595d06ea9decfd9ba5f1ea48cf09aa02"
},
{
"url": "https://git.kernel.org/stable/c/04c3eee4e13f60bf6f9a366ad39f88a01a57166e"
},
{
"url": "https://git.kernel.org/stable/c/f99006e840a4dbc8f5a34cecc6b5b26c73ef49bb"
},
{
"url": "https://git.kernel.org/stable/c/6c26ed3c6abe86ddab0510529000b970b05c9b40"
},
{
"url": "https://git.kernel.org/stable/c/2ea35288c83b3d501a88bc17f2df8f176b5cc96f"
}
],
"title": "skbuff: skb_segment, Call zero copy functions before using skbuff frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53354",
"datePublished": "2025-09-17T14:56:44.388Z",
"dateReserved": "2025-09-16T16:08:59.567Z",
"dateUpdated": "2025-09-17T14:56:44.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53395 (GCVE-0-2023-53395)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5
According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode.
When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed.
=============================================================
UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]'
CPU: 37 PID: 1678 Comm: cat Not tainted
6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k
HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace:
dump_backtrace+0xe0/0x130
show_stack+0x20/0x60
dump_stack_lvl+0x68/0x84
dump_stack+0x18/0x34
ubsan_epilogue+0x10/0x50
__ubsan_handle_out_of_bounds+0x80/0x90
acpi_ds_exec_end_op+0x1bc/0x6d8
acpi_ps_parse_loop+0x57c/0x618
acpi_ps_parse_aml+0x1e0/0x4b4
acpi_ps_execute_method+0x24c/0x2b8
acpi_ns_evaluate+0x3a8/0x4bc
acpi_evaluate_object+0x15c/0x37c
acpi_evaluate_integer+0x54/0x15c
show_power+0x8c/0x12c [acpi_power_meter]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/psopcode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f2a5905303ae230b5159fcd8cdcd5b3e7ad5e2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23c67fa615c52712bfa02a6dfadbd4656c87c066",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bf4463e40a17a23f2f261dfd7fe23129bdd04a4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "625c12dc04a607b79f180ef3ee5a12bf2e3324c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "430787056dd3c591eb553d5c3b2717efcf307d4e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1f686930ee4b059c7baa3c3904b2401829f2589",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b102113469487b460e9e77fe9e00d49c50fe8c86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/psopcode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer\n\nACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5\n\nAccording to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode.\n\nWhen ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed.\n\n=============================================================\nUBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type \u0027union acpi_operand_object *[9]\u0027\nCPU: 37 PID: 1678 Comm: cat Not tainted\n6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k\nHW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace:\n dump_backtrace+0xe0/0x130\n show_stack+0x20/0x60\n dump_stack_lvl+0x68/0x84\n dump_stack+0x18/0x34\n ubsan_epilogue+0x10/0x50\n __ubsan_handle_out_of_bounds+0x80/0x90\n acpi_ds_exec_end_op+0x1bc/0x6d8\n acpi_ps_parse_loop+0x57c/0x618\n acpi_ps_parse_aml+0x1e0/0x4b4\n acpi_ps_execute_method+0x24c/0x2b8\n acpi_ns_evaluate+0x3a8/0x4bc\n acpi_evaluate_object+0x15c/0x37c\n acpi_evaluate_integer+0x54/0x15c\n show_power+0x8c/0x12c [acpi_power_meter]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:36.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f2a5905303ae230b5159fcd8cdcd5b3e7ad5e2d"
},
{
"url": "https://git.kernel.org/stable/c/23c67fa615c52712bfa02a6dfadbd4656c87c066"
},
{
"url": "https://git.kernel.org/stable/c/3bf4463e40a17a23f2f261dfd7fe23129bdd04a4"
},
{
"url": "https://git.kernel.org/stable/c/625c12dc04a607b79f180ef3ee5a12bf2e3324c0"
},
{
"url": "https://git.kernel.org/stable/c/430787056dd3c591eb553d5c3b2717efcf307d4e"
},
{
"url": "https://git.kernel.org/stable/c/e1f686930ee4b059c7baa3c3904b2401829f2589"
},
{
"url": "https://git.kernel.org/stable/c/b102113469487b460e9e77fe9e00d49c50fe8c86"
},
{
"url": "https://git.kernel.org/stable/c/3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e"
}
],
"title": "ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53395",
"datePublished": "2025-09-18T13:33:36.624Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2025-09-18T13:33:36.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39991 (GCVE-0-2025-39991)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-15 07:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
If ab->fw.m3_data points to data, then fw pointer remains null.
Further, if m3_mem is not allocated, then fw is dereferenced to be
passed to ath11k_err function.
Replace fw->size by m3_len.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f52119809b76d43759fc47da1cf708690b740a1",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "888830b2cbc035838bebefe94502976da94332a5",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "500fcc31e488d798937a23dbb1f62db46820c5b2",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
},
{
"lessThan": "3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782",
"status": "affected",
"version": "7db88b962f06a52af5e9a32971012e8f3427cec0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()\n\nIf ab-\u003efw.m3_data points to data, then fw pointer remains null.\nFurther, if m3_mem is not allocated, then fw is dereferenced to be\npassed to ath11k_err function.\n\nReplace fw-\u003esize by m3_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:58:17.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f52119809b76d43759fc47da1cf708690b740a1"
},
{
"url": "https://git.kernel.org/stable/c/888830b2cbc035838bebefe94502976da94332a5"
},
{
"url": "https://git.kernel.org/stable/c/500fcc31e488d798937a23dbb1f62db46820c5b2"
},
{
"url": "https://git.kernel.org/stable/c/3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782"
}
],
"title": "wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39991",
"datePublished": "2025-10-15T07:58:17.257Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:58:17.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53425 (GCVE-0-2023-53425)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: platform: mediatek: vpu: fix NULL ptr dereference
If pdev is NULL, then it is still dereferenced.
This fixes this smatch warning:
drivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer 'pdev'
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vpu/mtk_vpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "099e929e7477f37ca16738fc158d7101c0189ca1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b3f25d3894a091abc247eadab266a2c9be64389",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c1c5826223ae05a48d21f6708c6f34ee9006238c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2caeb722f0ea5d2d24af30bb1753a89d449b6aa0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "776b34615a29551d69d82a0082e7319d5ea284bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b7bd48f0be84e24d21aa3a8f59a8a9cb8633a1c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d299e6e0ac3cf8ab4517dc29c9294bc4bf72398",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3df55cd773e8603b623425cc97b05e542854ad27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vpu/mtk_vpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: mediatek: vpu: fix NULL ptr dereference\n\nIf pdev is NULL, then it is still dereferenced.\n\nThis fixes this smatch warning:\n\ndrivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer \u0027pdev\u0027"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:07.335Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/099e929e7477f37ca16738fc158d7101c0189ca1"
},
{
"url": "https://git.kernel.org/stable/c/1b3f25d3894a091abc247eadab266a2c9be64389"
},
{
"url": "https://git.kernel.org/stable/c/c1c5826223ae05a48d21f6708c6f34ee9006238c"
},
{
"url": "https://git.kernel.org/stable/c/2caeb722f0ea5d2d24af30bb1753a89d449b6aa0"
},
{
"url": "https://git.kernel.org/stable/c/776b34615a29551d69d82a0082e7319d5ea284bd"
},
{
"url": "https://git.kernel.org/stable/c/b7bd48f0be84e24d21aa3a8f59a8a9cb8633a1c4"
},
{
"url": "https://git.kernel.org/stable/c/4d299e6e0ac3cf8ab4517dc29c9294bc4bf72398"
},
{
"url": "https://git.kernel.org/stable/c/3df55cd773e8603b623425cc97b05e542854ad27"
}
],
"title": "media: platform: mediatek: vpu: fix NULL ptr dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53425",
"datePublished": "2025-09-18T16:04:07.335Z",
"dateReserved": "2025-09-17T14:54:09.742Z",
"dateUpdated": "2025-09-18T16:04:07.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39742 (GCVE-0-2025-39742)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
The function divides number of online CPUs by num_core_siblings, and
later checks the divider by zero. This implies a possibility to get
and divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:57.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bba1a9994c523b44db64f63b564b4719ea2b7ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a7cf828ed861de5be1aff99e10f114b363c19d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d3211cb61a0773a2440d0a0698c1e6e7429f907",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b4317b0d758ff92ba96f4e448a8992a6fe607bf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89fdac333a17ed990b41565630ef4791782e02f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b05e91afe948ed819bf87d7ba0fccf451ed79a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "31d0599a23efdbfe579bfbd1eb8f8c942f13744d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ac53f377393cc85156afdc90b636e84e544a6f96",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n\nThe function divides number of online CPUs by num_core_siblings, and\nlater checks the divider by zero. This implies a possibility to get\nand divide-by-zero runtime error. Fix it by moving the check prior to\ndivision. This also helps to save one indentation level."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:29.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bba1a9994c523b44db64f63b564b4719ea2b7ef"
},
{
"url": "https://git.kernel.org/stable/c/1a7cf828ed861de5be1aff99e10f114b363c19d3"
},
{
"url": "https://git.kernel.org/stable/c/9d3211cb61a0773a2440d0a0698c1e6e7429f907"
},
{
"url": "https://git.kernel.org/stable/c/4b4317b0d758ff92ba96f4e448a8992a6fe607bf"
},
{
"url": "https://git.kernel.org/stable/c/89fdac333a17ed990b41565630ef4791782e02f5"
},
{
"url": "https://git.kernel.org/stable/c/9b05e91afe948ed819bf87d7ba0fccf451ed79a6"
},
{
"url": "https://git.kernel.org/stable/c/31d0599a23efdbfe579bfbd1eb8f8c942f13744d"
},
{
"url": "https://git.kernel.org/stable/c/ac53f377393cc85156afdc90b636e84e544a6f96"
},
{
"url": "https://git.kernel.org/stable/c/59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a"
}
],
"title": "RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39742",
"datePublished": "2025-09-11T16:52:16.339Z",
"dateReserved": "2025-04-16T07:20:57.120Z",
"dateUpdated": "2025-11-03T17:42:57.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53731 (GCVE-0-2023-53731)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: fix potential deadlock in netlink_set_err()
syzbot reported a possible deadlock in netlink_set_err() [1]
A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs
for netlink_lock_table()") in netlink_lock_table()
This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()
which were not covered by cited commit.
[1]
WARNING: possible irq lock inversion dependency detected
6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted
syz-executor.2/23011 just changed the state of lock:
ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612
but this lock was taken by another, SOFTIRQ-safe lock in the past:
(&local->queue_stop_reason_lock){..-.}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(nl_table_lock);
local_irq_disable();
lock(&local->queue_stop_reason_lock);
lock(nl_table_lock);
<Interrupt>
lock(&local->queue_stop_reason_lock);
*** DEADLOCK ***
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 82b2ea5f904b3826934df4a00f3b8806272185f6 Version: 59fba11d649854134c75ad88c8adafa9304ac419 Version: 21df0c2e7d195de4a3c650de9361b3037fa6c59a Version: 1d6d43d4805da9b3fa0f5841e8b1083c89868f35 Version: 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d Version: 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d Version: 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d Version: 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d Version: 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d Version: 5f155c4046200f067b1dc3140ea99ef56e4e0b74 Version: a8e9111a8625dd11e70edd61f7a1ccd26c041442 Version: 76cc8e04f38c2bbfcba07f62864a011f142bd40c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c09e8e3f7fd432984bf5422302b093d2371dfc48",
"status": "affected",
"version": "82b2ea5f904b3826934df4a00f3b8806272185f6",
"versionType": "git"
},
{
"lessThan": "4b9adb8d4a62ff7608d4a7d4eb42036a88f30980",
"status": "affected",
"version": "59fba11d649854134c75ad88c8adafa9304ac419",
"versionType": "git"
},
{
"lessThan": "8f6652ed2ad98fe6d13b903483d9257762ab2ec6",
"status": "affected",
"version": "21df0c2e7d195de4a3c650de9361b3037fa6c59a",
"versionType": "git"
},
{
"lessThan": "cde7b90e0539a3b11da377e463dfd2288a162dbf",
"status": "affected",
"version": "1d6d43d4805da9b3fa0f5841e8b1083c89868f35",
"versionType": "git"
},
{
"lessThan": "a641240b7e071c5538dc0e7894ece833fce459dd",
"status": "affected",
"version": "1d482e666b8e74c7555dbdfbfb77205eeed3ff2d",
"versionType": "git"
},
{
"lessThan": "61ffe8b1ee084e5c82a4e4bbf9e7b68e0c06e464",
"status": "affected",
"version": "1d482e666b8e74c7555dbdfbfb77205eeed3ff2d",
"versionType": "git"
},
{
"lessThan": "eb8e27c8fa9397b4a7b181c48fa58157dbe9902e",
"status": "affected",
"version": "1d482e666b8e74c7555dbdfbfb77205eeed3ff2d",
"versionType": "git"
},
{
"lessThan": "1556ba034b95cfd4f75ea93c1a2679ae0444bba1",
"status": "affected",
"version": "1d482e666b8e74c7555dbdfbfb77205eeed3ff2d",
"versionType": "git"
},
{
"lessThan": "8d61f926d42045961e6b65191c09e3678d86a9cf",
"status": "affected",
"version": "1d482e666b8e74c7555dbdfbfb77205eeed3ff2d",
"versionType": "git"
},
{
"status": "affected",
"version": "5f155c4046200f067b1dc3140ea99ef56e4e0b74",
"versionType": "git"
},
{
"status": "affected",
"version": "a8e9111a8625dd11e70edd61f7a1ccd26c041442",
"versionType": "git"
},
{
"status": "affected",
"version": "76cc8e04f38c2bbfcba07f62864a011f142bd40c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.14.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.273",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.273",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: fix potential deadlock in netlink_set_err()\n\nsyzbot reported a possible deadlock in netlink_set_err() [1]\n\nA similar issue was fixed in commit 1d482e666b8e (\"netlink: disable IRQs\nfor netlink_lock_table()\") in netlink_lock_table()\n\nThis patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()\nwhich were not covered by cited commit.\n\n[1]\n\nWARNING: possible irq lock inversion dependency detected\n6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted\n\nsyz-executor.2/23011 just changed the state of lock:\nffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612\nbut this lock was taken by another, SOFTIRQ-safe lock in the past:\n (\u0026local-\u003equeue_stop_reason_lock){..-.}-{2:2}\n\nand interrupts could create inverse lock ordering between them.\n\nother info that might help us debug this:\n Possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nl_table_lock);\n local_irq_disable();\n lock(\u0026local-\u003equeue_stop_reason_lock);\n lock(nl_table_lock);\n \u003cInterrupt\u003e\n lock(\u0026local-\u003equeue_stop_reason_lock);\n\n *** DEADLOCK ***"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:59.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c09e8e3f7fd432984bf5422302b093d2371dfc48"
},
{
"url": "https://git.kernel.org/stable/c/4b9adb8d4a62ff7608d4a7d4eb42036a88f30980"
},
{
"url": "https://git.kernel.org/stable/c/8f6652ed2ad98fe6d13b903483d9257762ab2ec6"
},
{
"url": "https://git.kernel.org/stable/c/cde7b90e0539a3b11da377e463dfd2288a162dbf"
},
{
"url": "https://git.kernel.org/stable/c/a641240b7e071c5538dc0e7894ece833fce459dd"
},
{
"url": "https://git.kernel.org/stable/c/61ffe8b1ee084e5c82a4e4bbf9e7b68e0c06e464"
},
{
"url": "https://git.kernel.org/stable/c/eb8e27c8fa9397b4a7b181c48fa58157dbe9902e"
},
{
"url": "https://git.kernel.org/stable/c/1556ba034b95cfd4f75ea93c1a2679ae0444bba1"
},
{
"url": "https://git.kernel.org/stable/c/8d61f926d42045961e6b65191c09e3678d86a9cf"
}
],
"title": "netlink: fix potential deadlock in netlink_set_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53731",
"datePublished": "2025-10-22T13:23:59.055Z",
"dateReserved": "2025-10-22T13:21:37.349Z",
"dateUpdated": "2025-10-22T13:23:59.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39783 (GCVE-0-2025-39783)
Vulnerability from cvelistv5
Published
2025-09-11 16:56
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix configfs group list head handling
Doing a list_del() on the epf_group field of struct pci_epf_driver in
pci_epf_remove_cfs() is not correct as this field is a list head, not
a list entry. This list_del() call triggers a KASAN warning when an
endpoint function driver which has a configfs attribute group is torn
down:
==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
show_stack+0x2c/0x84 (C)
dump_stack_lvl+0x70/0x98
print_report+0x17c/0x538
kasan_report+0xb8/0x190
__asan_report_store8_noabort+0x20/0x2c
pci_epf_remove_cfs+0x17c/0x198
pci_epf_unregister_driver+0x18/0x30
nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
__arm64_sys_delete_module+0x264/0x424
invoke_syscall+0x70/0x260
el0_svc_common.constprop.0+0xac/0x230
do_el0_svc+0x40/0x58
el0_svc+0x48/0xdc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 Version: ef1433f717a2c63747a519d86965d73ff9bd08b3 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:19.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/pci-epf-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80ea6e6904fb2ba4ccb5d909579988466ec65358",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "d5aecddc3452371d9da82cdbb0c715812524b54b",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "dc4ffbd571716ff3b171418fb03abe80e720a7b1",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "0758862386f114d9ab1e23181461bd1e2e9ec4c6",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "6cf65505523224cab1449d726d2ce8180c2941ee",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "a302bd89db35d8b7e279de4d2b41c16c7f191069",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
},
{
"lessThan": "d79123d79a8154b4318529b7b2ff7e15806f480b",
"status": "affected",
"version": "ef1433f717a2c63747a519d86965d73ff9bd08b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/pci-epf-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix configfs group list head handling\n\nDoing a list_del() on the epf_group field of struct pci_epf_driver in\npci_epf_remove_cfs() is not correct as this field is a list head, not\na list entry. This list_del() call triggers a KASAN warning when an\nendpoint function driver which has a configfs attribute group is torn\ndown:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198\nWrite of size 8 at addr ffff00010f4a0d80 by task rmmod/319\n\nCPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE\nHardware name: Radxa ROCK 5B (DT)\nCall trace:\nshow_stack+0x2c/0x84 (C)\ndump_stack_lvl+0x70/0x98\nprint_report+0x17c/0x538\nkasan_report+0xb8/0x190\n__asan_report_store8_noabort+0x20/0x2c\npci_epf_remove_cfs+0x17c/0x198\npci_epf_unregister_driver+0x18/0x30\nnvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]\n__arm64_sys_delete_module+0x264/0x424\ninvoke_syscall+0x70/0x260\nel0_svc_common.constprop.0+0xac/0x230\ndo_el0_svc+0x40/0x58\nel0_svc+0x48/0xdc\nel0t_64_sync_handler+0x10c/0x138\nel0t_64_sync+0x198/0x19c\n...\n\nRemove this incorrect list_del() call from pci_epf_remove_cfs()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:19.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80ea6e6904fb2ba4ccb5d909579988466ec65358"
},
{
"url": "https://git.kernel.org/stable/c/d5aecddc3452371d9da82cdbb0c715812524b54b"
},
{
"url": "https://git.kernel.org/stable/c/dc4ffbd571716ff3b171418fb03abe80e720a7b1"
},
{
"url": "https://git.kernel.org/stable/c/409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2"
},
{
"url": "https://git.kernel.org/stable/c/0758862386f114d9ab1e23181461bd1e2e9ec4c6"
},
{
"url": "https://git.kernel.org/stable/c/6cf65505523224cab1449d726d2ce8180c2941ee"
},
{
"url": "https://git.kernel.org/stable/c/a302bd89db35d8b7e279de4d2b41c16c7f191069"
},
{
"url": "https://git.kernel.org/stable/c/d79123d79a8154b4318529b7b2ff7e15806f480b"
}
],
"title": "PCI: endpoint: Fix configfs group list head handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39783",
"datePublished": "2025-09-11T16:56:33.376Z",
"dateReserved": "2025-04-16T07:20:57.130Z",
"dateUpdated": "2025-11-03T17:43:19.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39982 (GCVE-0-2025-39982)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
This fixes the following UFA in hci_acl_create_conn_sync where a
connection still pending is command submission (conn->state == BT_OPEN)
maybe freed, also since this also can happen with the likes of
hci_le_create_conn_sync fix it as well:
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541
CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci3 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 123736:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]
hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634
pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 103680:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6243bda271a628c48875e3e473206e7f584892ce",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "bcce99f613163a43de24674b717e7a6c135fc879",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "484c7d571a3d1b3fd298fa691b660438c4548a53",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
},
{
"lessThan": "9e622804d57e2d08f0271200606bd1270f75126f",
"status": "affected",
"version": "aef2aa4fa98e18ea5d9345bf777ee698c8598728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync\n\nThis fixes the following UFA in hci_acl_create_conn_sync where a\nconnection still pending is command submission (conn-\u003estate == BT_OPEN)\nmaybe freed, also since this also can happen with the likes of\nhci_le_create_conn_sync fix it as well:\n\nBUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nWrite of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541\n\nCPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci3 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 123736:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]\n hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634\n pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x54b/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 103680:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:02.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6243bda271a628c48875e3e473206e7f584892ce"
},
{
"url": "https://git.kernel.org/stable/c/bcce99f613163a43de24674b717e7a6c135fc879"
},
{
"url": "https://git.kernel.org/stable/c/484c7d571a3d1b3fd298fa691b660438c4548a53"
},
{
"url": "https://git.kernel.org/stable/c/a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08"
},
{
"url": "https://git.kernel.org/stable/c/9e622804d57e2d08f0271200606bd1270f75126f"
}
],
"title": "Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39982",
"datePublished": "2025-10-15T07:56:02.024Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:02.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53647 (GCVE-0-2023-53647)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Don't dereference ACPI root object handle
Since the commit referenced in the Fixes: tag below the VMBus client driver
is walking the ACPI namespace up from the VMBus ACPI device to the ACPI
namespace root object trying to find Hyper-V MMIO ranges.
However, if it is not able to find them it ends trying to walk resources of
the ACPI namespace root object itself.
This object has all-ones handle, which causes a NULL pointer dereference
in the ACPI code (from dereferencing this pointer with an offset).
This in turn causes an oops on boot with VMBus host implementations that do
not provide Hyper-V MMIO ranges in their VMBus ACPI device or its
ancestors.
The QEMU VMBus implementation is an example of such implementation.
I guess providing these ranges is optional, since all tested Windows
versions seem to be able to use VMBus devices without them.
Fix this by explicitly terminating the lookup at the ACPI namespace root
object.
Note that Linux guests under KVM/QEMU do not use the Hyper-V PV interface
by default - they only do so if the KVM PV interface is missing or
disabled.
Example stack trace of such oops:
[ 3.710827] ? __die+0x1f/0x60
[ 3.715030] ? page_fault_oops+0x159/0x460
[ 3.716008] ? exc_page_fault+0x73/0x170
[ 3.716959] ? asm_exc_page_fault+0x22/0x30
[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0
[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0
[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0
[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200
[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0
[ 3.723559] ? down_timeout+0x3a/0x60
[ 3.724455] ? acpi_ns_get_node+0x3a/0x60
[ 3.725412] acpi_ns_get_node+0x3a/0x60
[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0
[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0
[ 3.728400] acpi_rs_get_method_data+0x2b/0x70
[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]
[ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]
[ 3.732411] acpi_walk_resources+0x78/0xd0
[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]
[ 3.734802] platform_probe+0x3d/0x90
[ 3.735684] really_probe+0x19b/0x400
[ 3.736570] ? __device_attach_driver+0x100/0x100
[ 3.737697] __driver_probe_device+0x78/0x160
[ 3.738746] driver_probe_device+0x1f/0x90
[ 3.739743] __driver_attach+0xc2/0x1b0
[ 3.740671] bus_for_each_dev+0x70/0xc0
[ 3.741601] bus_add_driver+0x10e/0x210
[ 3.742527] driver_register+0x55/0xf0
[ 3.744412] ? 0xffffffffc039a000
[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96db43aced395844a7abc9a0a5cc702513e3534a",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "9fc162c59edc841032a3553eb2334320abab0784",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "64f09d45e94547fbf219f36d1d02ac42742c028c",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
},
{
"lessThan": "78e04bbff849b51b56f5925b1945db2c6e128b61",
"status": "affected",
"version": "7f163a6fd957a85f7f66a129db1ad243a44399ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don\u0027t dereference ACPI root object handle\n\nSince the commit referenced in the Fixes: tag below the VMBus client driver\nis walking the ACPI namespace up from the VMBus ACPI device to the ACPI\nnamespace root object trying to find Hyper-V MMIO ranges.\n\nHowever, if it is not able to find them it ends trying to walk resources of\nthe ACPI namespace root object itself.\nThis object has all-ones handle, which causes a NULL pointer dereference\nin the ACPI code (from dereferencing this pointer with an offset).\n\nThis in turn causes an oops on boot with VMBus host implementations that do\nnot provide Hyper-V MMIO ranges in their VMBus ACPI device or its\nancestors.\nThe QEMU VMBus implementation is an example of such implementation.\n\nI guess providing these ranges is optional, since all tested Windows\nversions seem to be able to use VMBus devices without them.\n\nFix this by explicitly terminating the lookup at the ACPI namespace root\nobject.\n\nNote that Linux guests under KVM/QEMU do not use the Hyper-V PV interface\nby default - they only do so if the KVM PV interface is missing or\ndisabled.\n\nExample stack trace of such oops:\n[ 3.710827] ? __die+0x1f/0x60\n[ 3.715030] ? page_fault_oops+0x159/0x460\n[ 3.716008] ? exc_page_fault+0x73/0x170\n[ 3.716959] ? asm_exc_page_fault+0x22/0x30\n[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0\n[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0\n[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0\n[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200\n[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0\n[ 3.723559] ? down_timeout+0x3a/0x60\n[ 3.724455] ? acpi_ns_get_node+0x3a/0x60\n[ 3.725412] acpi_ns_get_node+0x3a/0x60\n[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0\n[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0\n[ 3.728400] acpi_rs_get_method_data+0x2b/0x70\n[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.732411] acpi_walk_resources+0x78/0xd0\n[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]\n[ 3.734802] platform_probe+0x3d/0x90\n[ 3.735684] really_probe+0x19b/0x400\n[ 3.736570] ? __device_attach_driver+0x100/0x100\n[ 3.737697] __driver_probe_device+0x78/0x160\n[ 3.738746] driver_probe_device+0x1f/0x90\n[ 3.739743] __driver_attach+0xc2/0x1b0\n[ 3.740671] bus_for_each_dev+0x70/0xc0\n[ 3.741601] bus_add_driver+0x10e/0x210\n[ 3.742527] driver_register+0x55/0xf0\n[ 3.744412] ? 0xffffffffc039a000\n[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:45.083Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96db43aced395844a7abc9a0a5cc702513e3534a"
},
{
"url": "https://git.kernel.org/stable/c/9fc162c59edc841032a3553eb2334320abab0784"
},
{
"url": "https://git.kernel.org/stable/c/64f09d45e94547fbf219f36d1d02ac42742c028c"
},
{
"url": "https://git.kernel.org/stable/c/78e04bbff849b51b56f5925b1945db2c6e128b61"
}
],
"title": "Drivers: hv: vmbus: Don\u0027t dereference ACPI root object handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53647",
"datePublished": "2025-10-07T15:19:45.083Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:45.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39986 (GCVE-0-2025-39986)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, sun4ican_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on this line:
dlc = cf->len;
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs a
couple line below when doing:
for (i = 0; i < dlc; i++)
writel(cf->data[i], priv->base + (dreg + i * 4));
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "063539db42203b29d5aa2adf0cae3d68c646a6b6",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "4f382cc887adca8478b9d3e6b81aa6698a95fff4",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "60463a1c138900494cb3adae41142a11cd8feb3c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "a61ff7ac93270d20ca426c027d6d01c8ac8e904c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "2e423e1990f3972cbea779883fef52c2f2acb858",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "de77841652e57afbc46e9e1dbf51ee364fc008e1",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "7f7b21026a6febdb749f6f6f950427245aa86cce",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "61da0bd4102c459823fbe6b8b43b01fb6ace4a22",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, sun4ican_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on this line:\n\n\tdlc = cf-\u003elen;\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs a\ncouple line below when doing:\n\n\tfor (i = 0; i \u003c dlc; i++)\n\t\twritel(cf-\u003edata[i], priv-\u003ebase + (dreg + i * 4));\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/063539db42203b29d5aa2adf0cae3d68c646a6b6"
},
{
"url": "https://git.kernel.org/stable/c/4f382cc887adca8478b9d3e6b81aa6698a95fff4"
},
{
"url": "https://git.kernel.org/stable/c/60463a1c138900494cb3adae41142a11cd8feb3c"
},
{
"url": "https://git.kernel.org/stable/c/a61ff7ac93270d20ca426c027d6d01c8ac8e904c"
},
{
"url": "https://git.kernel.org/stable/c/2e423e1990f3972cbea779883fef52c2f2acb858"
},
{
"url": "https://git.kernel.org/stable/c/de77841652e57afbc46e9e1dbf51ee364fc008e1"
},
{
"url": "https://git.kernel.org/stable/c/7f7b21026a6febdb749f6f6f950427245aa86cce"
},
{
"url": "https://git.kernel.org/stable/c/61da0bd4102c459823fbe6b8b43b01fb6ace4a22"
}
],
"title": "can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39986",
"datePublished": "2025-10-15T07:56:05.143Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53331 (GCVE-0-2023-53331)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: Check start of empty przs during init
After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as
valid"), initialization would assume a prz was valid after seeing that
the buffer_size is zero (regardless of the buffer start position). This
unchecked start value means it could be outside the bounds of the buffer,
leading to future access panics when written to:
sysdump_panic_event+0x3b4/0x5b8
atomic_notifier_call_chain+0x54/0x90
panic+0x1c8/0x42c
die+0x29c/0x2a8
die_kernel_fault+0x68/0x78
__do_kernel_fault+0x1c4/0x1e0
do_bad_area+0x40/0x100
do_translation_fault+0x68/0x80
do_mem_abort+0x68/0xf8
el1_da+0x1c/0xc0
__raw_writeb+0x38/0x174
__memcpy_toio+0x40/0xac
persistent_ram_update+0x44/0x12c
persistent_ram_write+0x1a8/0x1b8
ramoops_pstore_write+0x198/0x1e8
pstore_console_write+0x94/0xe0
...
To avoid this, also check if the prz start is 0 during the initialization
phase. If not, the next prz sanity check case will discover it (start >
size) and zap the buffer back to a sane state.
[kees: update commit log with backtrace and clarifications]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e1e3a46706bd4037e8b7407dc660ae6e05b8ac56 Version: 265242d82a3c6a8bd9120d06b4801f8d7ae9a346 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: 30696378f68a9e3dad6bfe55938b112e72af00c2 Version: ec7f99261da9a20d63cbd273511a11a2efe698f2 Version: f250e4c562a3bd106575032666e9ef46f31231f8 Version: fffdbf586866e9500b53c9d4b061d3983720375a Version: 9e969ba431b46b1891c88cea36f722f3bfe8a180 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89312657337e6e03ad6e9ea1a462bd9c158c85c8",
"status": "affected",
"version": "e1e3a46706bd4037e8b7407dc660ae6e05b8ac56",
"versionType": "git"
},
{
"lessThan": "c807ccdd812d18985860504b503899f3140a9549",
"status": "affected",
"version": "265242d82a3c6a8bd9120d06b4801f8d7ae9a346",
"versionType": "git"
},
{
"lessThan": "e972231db29b5d1dccc13bf9d5ba55b6979a69ed",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "dc2f60de9a7d3efd982440117dab5579898d808c",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "fedecaeef88899d940b69368c996e8b3b0b8650d",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "e95d7a8a6edd14f8fab44c777dd7281db91f6ae2",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "f77990358628b01bdc03752126ff5f716ea37615",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "25fb4e3402d46f425ec135ef6f09792a4c1b3003",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"lessThan": "fe8c3623ab06603eb760444a032d426542212021",
"status": "affected",
"version": "30696378f68a9e3dad6bfe55938b112e72af00c2",
"versionType": "git"
},
{
"status": "affected",
"version": "ec7f99261da9a20d63cbd273511a11a2efe698f2",
"versionType": "git"
},
{
"status": "affected",
"version": "f250e4c562a3bd106575032666e9ef46f31231f8",
"versionType": "git"
},
{
"status": "affected",
"version": "fffdbf586866e9500b53c9d4b061d3983720375a",
"versionType": "git"
},
{
"status": "affected",
"version": "9e969ba431b46b1891c88cea36f722f3bfe8a180",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Check start of empty przs during init\n\nAfter commit 30696378f68a (\"pstore/ram: Do not treat empty buffers as\nvalid\"), initialization would assume a prz was valid after seeing that\nthe buffer_size is zero (regardless of the buffer start position). This\nunchecked start value means it could be outside the bounds of the buffer,\nleading to future access panics when written to:\n\n sysdump_panic_event+0x3b4/0x5b8\n atomic_notifier_call_chain+0x54/0x90\n panic+0x1c8/0x42c\n die+0x29c/0x2a8\n die_kernel_fault+0x68/0x78\n __do_kernel_fault+0x1c4/0x1e0\n do_bad_area+0x40/0x100\n do_translation_fault+0x68/0x80\n do_mem_abort+0x68/0xf8\n el1_da+0x1c/0xc0\n __raw_writeb+0x38/0x174\n __memcpy_toio+0x40/0xac\n persistent_ram_update+0x44/0x12c\n persistent_ram_write+0x1a8/0x1b8\n ramoops_pstore_write+0x198/0x1e8\n pstore_console_write+0x94/0xe0\n ...\n\nTo avoid this, also check if the prz start is 0 during the initialization\nphase. If not, the next prz sanity check case will discover it (start \u003e\nsize) and zap the buffer back to a sane state.\n\n[kees: update commit log with backtrace and clarifications]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:12:06.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89312657337e6e03ad6e9ea1a462bd9c158c85c8"
},
{
"url": "https://git.kernel.org/stable/c/c807ccdd812d18985860504b503899f3140a9549"
},
{
"url": "https://git.kernel.org/stable/c/e972231db29b5d1dccc13bf9d5ba55b6979a69ed"
},
{
"url": "https://git.kernel.org/stable/c/dc2f60de9a7d3efd982440117dab5579898d808c"
},
{
"url": "https://git.kernel.org/stable/c/fedecaeef88899d940b69368c996e8b3b0b8650d"
},
{
"url": "https://git.kernel.org/stable/c/e95d7a8a6edd14f8fab44c777dd7281db91f6ae2"
},
{
"url": "https://git.kernel.org/stable/c/f77990358628b01bdc03752126ff5f716ea37615"
},
{
"url": "https://git.kernel.org/stable/c/25fb4e3402d46f425ec135ef6f09792a4c1b3003"
},
{
"url": "https://git.kernel.org/stable/c/fe8c3623ab06603eb760444a032d426542212021"
}
],
"title": "pstore/ram: Check start of empty przs during init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53331",
"datePublished": "2025-09-16T16:12:06.788Z",
"dateReserved": "2025-09-16T16:08:59.564Z",
"dateUpdated": "2025-09-16T16:12:06.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38653 (GCVE-0-2025-38653)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-11-03 17:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al
Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario.
It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in
proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same
manner.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 Version: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:46.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c",
"fs/proc/inode.c",
"fs/proc/internal.h",
"include/linux/proc_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c35b0feb80b48720dfbbf4e33759c7be3faaebb6",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
},
{
"lessThan": "33c778ea0bd0fa62ff590497e72562ff90f82b13",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
},
{
"lessThan": "fc1072d934f687e1221d685cf1a49a5068318f34",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
},
{
"lessThan": "d136502e04d8853a9aecb335d07bbefd7a1519a8",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
},
{
"lessThan": "1fccbfbae1dd36198dc47feac696563244ad81d3",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
},
{
"lessThan": "ff7ec8dc1b646296f8d94c39339e8d3833d16c05",
"status": "affected",
"version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c",
"fs/proc/inode.c",
"fs/proc/internal.h",
"include/linux/proc_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al\n\nCheck pde-\u003eproc_ops-\u003eproc_lseek directly may cause UAF in rmmod scenario. \nIt\u0027s a gap in proc_reg_open() after commit 654b33ada4ab(\"proc: fix UAF in\nproc_get_inode()\"). Followed by AI Viro\u0027s suggestion, fix it in same\nmanner."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:34.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c35b0feb80b48720dfbbf4e33759c7be3faaebb6"
},
{
"url": "https://git.kernel.org/stable/c/33c778ea0bd0fa62ff590497e72562ff90f82b13"
},
{
"url": "https://git.kernel.org/stable/c/fc1072d934f687e1221d685cf1a49a5068318f34"
},
{
"url": "https://git.kernel.org/stable/c/d136502e04d8853a9aecb335d07bbefd7a1519a8"
},
{
"url": "https://git.kernel.org/stable/c/1fccbfbae1dd36198dc47feac696563244ad81d3"
},
{
"url": "https://git.kernel.org/stable/c/ff7ec8dc1b646296f8d94c39339e8d3833d16c05"
}
],
"title": "proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38653",
"datePublished": "2025-08-22T16:00:57.413Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-11-03T17:40:46.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50556 (GCVE-0-2022-50556)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Fix potential null-ptr-deref due to drmm_mode_config_init()
drmm_mode_config_init() will call drm_mode_create_standard_properties()
and won't check the ret value. When drm_mode_create_standard_properties()
failed due to alloc, property will be a NULL pointer and may causes the
null-ptr-deref. Fix the null-ptr-deref by adding the ret value check.
Found null-ptr-deref while testing insert module bochs:
general protection fault, probably for non-canonical address
0xdffffc000000000c: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 3 PID: 249 Comm: modprobe Not tainted 6.1.0-rc1+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:drm_object_attach_property+0x73/0x3c0 [drm]
Call Trace:
<TASK>
__drm_connector_init+0xb6c/0x1100 [drm]
bochs_pci_probe.cold.11+0x4cb/0x7fe [bochs]
pci_device_probe+0x17d/0x340
really_probe+0x1db/0x5d0
__driver_probe_device+0x1e7/0x250
driver_probe_device+0x4a/0x120
__driver_attach+0xcd/0x2c0
bus_for_each_dev+0x11a/0x1b0
bus_add_driver+0x3d7/0x500
driver_register+0x18e/0x320
do_one_initcall+0xc4/0x3e0
do_init_module+0x1b4/0x630
load_module+0x5dca/0x7230
__do_sys_finit_module+0x100/0x170
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff65af9f839
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_mode_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ae70041a6d7de62a0cdb2bbcfe0c9cf753035d0",
"status": "affected",
"version": "6b4959f43a04e12d39c5700607727f2cbcfeac31",
"versionType": "git"
},
{
"lessThan": "d06e827a65a6bcd2e329045d891d0739cec1cf4a",
"status": "affected",
"version": "6b4959f43a04e12d39c5700607727f2cbcfeac31",
"versionType": "git"
},
{
"lessThan": "b14147464251f66e38fa39f0aae9780466db8610",
"status": "affected",
"version": "6b4959f43a04e12d39c5700607727f2cbcfeac31",
"versionType": "git"
},
{
"lessThan": "961620ad67611a7320a49f4b6f3c5e2906833a03",
"status": "affected",
"version": "6b4959f43a04e12d39c5700607727f2cbcfeac31",
"versionType": "git"
},
{
"lessThan": "834c23e4f798dcdc8af251b3c428ceef94741991",
"status": "affected",
"version": "6b4959f43a04e12d39c5700607727f2cbcfeac31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_mode_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix potential null-ptr-deref due to drmm_mode_config_init()\n\ndrmm_mode_config_init() will call drm_mode_create_standard_properties()\nand won\u0027t check the ret value. When drm_mode_create_standard_properties()\nfailed due to alloc, property will be a NULL pointer and may causes the\nnull-ptr-deref. Fix the null-ptr-deref by adding the ret value check.\n\nFound null-ptr-deref while testing insert module bochs:\ngeneral protection fault, probably for non-canonical address\n 0xdffffc000000000c: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]\nCPU: 3 PID: 249 Comm: modprobe Not tainted 6.1.0-rc1+ #364\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:drm_object_attach_property+0x73/0x3c0 [drm]\nCall Trace:\n \u003cTASK\u003e\n __drm_connector_init+0xb6c/0x1100 [drm]\n bochs_pci_probe.cold.11+0x4cb/0x7fe [bochs]\n pci_device_probe+0x17d/0x340\n really_probe+0x1db/0x5d0\n __driver_probe_device+0x1e7/0x250\n driver_probe_device+0x4a/0x120\n __driver_attach+0xcd/0x2c0\n bus_for_each_dev+0x11a/0x1b0\n bus_add_driver+0x3d7/0x500\n driver_register+0x18e/0x320\n do_one_initcall+0xc4/0x3e0\n do_init_module+0x1b4/0x630\n load_module+0x5dca/0x7230\n __do_sys_finit_module+0x100/0x170\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ff65af9f839"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:17.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ae70041a6d7de62a0cdb2bbcfe0c9cf753035d0"
},
{
"url": "https://git.kernel.org/stable/c/d06e827a65a6bcd2e329045d891d0739cec1cf4a"
},
{
"url": "https://git.kernel.org/stable/c/b14147464251f66e38fa39f0aae9780466db8610"
},
{
"url": "https://git.kernel.org/stable/c/961620ad67611a7320a49f4b6f3c5e2906833a03"
},
{
"url": "https://git.kernel.org/stable/c/834c23e4f798dcdc8af251b3c428ceef94741991"
}
],
"title": "drm: Fix potential null-ptr-deref due to drmm_mode_config_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50556",
"datePublished": "2025-10-22T13:23:17.527Z",
"dateReserved": "2025-10-22T13:20:23.758Z",
"dateUpdated": "2025-10-22T13:23:17.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39969 (GCVE-0-2025-39969)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix validation of VF state in get resources
VF state I40E_VF_STATE_ACTIVE is not the only state in which
VF is actually active so it should not be used to determine
if a VF is allowed to obtain resources.
Use I40E_VF_STATE_RESOURCES_LOADED that is set only in
i40e_vc_get_vf_resources_msg() and cleared during reset.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 171527da84149c2c7aa6a60a64b09d24f3546298 Version: eb87117c27e729b0aeef4d72ed40d6a1761b0f68 Version: 2132643b956f553f5abddc9bae20dae267b082e0 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "185745d56ec958bf8aa773828213237dfcc32f5a",
"status": "affected",
"version": "171527da84149c2c7aa6a60a64b09d24f3546298",
"versionType": "git"
},
{
"lessThan": "f47876788a23de296c42ef9d505b5c1630f0b4b8",
"status": "affected",
"version": "eb87117c27e729b0aeef4d72ed40d6a1761b0f68",
"versionType": "git"
},
{
"lessThan": "8e35c80f8570426fe0f0cc92b151ebd835975f22",
"status": "affected",
"version": "2132643b956f553f5abddc9bae20dae267b082e0",
"versionType": "git"
},
{
"lessThan": "6c3981fd59ef11a75005ac9978f034da5a168b6a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "e748f1ee493f88e38b77363a60499f979d42c58a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "a991dc56d3e9a2c3db87d0c3f03c24f6595400f1",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "877b7e6ffc23766448236e8732254534c518ba42",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix validation of VF state in get resources\n\nVF state I40E_VF_STATE_ACTIVE is not the only state in which\nVF is actually active so it should not be used to determine\nif a VF is allowed to obtain resources.\n\nUse I40E_VF_STATE_RESOURCES_LOADED that is set only in\ni40e_vc_get_vf_resources_msg() and cleared during reset."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/185745d56ec958bf8aa773828213237dfcc32f5a"
},
{
"url": "https://git.kernel.org/stable/c/f47876788a23de296c42ef9d505b5c1630f0b4b8"
},
{
"url": "https://git.kernel.org/stable/c/8e35c80f8570426fe0f0cc92b151ebd835975f22"
},
{
"url": "https://git.kernel.org/stable/c/6c3981fd59ef11a75005ac9978f034da5a168b6a"
},
{
"url": "https://git.kernel.org/stable/c/e748f1ee493f88e38b77363a60499f979d42c58a"
},
{
"url": "https://git.kernel.org/stable/c/6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7"
},
{
"url": "https://git.kernel.org/stable/c/a991dc56d3e9a2c3db87d0c3f03c24f6595400f1"
},
{
"url": "https://git.kernel.org/stable/c/877b7e6ffc23766448236e8732254534c518ba42"
}
],
"title": "i40e: fix validation of VF state in get resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39969",
"datePublished": "2025-10-15T07:55:52.948Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39972 (GCVE-0-2025-39972)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in i40e_validate_queue_map
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_validate_queue_map().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6cb93a7ff208f324c7ec581d72995f80e115e0e",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "34dfac0c904829967d500c51f216916ce1452957",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "4d5e804a9e19b639b18fd13664dbad3c03c79e61",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "cc4191e8ef40d2249c1b9a8617d22ec8a976b574",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "d4e3eaaa3cb3af77836d806c89cd6ebf533a7320",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "aa68d3c3ac8d1dcec40d52ae27e39f6d32207009",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in i40e_validate_queue_map\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_validate_queue_map()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6cb93a7ff208f324c7ec581d72995f80e115e0e"
},
{
"url": "https://git.kernel.org/stable/c/6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c"
},
{
"url": "https://git.kernel.org/stable/c/34dfac0c904829967d500c51f216916ce1452957"
},
{
"url": "https://git.kernel.org/stable/c/4d5e804a9e19b639b18fd13664dbad3c03c79e61"
},
{
"url": "https://git.kernel.org/stable/c/50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd"
},
{
"url": "https://git.kernel.org/stable/c/cc4191e8ef40d2249c1b9a8617d22ec8a976b574"
},
{
"url": "https://git.kernel.org/stable/c/d4e3eaaa3cb3af77836d806c89cd6ebf533a7320"
},
{
"url": "https://git.kernel.org/stable/c/aa68d3c3ac8d1dcec40d52ae27e39f6d32207009"
}
],
"title": "i40e: fix idx validation in i40e_validate_queue_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39972",
"datePublished": "2025-10-15T07:55:54.929Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53576 (GCVE-0-2023-53576)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: Always check queue mode setting from configfs
Make sure to check device queue mode in the null_validate_conf() and
return error for NULL_Q_RQ as we don't allow legacy I/O path, without
this patch we get OOPs when queue mode is set to 1 from configfs,
following are repro steps :-
modprobe null_blk nr_devices=0
mkdir config/nullb/nullb0
echo 1 > config/nullb/nullb0/memory_backed
echo 4096 > config/nullb/nullb0/blocksize
echo 20480 > config/nullb/nullb0/size
echo 1 > config/nullb/nullb0/queue_mode
echo 1 > config/nullb/nullb0/power
Entering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null)
due to oops @ 0xffffffffc041c329
CPU: 42 PID: 2372 Comm: sh Tainted: G O N 6.3.0-rc5lblk+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk]
Code: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20
RSP: 0018:ffffc900052cbde0 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00
RBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
R13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740
FS: 00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0
DR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a
DR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nullb_device_power_store+0xd1/0x120 [null_blk]
configfs_write_iter+0xb4/0x120
vfs_write+0x2ba/0x3c0
ksys_write+0x5f/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fd4460c57a7
Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7
RDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001
RBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0
R10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002
R13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700
</TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e732a266b973cd4e115e2cc2ea5007119e8a7fbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35e304dbcefa95237a3d6f94c007bfb10f012b17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd35b7bb6d5a329c427924886949ab51f210200a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "651260e563d9f50827dac496dc8a0b9b23d5db1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "63f8793ee60513a09f110ea460a6ff2c33811cdb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: Always check queue mode setting from configfs\n\nMake sure to check device queue mode in the null_validate_conf() and\nreturn error for NULL_Q_RQ as we don\u0027t allow legacy I/O path, without\nthis patch we get OOPs when queue mode is set to 1 from configfs,\nfollowing are repro steps :-\n\nmodprobe null_blk nr_devices=0\nmkdir config/nullb/nullb0\necho 1 \u003e config/nullb/nullb0/memory_backed\necho 4096 \u003e config/nullb/nullb0/blocksize\necho 20480 \u003e config/nullb/nullb0/size\necho 1 \u003e config/nullb/nullb0/queue_mode\necho 1 \u003e config/nullb/nullb0/power\n\nEntering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null)\ndue to oops @ 0xffffffffc041c329\nCPU: 42 PID: 2372 Comm: sh Tainted: G O N 6.3.0-rc5lblk+ #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk]\nCode: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 \u003c48\u003e 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20\nRSP: 0018:ffffc900052cbde0 EFLAGS: 00010246\nRAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00\nRBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740\nFS: 00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0\nDR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a\nDR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n nullb_device_power_store+0xd1/0x120 [null_blk]\n configfs_write_iter+0xb4/0x120\n vfs_write+0x2ba/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7fd4460c57a7\nCode: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7\nRDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001\nRBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0\nR10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002\nR13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:15.931Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e732a266b973cd4e115e2cc2ea5007119e8a7fbc"
},
{
"url": "https://git.kernel.org/stable/c/35e304dbcefa95237a3d6f94c007bfb10f012b17"
},
{
"url": "https://git.kernel.org/stable/c/fd35b7bb6d5a329c427924886949ab51f210200a"
},
{
"url": "https://git.kernel.org/stable/c/651260e563d9f50827dac496dc8a0b9b23d5db1a"
},
{
"url": "https://git.kernel.org/stable/c/63f8793ee60513a09f110ea460a6ff2c33811cdb"
}
],
"title": "null_blk: Always check queue mode setting from configfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53576",
"datePublished": "2025-10-04T15:17:15.931Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-04T15:17:15.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40020 (GCVE-0-2025-40020)
Vulnerability from cvelistv5
Published
2025-10-24 12:24
Modified
2025-10-24 12:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: peak_usb: fix shift-out-of-bounds issue
Explicitly uses a 64-bit constant when the number of bits used for its
shifting is 32 (which is the case for PC CAN FD interfaces supported by
this driver).
[mkl: update subject, apply manually]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "572c656802781cc57f4a3231eefa83547e75ed78",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "61b1dd4c614935169d12bdecc26906e37b508618",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "48822a59ecc47d353400d38b1941d3ae7591ffff",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "176c81cbf9c4e348610a421aad800087c0401f60",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "17edec1830e48c0becd61642d0e40bc753243b16",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "eb79ed970670344380e77d62f8188e8015648d94",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "394c58017e5f41043584c345106cae16a4613710",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "c443be70aaee42c2d1d251e0329e0a69dd96ae54",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix shift-out-of-bounds issue\n\nExplicitly uses a 64-bit constant when the number of bits used for its\nshifting is 32 (which is the case for PC CAN FD interfaces supported by\nthis driver).\n\n[mkl: update subject, apply manually]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:56.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/572c656802781cc57f4a3231eefa83547e75ed78"
},
{
"url": "https://git.kernel.org/stable/c/61b1dd4c614935169d12bdecc26906e37b508618"
},
{
"url": "https://git.kernel.org/stable/c/48822a59ecc47d353400d38b1941d3ae7591ffff"
},
{
"url": "https://git.kernel.org/stable/c/176c81cbf9c4e348610a421aad800087c0401f60"
},
{
"url": "https://git.kernel.org/stable/c/17edec1830e48c0becd61642d0e40bc753243b16"
},
{
"url": "https://git.kernel.org/stable/c/eb79ed970670344380e77d62f8188e8015648d94"
},
{
"url": "https://git.kernel.org/stable/c/394c58017e5f41043584c345106cae16a4613710"
},
{
"url": "https://git.kernel.org/stable/c/c443be70aaee42c2d1d251e0329e0a69dd96ae54"
}
],
"title": "can: peak_usb: fix shift-out-of-bounds issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40020",
"datePublished": "2025-10-24T12:24:56.311Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:56.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50541 (GCVE-0-2022-50541)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-30 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow
UDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.
These registers are 32-bit hardware counters and the driver uses these
counters to monitor the operational progress status for a channel, when
transferring more than 4GB of data it was observed that these counters
overflow and completion calculation of a operation gets affected and the
transfer hangs indefinitely.
This commit adds changes to decrease the byte count for every complete
transaction so that these registers never overflow and the proper byte
count statistics is maintained for ongoing transaction by the RT counters.
Earlier uc->bcnt used to maintain a count of the completed bytes at driver
side, since the RT counters maintain the statistics of current transaction
now, the maintenance of uc->bcnt is not necessary.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/k3-udma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d68da10b0cceb4177b653833e794b2923a4ffbd7",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "e0b16bfbd3a4a8d09614046335f4482313e7c0c4",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "a065657643a62a24b4435ddcaea45f1e9378749e",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
},
{
"lessThan": "7c94dcfa8fcff2dba53915f1dabfee49a3df8b88",
"status": "affected",
"version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/k3-udma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow\n\nUDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.\nThese registers are 32-bit hardware counters and the driver uses these\ncounters to monitor the operational progress status for a channel, when\ntransferring more than 4GB of data it was observed that these counters\noverflow and completion calculation of a operation gets affected and the\ntransfer hangs indefinitely.\n\nThis commit adds changes to decrease the byte count for every complete\ntransaction so that these registers never overflow and the proper byte\ncount statistics is maintained for ongoing transaction by the RT counters.\n\nEarlier uc-\u003ebcnt used to maintain a count of the completed bytes at driver\nside, since the RT counters maintain the statistics of current transaction\nnow, the maintenance of uc-\u003ebcnt is not necessary."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:33:04.866Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d68da10b0cceb4177b653833e794b2923a4ffbd7"
},
{
"url": "https://git.kernel.org/stable/c/e0b16bfbd3a4a8d09614046335f4482313e7c0c4"
},
{
"url": "https://git.kernel.org/stable/c/a065657643a62a24b4435ddcaea45f1e9378749e"
},
{
"url": "https://git.kernel.org/stable/c/7c94dcfa8fcff2dba53915f1dabfee49a3df8b88"
}
],
"title": "dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50541",
"datePublished": "2025-10-07T15:21:06.548Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-30T19:33:04.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53552 (GCVE-0-2023-53552)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: mark requests for GuC virtual engines to avoid use-after-free
References to i915_requests may be trapped by userspace inside a
sync_file or dmabuf (dma-resv) and held indefinitely across different
proceses. To counter-act the memory leaks, we try to not to keep
references from the request past their completion.
On the other side on fence release we need to know if rq->engine
is valid and points to hw engine (true for non-virtual requests).
To make it possible extra bit has been added to rq->execution_mask,
for marking virtual engines.
(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_types.h",
"drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
"drivers/gpu/drm/i915/i915_request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8017a27cec32eac8c8f9430b0a3055840136b856",
"status": "affected",
"version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
"versionType": "git"
},
{
"lessThan": "7fb464d52fa41c31a6fd1ad82888e67c65935d94",
"status": "affected",
"version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
"versionType": "git"
},
{
"lessThan": "5eefc5307c983b59344a4cb89009819f580c84fa",
"status": "affected",
"version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_types.h",
"drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
"drivers/gpu/drm/i915/i915_request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: mark requests for GuC virtual engines to avoid use-after-free\n\nReferences to i915_requests may be trapped by userspace inside a\nsync_file or dmabuf (dma-resv) and held indefinitely across different\nproceses. To counter-act the memory leaks, we try to not to keep\nreferences from the request past their completion.\nOn the other side on fence release we need to know if rq-\u003eengine\nis valid and points to hw engine (true for non-virtual requests).\nTo make it possible extra bit has been added to rq-\u003eexecution_mask,\nfor marking virtual engines.\n\n(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:58.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8017a27cec32eac8c8f9430b0a3055840136b856"
},
{
"url": "https://git.kernel.org/stable/c/7fb464d52fa41c31a6fd1ad82888e67c65935d94"
},
{
"url": "https://git.kernel.org/stable/c/5eefc5307c983b59344a4cb89009819f580c84fa"
}
],
"title": "drm/i915: mark requests for GuC virtual engines to avoid use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53552",
"datePublished": "2025-10-04T15:16:58.429Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:16:58.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53633 (GCVE-0-2023-53633)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Fix a leak in map_user_pages()
If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages. Call put_page() on
the pages before returning.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "73274c33d961f4aa0f968f763e2c9f4210b4f4a3",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix a leak in map_user_pages()\n\nIf get_user_pages_fast() allocates some pages but not as many as we\nwanted, then the current code leaks those pages. Call put_page() on\nthe pages before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:35.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c"
},
{
"url": "https://git.kernel.org/stable/c/73274c33d961f4aa0f968f763e2c9f4210b4f4a3"
}
],
"title": "accel/qaic: Fix a leak in map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53633",
"datePublished": "2025-10-07T15:19:35.647Z",
"dateReserved": "2025-10-07T15:16:59.657Z",
"dateUpdated": "2025-10-07T15:19:35.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45016 (GCVE-0-2024-45016)
Vulnerability from cvelistv5
Published
2024-09-11 15:13
Modified
2025-11-03 22:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netem: fix return value if duplicate enqueue fails
There is a bug in netem_enqueue() introduced by
commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.
There are two ways for the bug happen:
- If the duplicated packet is dropped by rootq->enqueue() and then
the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: 5845f706388a4cde0f6b80f9e5d33527e942b7d9 Version: a550a01b8af856f2684b0f79d552f5119eb5006c Version: 009510a90e230bb495f3fe25c7db956679263b07 Version: 4de7d30668cb8b06330992e1cd336f91700a2ce7 Version: d1dd2e15c85e890a1cc9bde5ba07ae63331e5c73 Version: 0148fe458b5705e2fea7cb88294fed7e36066ca2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T15:49:19.675501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T15:49:33.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:15:21.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "52d99a69f3d556c6426048c9d481b912205919d8",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "0486d31dd8198e22b63a4730244b38fffce6d469",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "577d6c0619467fe90f7e8e57e45cb5bd9d936014",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "e5bb2988a310667abed66c7d3ffa28880cf0f883",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"lessThan": "c07ff8592d57ed258afee5a5e04991a48dbaf382",
"status": "affected",
"version": "5845f706388a4cde0f6b80f9e5d33527e942b7d9",
"versionType": "git"
},
{
"status": "affected",
"version": "a550a01b8af856f2684b0f79d552f5119eb5006c",
"versionType": "git"
},
{
"status": "affected",
"version": "009510a90e230bb495f3fe25c7db956679263b07",
"versionType": "git"
},
{
"status": "affected",
"version": "4de7d30668cb8b06330992e1cd336f91700a2ce7",
"versionType": "git"
},
{
"status": "affected",
"version": "d1dd2e15c85e890a1cc9bde5ba07ae63331e5c73",
"versionType": "git"
},
{
"status": "affected",
"version": "0148fe458b5705e2fea7cb88294fed7e36066ca2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.283",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.225",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.166",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.107",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.48",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.7",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: fix return value if duplicate enqueue fails\n\nThere is a bug in netem_enqueue() introduced by\ncommit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\")\nthat can lead to a use-after-free.\n\nThis commit made netem_enqueue() always return NET_XMIT_SUCCESS\nwhen a packet is duplicated, which can cause the parent qdisc\u0027s q.qlen\nto be mistakenly incremented. When this happens qlen_notify() may be\nskipped on the parent during destruction, leaving a dangling pointer\nfor some classful qdiscs like DRR.\n\nThere are two ways for the bug happen:\n\n- If the duplicated packet is dropped by rootq-\u003eenqueue() and then\n the original packet is also dropped.\n- If rootq-\u003eenqueue() sends the duplicated packet to a different qdisc\n and the original packet is dropped.\n\nIn both cases NET_XMIT_SUCCESS is returned even though no packets\nare enqueued at the netem qdisc.\n\nThe fix is to defer the enqueue of the duplicate packet until after\nthe original packet has been guaranteed to return NET_XMIT_SUCCESS."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:58:33.332Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4"
},
{
"url": "https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d"
},
{
"url": "https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8"
},
{
"url": "https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469"
},
{
"url": "https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014"
},
{
"url": "https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883"
},
{
"url": "https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382"
}
],
"title": "netem: fix return value if duplicate enqueue fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-45016",
"datePublished": "2024-09-11T15:13:52.053Z",
"dateReserved": "2024-08-21T05:34:56.682Z",
"dateUpdated": "2025-11-03T22:15:21.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53518 (GCVE-0-2023-53518)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: Fix leak in devfreq_dev_release()
srcu_init_notifier_head() allocates resources that need to be released
with a srcu_cleanup_notifier_head() call.
Reported by kmemleak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 Version: 0fe3a66410a3ba96679be903f1e287d7a0a264a9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7462483446cb9986568ad7adae746ce5f18d2968",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "64e6e0dc2d578c0a9e31cb4edd719f0a3ed98f6d",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "29811f4b8255d4238cf326f3bb7129784766beab",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "ab192e5e5d3b48415909a8408acfd007a607bcc0",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "111bafa210ae546bee7644be730c42df9c35b66e",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "8918025feb2f5f7c73f2495c158f22997e25cb02",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "1640e9c72173911ad0fddb05012c01eafe082c4e",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "3354c401c68d70567d1ef25d12f4e22a7813a3c6",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
},
{
"lessThan": "5693d077595de721f9ddbf9d37f40e5409707dfe",
"status": "affected",
"version": "0fe3a66410a3ba96679be903f1e287d7a0a264a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Fix leak in devfreq_dev_release()\n\nsrcu_init_notifier_head() allocates resources that need to be released\nwith a srcu_cleanup_notifier_head() call.\n\nReported by kmemleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:05.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7462483446cb9986568ad7adae746ce5f18d2968"
},
{
"url": "https://git.kernel.org/stable/c/64e6e0dc2d578c0a9e31cb4edd719f0a3ed98f6d"
},
{
"url": "https://git.kernel.org/stable/c/29811f4b8255d4238cf326f3bb7129784766beab"
},
{
"url": "https://git.kernel.org/stable/c/ab192e5e5d3b48415909a8408acfd007a607bcc0"
},
{
"url": "https://git.kernel.org/stable/c/111bafa210ae546bee7644be730c42df9c35b66e"
},
{
"url": "https://git.kernel.org/stable/c/8918025feb2f5f7c73f2495c158f22997e25cb02"
},
{
"url": "https://git.kernel.org/stable/c/1640e9c72173911ad0fddb05012c01eafe082c4e"
},
{
"url": "https://git.kernel.org/stable/c/3354c401c68d70567d1ef25d12f4e22a7813a3c6"
},
{
"url": "https://git.kernel.org/stable/c/5693d077595de721f9ddbf9d37f40e5409707dfe"
}
],
"title": "PM / devfreq: Fix leak in devfreq_dev_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53518",
"datePublished": "2025-10-01T11:46:05.446Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2025-10-01T11:46:05.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21772 (GCVE-0-2025-21772)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
partitions: mac: fix handling of bogus partition table
Fix several issues in partition probing:
- The bailout for a bad partoffset must use put_dev_sector(), since the
preceding read_part_sector() succeeded.
- If the partition table claims a silly sector size like 0xfff bytes
(which results in partition table entries straddling sector boundaries),
bail out instead of accessing out-of-bounds memory.
- We must not assume that the partition table contains proper NUL
termination - use strnlen() and strncmp() instead of strlen() and
strcmp().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:27.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/partitions/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3e77da9f843e4ab93917d30c314f0283e28c124",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "213ba5bd81b7e97ac6e6190b8f3bc6ba76123625",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40a35d14f3c0dc72b689061ec72fc9b193f37d1f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27a39d006f85e869be68c1d5d2ce05e5d6445bf5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92527100be38ede924768f4277450dfe8a40e16b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6578717ebca91678131d2b1f4ba4258e60536e9f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fa9706722882f634090bfc9af642bf9ed719e27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "80e648042e512d5a767da251d44132553fe04ae0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/partitions/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n (which results in partition table entries straddling sector boundaries),\n bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n termination - use strnlen() and strncmp() instead of strlen() and\n strcmp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:46.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
},
{
"url": "https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625"
},
{
"url": "https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f"
},
{
"url": "https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5"
},
{
"url": "https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b"
},
{
"url": "https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f"
},
{
"url": "https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27"
},
{
"url": "https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0"
}
],
"title": "partitions: mac: fix handling of bogus partition table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21772",
"datePublished": "2025-02-27T02:18:19.528Z",
"dateReserved": "2024-12-29T08:45:45.762Z",
"dateUpdated": "2025-11-03T19:37:27.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39706 (GCVE-0-2025-39706)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
Since KFD proc content was moved to kernel debugfs, we can't destroy KFD
debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior
to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens
when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but
kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line
debugfs_remove_recursive(entry->proc_dentry);
tries to remove /sys/kernel/debug/kfd/proc/<pid> while
/sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel
NULL pointer.
(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:33.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_module.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc35c955da799ba62f6f977d58e0866d0251e3f8",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "74ee7445c3b61c3bd899a54bd82c1982cb3a8206",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "96609a51e6134542bf90e053c2cd2fe4f61ebce3",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "910735ded17cc306625e7e1cdcc8102f7ac60994",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "2e58401a24e7b2d4ec619104e1a76590c1284a4c",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_module.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Destroy KFD debugfs after destroy KFD wq\n\nSince KFD proc content was moved to kernel debugfs, we can\u0027t destroy KFD\ndebugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior\nto kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens\nwhen /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but\nkfd_process_destroy_wq calls kfd_debugfs_remove_process. This line\n debugfs_remove_recursive(entry-\u003eproc_dentry);\ntries to remove /sys/kernel/debug/kfd/proc/\u003cpid\u003e while\n/sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel\nNULL pointer.\n\n(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:49.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc35c955da799ba62f6f977d58e0866d0251e3f8"
},
{
"url": "https://git.kernel.org/stable/c/74ee7445c3b61c3bd899a54bd82c1982cb3a8206"
},
{
"url": "https://git.kernel.org/stable/c/96609a51e6134542bf90e053c2cd2fe4f61ebce3"
},
{
"url": "https://git.kernel.org/stable/c/910735ded17cc306625e7e1cdcc8102f7ac60994"
},
{
"url": "https://git.kernel.org/stable/c/2e58401a24e7b2d4ec619104e1a76590c1284a4c"
}
],
"title": "drm/amdkfd: Destroy KFD debugfs after destroy KFD wq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39706",
"datePublished": "2025-09-05T17:21:12.841Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-11-03T17:42:33.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53704 (GCVE-0-2023-53704)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()
Replace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc()
which can automatically release the related memory when the device
or driver is removed or unloaded to avoid potential memory leak.
In this case, iounmap(anatop_base) in line 427,433 are removed
as manual release is not required.
Besides, referring to clk-imx8mq.c, check the return code of
of_clk_add_hw_provider, if it returns negtive, print error info
and unregister hws, which makes the program more robust.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 Version: 9c140d9926761b0f5d329ff6c09a1540f3d5e1d3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb047c13bbf9018693ae31f03a5a26b212d02f13",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
},
{
"lessThan": "bcea444ab4c045864b55d67313833d606676602a",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
},
{
"lessThan": "6317d0302655f7e854cd4f31e93b47d35cb058bb",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
},
{
"lessThan": "5bcf140e9e6cf76f1f1bd1f489a14ca4d49f9a1a",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
},
{
"lessThan": "92ce7629a11ae62292e1cfaa6132dab081fc80ee",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
},
{
"lessThan": "878b02d5f3b56cb090dbe2c70c89273be144087f",
"status": "affected",
"version": "9c140d9926761b0f5d329ff6c09a1540f3d5e1d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()\n\nReplace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc()\nwhich can automatically release the related memory when the device\nor driver is removed or unloaded to avoid potential memory leak.\n\nIn this case, iounmap(anatop_base) in line 427,433 are removed\nas manual release is not required.\n\nBesides, referring to clk-imx8mq.c, check the return code of\nof_clk_add_hw_provider, if it returns negtive, print error info\nand unregister hws, which makes the program more robust."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:42.067Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb047c13bbf9018693ae31f03a5a26b212d02f13"
},
{
"url": "https://git.kernel.org/stable/c/bcea444ab4c045864b55d67313833d606676602a"
},
{
"url": "https://git.kernel.org/stable/c/6317d0302655f7e854cd4f31e93b47d35cb058bb"
},
{
"url": "https://git.kernel.org/stable/c/5bcf140e9e6cf76f1f1bd1f489a14ca4d49f9a1a"
},
{
"url": "https://git.kernel.org/stable/c/92ce7629a11ae62292e1cfaa6132dab081fc80ee"
},
{
"url": "https://git.kernel.org/stable/c/878b02d5f3b56cb090dbe2c70c89273be144087f"
}
],
"title": "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53704",
"datePublished": "2025-10-22T13:23:42.067Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:42.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53309 (GCVE-0-2023-53309)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Fix integer overflow in radeon_cs_parser_init
The type of size is unsigned, if size is 0x40000000, there will be an
integer overflow, size will be zero after size *= sizeof(uint32_t),
will cause uninitialized memory to be referenced later
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d05ba46134d07e889de7d23cf8503574a22ede09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfa9148bafb2d3292b65de1bac79dcca65be2643",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8fab6aebdf2115ec2d7bd2f3498d5b911ff351e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6825b30d37fe89ceb87f926d33d4fad321a331e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0d7dbc6b7a61a56028118c00af2c8319d44a682",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e1be420b86980c25a75325e90dfc3fc73126f61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25e634d7f44eb13113139040e5366bebe48c882f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f828b681d0cd566f86351c0b913e6cb6ed8c7b9c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix integer overflow in radeon_cs_parser_init\n\nThe type of size is unsigned, if size is 0x40000000, there will be an\ninteger overflow, size will be zero after size *= sizeof(uint32_t),\nwill cause uninitialized memory to be referenced later"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:47.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d05ba46134d07e889de7d23cf8503574a22ede09"
},
{
"url": "https://git.kernel.org/stable/c/cfa9148bafb2d3292b65de1bac79dcca65be2643"
},
{
"url": "https://git.kernel.org/stable/c/b8fab6aebdf2115ec2d7bd2f3498d5b911ff351e"
},
{
"url": "https://git.kernel.org/stable/c/e6825b30d37fe89ceb87f926d33d4fad321a331e"
},
{
"url": "https://git.kernel.org/stable/c/c0d7dbc6b7a61a56028118c00af2c8319d44a682"
},
{
"url": "https://git.kernel.org/stable/c/2e1be420b86980c25a75325e90dfc3fc73126f61"
},
{
"url": "https://git.kernel.org/stable/c/25e634d7f44eb13113139040e5366bebe48c882f"
},
{
"url": "https://git.kernel.org/stable/c/f828b681d0cd566f86351c0b913e6cb6ed8c7b9c"
}
],
"title": "drm/radeon: Fix integer overflow in radeon_cs_parser_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53309",
"datePublished": "2025-09-16T16:11:47.700Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2025-09-16T16:11:47.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53436 (GCVE-0-2023-53436)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: snic: Fix possible memory leak if device_add() fails
If device_add() returns error, the name allocated by dev_set_name() needs
be freed. As the comment of device_add() says, put_device() should be used
to give up the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanp().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa Version: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_disc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "789275f7c0544374d40bc8d9c81f96751a41df45",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "f830968d464f55e11bc9260a132fc77daa266aa3",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "cea09922f5f75652d55b481ee34011fc7f19868b",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "58889d5ad74cbc1c9595db74e13522b58b69b0ec",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "461f8ac666fa232afee5ed6420099913ec4e4ba2",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "7723a5d5d187626c4c640842e522cf4e9e39492e",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "ed0acb1ee2e9322b96611635a9ca9303d15ac76c",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "41320b18a0e0dfb236dba4edb9be12dba1878156",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_disc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix possible memory leak if device_add() fails\n\nIf device_add() returns error, the name allocated by dev_set_name() needs\nbe freed. As the comment of device_add() says, put_device() should be used\nto give up the reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:15.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/789275f7c0544374d40bc8d9c81f96751a41df45"
},
{
"url": "https://git.kernel.org/stable/c/f830968d464f55e11bc9260a132fc77daa266aa3"
},
{
"url": "https://git.kernel.org/stable/c/cea09922f5f75652d55b481ee34011fc7f19868b"
},
{
"url": "https://git.kernel.org/stable/c/58889d5ad74cbc1c9595db74e13522b58b69b0ec"
},
{
"url": "https://git.kernel.org/stable/c/461f8ac666fa232afee5ed6420099913ec4e4ba2"
},
{
"url": "https://git.kernel.org/stable/c/7723a5d5d187626c4c640842e522cf4e9e39492e"
},
{
"url": "https://git.kernel.org/stable/c/ed0acb1ee2e9322b96611635a9ca9303d15ac76c"
},
{
"url": "https://git.kernel.org/stable/c/41320b18a0e0dfb236dba4edb9be12dba1878156"
}
],
"title": "scsi: snic: Fix possible memory leak if device_add() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53436",
"datePublished": "2025-09-18T16:04:15.138Z",
"dateReserved": "2025-09-17T14:54:09.751Z",
"dateUpdated": "2025-09-18T16:04:15.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53557 (GCVE-0-2023-53557)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fprobe: Release rethook after the ftrace_ops is unregistered
While running bpf selftests it's possible to get following fault:
general protection fault, probably for non-canonical address \
0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
...
Call Trace:
<TASK>
fprobe_handler+0xc1/0x270
? __pfx_bpf_testmod_init+0x10/0x10
? __pfx_bpf_testmod_init+0x10/0x10
? bpf_fentry_test1+0x5/0x10
? bpf_fentry_test1+0x5/0x10
? bpf_testmod_init+0x22/0x80
? do_one_initcall+0x63/0x2e0
? rcu_is_watching+0xd/0x40
? kmalloc_trace+0xaf/0xc0
? do_init_module+0x60/0x250
? __do_sys_finit_module+0xac/0x120
? do_syscall_64+0x37/0x90
? entry_SYSCALL_64_after_hwframe+0x72/0xdc
</TASK>
In unregister_fprobe function we can't release fp->rethook while it's
possible there are some of its users still running on another cpu.
Moving rethook_free call after fp->ops is unregistered with
unregister_ftrace_function call.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/fprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce3ec57faff559ccae1e0150c1f077eb2df648a4",
"status": "affected",
"version": "5b0ab78998e32564a011b14c4c7f9c81e2d42b9d",
"versionType": "git"
},
{
"lessThan": "03d63255a5783243c110aec5e6ae2f1475c3be76",
"status": "affected",
"version": "5b0ab78998e32564a011b14c4c7f9c81e2d42b9d",
"versionType": "git"
},
{
"lessThan": "5f81018753dfd4989e33ece1f0cb6b8aae498b82",
"status": "affected",
"version": "5b0ab78998e32564a011b14c4c7f9c81e2d42b9d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/fprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfprobe: Release rethook after the ftrace_ops is unregistered\n\nWhile running bpf selftests it\u0027s possible to get following fault:\n\n general protection fault, probably for non-canonical address \\\n 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI\n ...\n Call Trace:\n \u003cTASK\u003e\n fprobe_handler+0xc1/0x270\n ? __pfx_bpf_testmod_init+0x10/0x10\n ? __pfx_bpf_testmod_init+0x10/0x10\n ? bpf_fentry_test1+0x5/0x10\n ? bpf_fentry_test1+0x5/0x10\n ? bpf_testmod_init+0x22/0x80\n ? do_one_initcall+0x63/0x2e0\n ? rcu_is_watching+0xd/0x40\n ? kmalloc_trace+0xaf/0xc0\n ? do_init_module+0x60/0x250\n ? __do_sys_finit_module+0xac/0x120\n ? do_syscall_64+0x37/0x90\n ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n \u003c/TASK\u003e\n\nIn unregister_fprobe function we can\u0027t release fp-\u003erethook while it\u0027s\npossible there are some of its users still running on another cpu.\n\nMoving rethook_free call after fp-\u003eops is unregistered with\nunregister_ftrace_function call."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:02.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce3ec57faff559ccae1e0150c1f077eb2df648a4"
},
{
"url": "https://git.kernel.org/stable/c/03d63255a5783243c110aec5e6ae2f1475c3be76"
},
{
"url": "https://git.kernel.org/stable/c/5f81018753dfd4989e33ece1f0cb6b8aae498b82"
}
],
"title": "fprobe: Release rethook after the ftrace_ops is unregistered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53557",
"datePublished": "2025-10-04T15:17:02.077Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:02.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53567 (GCVE-0-2023-53567)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: qup: Don't skip cleanup in remove's error path
Returning early in a platform driver's remove callback is wrong. In this
case the dma resources are not released in the error path. this is never
retried later and so this is a permanent leak. To fix this, only skip
hardware disabling if waking the device fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 Version: 64ff247a978facc437d40f0c9b754675846a98f0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd53f41bd86daa39b454fd4637a908ff2123547f",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "8632384337038b97910c2f7bb5a3f377aa68d001",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "bc88243bbe6140d289bb32b4ee4607ba5ce1124a",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "f345d4d71e87d878437417ffbb9a7d4e16d235eb",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "2d0f63077f481f11a07f20eab1c1f4367dfaef32",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "55ecdcd12bc176b86fecbcb125ac814ac8fe857a",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "49c17fccae36505550c9121891722fff337f148a",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
},
{
"lessThan": "61f49171a43ab1f80c73c5c88c508770c461e0f2",
"status": "affected",
"version": "64ff247a978facc437d40f0c9b754675846a98f0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: qup: Don\u0027t skip cleanup in remove\u0027s error path\n\nReturning early in a platform driver\u0027s remove callback is wrong. In this\ncase the dma resources are not released in the error path. this is never\nretried later and so this is a permanent leak. To fix this, only skip\nhardware disabling if waking the device fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:09.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd53f41bd86daa39b454fd4637a908ff2123547f"
},
{
"url": "https://git.kernel.org/stable/c/8632384337038b97910c2f7bb5a3f377aa68d001"
},
{
"url": "https://git.kernel.org/stable/c/bc88243bbe6140d289bb32b4ee4607ba5ce1124a"
},
{
"url": "https://git.kernel.org/stable/c/f345d4d71e87d878437417ffbb9a7d4e16d235eb"
},
{
"url": "https://git.kernel.org/stable/c/2d0f63077f481f11a07f20eab1c1f4367dfaef32"
},
{
"url": "https://git.kernel.org/stable/c/55ecdcd12bc176b86fecbcb125ac814ac8fe857a"
},
{
"url": "https://git.kernel.org/stable/c/49c17fccae36505550c9121891722fff337f148a"
},
{
"url": "https://git.kernel.org/stable/c/61f49171a43ab1f80c73c5c88c508770c461e0f2"
}
],
"title": "spi: qup: Don\u0027t skip cleanup in remove\u0027s error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53567",
"datePublished": "2025-10-04T15:17:09.350Z",
"dateReserved": "2025-10-04T15:14:15.924Z",
"dateUpdated": "2025-10-04T15:17:09.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53572 (GCVE-0-2023-53572)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: scu: use _safe list iterator to avoid a use after free
This loop is freeing "clk" so it needs to use list_for_each_entry_safe().
Otherwise it dereferences a freed variable to get the next item on the
loop.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f95ff838ac39f861d1f95a0f3bbb1e01c2517d79",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "08cc7cd2c2a29a2abf5bceb8f048c0734d3694ba",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "3d90921f91fc6a8c801d527bb5848c99e335c1cf",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "0a719f0e4b6f233979e219baff73923e76a96e09",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
},
{
"lessThan": "632c60ecd25dbacee54d5581fe3aeb834b57010a",
"status": "affected",
"version": "77d8f3068c63ee0983f0b5ba3207d3f7cce11be4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: scu: use _safe list iterator to avoid a use after free\n\nThis loop is freeing \"clk\" so it needs to use list_for_each_entry_safe().\nOtherwise it dereferences a freed variable to get the next item on the\nloop."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:13.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f95ff838ac39f861d1f95a0f3bbb1e01c2517d79"
},
{
"url": "https://git.kernel.org/stable/c/08cc7cd2c2a29a2abf5bceb8f048c0734d3694ba"
},
{
"url": "https://git.kernel.org/stable/c/3d90921f91fc6a8c801d527bb5848c99e335c1cf"
},
{
"url": "https://git.kernel.org/stable/c/0a719f0e4b6f233979e219baff73923e76a96e09"
},
{
"url": "https://git.kernel.org/stable/c/632c60ecd25dbacee54d5581fe3aeb834b57010a"
}
],
"title": "clk: imx: scu: use _safe list iterator to avoid a use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53572",
"datePublished": "2025-10-04T15:17:13.089Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-04T15:17:13.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39750 (GCVE-0-2025-39750)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Correct tid cleanup when tid setup fails
Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),
the tid value is already incremented, even though the corresponding
TID is not actually allocated. Proceed to
ath12k_dp_rx_peer_tid_delete() starting from unallocated tid,
which might leads to freeing unallocated TID and cause potential
crash or out-of-bounds access.
Hence, fix by correctly decrementing tid before cleanup to match only
the successfully allocated TIDs.
Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(),
as decrementing the tid before cleanup in loop will take care of this.
Compile tested only.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30cad87978057516c93467516bc481a3eacfd66a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "2ef17d1476ab26bce89764e2f16833d7f52acc38",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "907c630e58af9e86e215f3951c7b287bd86d0f15",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "6301fe4f209165334d251a1c6da8ae47f93cb32c",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "4a2bf707270f897ab8077baee8ed5842a5321686",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Correct tid cleanup when tid setup fails\n\nCurrently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),\nthe tid value is already incremented, even though the corresponding\nTID is not actually allocated. Proceed to\nath12k_dp_rx_peer_tid_delete() starting from unallocated tid,\nwhich might leads to freeing unallocated TID and cause potential\ncrash or out-of-bounds access.\n\nHence, fix by correctly decrementing tid before cleanup to match only\nthe successfully allocated TIDs.\n\nAlso, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(),\nas decrementing the tid before cleanup in loop will take care of this.\n\nCompile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:39.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30cad87978057516c93467516bc481a3eacfd66a"
},
{
"url": "https://git.kernel.org/stable/c/2ef17d1476ab26bce89764e2f16833d7f52acc38"
},
{
"url": "https://git.kernel.org/stable/c/907c630e58af9e86e215f3951c7b287bd86d0f15"
},
{
"url": "https://git.kernel.org/stable/c/6301fe4f209165334d251a1c6da8ae47f93cb32c"
},
{
"url": "https://git.kernel.org/stable/c/4a2bf707270f897ab8077baee8ed5842a5321686"
}
],
"title": "wifi: ath12k: Correct tid cleanup when tid setup fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39750",
"datePublished": "2025-09-11T16:52:21.917Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-09-29T05:58:39.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53208 (GCVE-0-2023-53208)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state
When emulating nested VM-Exit, load L1's TSC multiplier if L1's desired
ratio doesn't match the current ratio, not if the ratio L1 is using for
L2 diverges from the default. Functionally, the end result is the same
as KVM will run L2 with L1's multiplier if L2's multiplier is the default,
i.e. checking that L1's multiplier is loaded is equivalent to checking if
L2 has a non-default multiplier.
However, the assertion that TSC scaling is exposed to L1 is flawed, as
userspace can trigger the WARN at will by writing the MSR and then
updating guest CPUID to hide the feature (modifying guest CPUID is
allowed anytime before KVM_RUN). E.g. hacking KVM's state_test
selftest to do
vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);
after restoring state in a new VM+vCPU yields an endless supply of:
------------[ cut here ]------------
WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105
nested_svm_vmexit+0x6af/0x720 [kvm_amd]
Call Trace:
nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]
svm_handle_exit+0xb9/0x180 [kvm_amd]
kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
? trace_hardirqs_off+0x4d/0xa0
__se_sys_ioctl+0x7a/0xc0
__x64_sys_ioctl+0x21/0x30
do_syscall_64+0x41/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Unlike the nested VMRUN path, hoisting the svm->tsc_scaling_enabled check
into the if-statement is wrong as KVM needs to ensure L1's multiplier is
loaded in the above scenario. Alternatively, the WARN_ON() could simply
be deleted, but that would make KVM's behavior even more subtle, e.g. it's
not immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when
checking only tsc_ratio_msr.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b2b0535fa7adee7e295fed0a3095082131a8d05",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "e91c07f6cf7060d2acb3aeee31a6baebe3773d3f",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
},
{
"lessThan": "0c94e2468491cbf0754f49a5136ab51294a96b69",
"status": "affected",
"version": "5228eb96a4875f8cf5d61d486e3795ac14df8904",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Load L1\u0027s TSC multiplier based on L1 state, not L2 state\n\nWhen emulating nested VM-Exit, load L1\u0027s TSC multiplier if L1\u0027s desired\nratio doesn\u0027t match the current ratio, not if the ratio L1 is using for\nL2 diverges from the default. Functionally, the end result is the same\nas KVM will run L2 with L1\u0027s multiplier if L2\u0027s multiplier is the default,\ni.e. checking that L1\u0027s multiplier is loaded is equivalent to checking if\nL2 has a non-default multiplier.\n\nHowever, the assertion that TSC scaling is exposed to L1 is flawed, as\nuserspace can trigger the WARN at will by writing the MSR and then\nupdating guest CPUID to hide the feature (modifying guest CPUID is\nallowed anytime before KVM_RUN). E.g. hacking KVM\u0027s state_test\nselftest to do\n\n vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105\n nested_svm_vmexit+0x6af/0x720 [kvm_amd]\n Call Trace:\n nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]\n svm_handle_exit+0xb9/0x180 [kvm_amd]\n kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n ? trace_hardirqs_off+0x4d/0xa0\n __se_sys_ioctl+0x7a/0xc0\n __x64_sys_ioctl+0x21/0x30\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUnlike the nested VMRUN path, hoisting the svm-\u003etsc_scaling_enabled check\ninto the if-statement is wrong as KVM needs to ensure L1\u0027s multiplier is\nloaded in the above scenario. Alternatively, the WARN_ON() could simply\nbe deleted, but that would make KVM\u0027s behavior even more subtle, e.g. it\u0027s\nnot immediately obvious why it\u0027s safe to write MSR_AMD64_TSC_RATIO when\nchecking only tsc_ratio_msr."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:36.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b2b0535fa7adee7e295fed0a3095082131a8d05"
},
{
"url": "https://git.kernel.org/stable/c/e91c07f6cf7060d2acb3aeee31a6baebe3773d3f"
},
{
"url": "https://git.kernel.org/stable/c/0c94e2468491cbf0754f49a5136ab51294a96b69"
}
],
"title": "KVM: nSVM: Load L1\u0027s TSC multiplier based on L1 state, not L2 state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53208",
"datePublished": "2025-09-15T14:21:36.170Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:36.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53238 (GCVE-0-2023-53238)
Vulnerability from cvelistv5
Published
2025-09-15 14:22
Modified
2025-09-15 14:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM.
In the for loop, 'i' is used as the index for array 'priv->ports[]'
with a check (i > INNO_PHY_PORT_NUM) which indicates that
INNO_PHY_PORT_NUM is allowed value for 'i' in the same loop.
This > comparison needs to be changed to >=, otherwise it potentially leads
to an out of bounds write on the next iteration through the loop
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 Version: ba8b0ee81fbbc249e60f84bf097bd56e8047c742 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/hisilicon/phy-hisi-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2843a2e703f5cb85c9eeca11b7ee90861635a010",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "195e806b2afb0bad6470c9094f7e45e0cf109ee0",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "ad249aa3c38f329f91fba8b4b3cd087e79fb0ce8",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "6d8a71e4c3a2fa4960cc50996e76a42b62fab677",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "01cb355bb92e8fcf8306e11a4774d610c5864e39",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "ce69eac840db0b559994dc4290fce3d7c0d7bccd",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
},
{
"lessThan": "13c088cf3657d70893d75cf116be937f1509cc0f",
"status": "affected",
"version": "ba8b0ee81fbbc249e60f84bf097bd56e8047c742",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/hisilicon/phy-hisi-inno-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()\n\nThe size of array \u0027priv-\u003eports[]\u0027 is INNO_PHY_PORT_NUM.\n\nIn the for loop, \u0027i\u0027 is used as the index for array \u0027priv-\u003eports[]\u0027\nwith a check (i \u003e INNO_PHY_PORT_NUM) which indicates that\nINNO_PHY_PORT_NUM is allowed value for \u0027i\u0027 in the same loop.\n\nThis \u003e comparison needs to be changed to \u003e=, otherwise it potentially leads\nto an out of bounds write on the next iteration through the loop"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:22:12.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2843a2e703f5cb85c9eeca11b7ee90861635a010"
},
{
"url": "https://git.kernel.org/stable/c/195e806b2afb0bad6470c9094f7e45e0cf109ee0"
},
{
"url": "https://git.kernel.org/stable/c/ad249aa3c38f329f91fba8b4b3cd087e79fb0ce8"
},
{
"url": "https://git.kernel.org/stable/c/6d8a71e4c3a2fa4960cc50996e76a42b62fab677"
},
{
"url": "https://git.kernel.org/stable/c/01cb355bb92e8fcf8306e11a4774d610c5864e39"
},
{
"url": "https://git.kernel.org/stable/c/ce69eac840db0b559994dc4290fce3d7c0d7bccd"
},
{
"url": "https://git.kernel.org/stable/c/13c088cf3657d70893d75cf116be937f1509cc0f"
}
],
"title": "phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53238",
"datePublished": "2025-09-15T14:22:12.160Z",
"dateReserved": "2025-09-15T14:19:21.847Z",
"dateUpdated": "2025-09-15T14:22:12.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53563 (GCVE-0-2023-53563)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate-ut: Fix kernel panic when loading the driver
After loading the amd-pstate-ut driver, amd_pstate_ut_check_perf()
and amd_pstate_ut_check_freq() use cpufreq_cpu_get() to get the policy
of the CPU and mark it as busy.
In these functions, cpufreq_cpu_put() should be used to release the
policy, but it is not, so any other entity trying to access the policy
is blocked indefinitely.
One such scenario is when amd_pstate mode is changed, leading to the
following splat:
[ 1332.103727] INFO: task bash:2929 blocked for more than 120 seconds.
[ 1332.110001] Not tainted 6.5.0-rc2-amd-pstate-ut #5
[ 1332.115315] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1332.123140] task:bash state:D stack:0 pid:2929 ppid:2873 flags:0x00004006
[ 1332.123143] Call Trace:
[ 1332.123145] <TASK>
[ 1332.123148] __schedule+0x3c1/0x16a0
[ 1332.123154] ? _raw_read_lock_irqsave+0x2d/0x70
[ 1332.123157] schedule+0x6f/0x110
[ 1332.123160] schedule_timeout+0x14f/0x160
[ 1332.123162] ? preempt_count_add+0x86/0xd0
[ 1332.123165] __wait_for_common+0x92/0x190
[ 1332.123168] ? __pfx_schedule_timeout+0x10/0x10
[ 1332.123170] wait_for_completion+0x28/0x30
[ 1332.123173] cpufreq_policy_put_kobj+0x4d/0x90
[ 1332.123177] cpufreq_policy_free+0x157/0x1d0
[ 1332.123178] ? preempt_count_add+0x58/0xd0
[ 1332.123180] cpufreq_remove_dev+0xb6/0x100
[ 1332.123182] subsys_interface_unregister+0x114/0x120
[ 1332.123185] ? preempt_count_add+0x58/0xd0
[ 1332.123187] ? __pfx_amd_pstate_change_driver_mode+0x10/0x10
[ 1332.123190] cpufreq_unregister_driver+0x3b/0xd0
[ 1332.123192] amd_pstate_change_driver_mode+0x1e/0x50
[ 1332.123194] store_status+0xe9/0x180
[ 1332.123197] dev_attr_store+0x1b/0x30
[ 1332.123199] sysfs_kf_write+0x42/0x50
[ 1332.123202] kernfs_fop_write_iter+0x143/0x1d0
[ 1332.123204] vfs_write+0x2df/0x400
[ 1332.123208] ksys_write+0x6b/0xf0
[ 1332.123210] __x64_sys_write+0x1d/0x30
[ 1332.123213] do_syscall_64+0x60/0x90
[ 1332.123216] ? fpregs_assert_state_consistent+0x2e/0x50
[ 1332.123219] ? exit_to_user_mode_prepare+0x49/0x1a0
[ 1332.123223] ? irqentry_exit_to_user_mode+0xd/0x20
[ 1332.123225] ? irqentry_exit+0x3f/0x50
[ 1332.123226] ? exc_page_fault+0x8e/0x190
[ 1332.123228] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 1332.123232] RIP: 0033:0x7fa74c514a37
[ 1332.123234] RSP: 002b:00007ffe31dd0788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 1332.123238] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fa74c514a37
[ 1332.123239] RDX: 0000000000000008 RSI: 000055e27c447aa0 RDI: 0000000000000001
[ 1332.123241] RBP: 000055e27c447aa0 R08: 00007fa74c5d1460 R09: 000000007fffffff
[ 1332.123242] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
[ 1332.123244] R13: 00007fa74c61a780 R14: 00007fa74c616600 R15: 00007fa74c615a00
[ 1332.123247] </TASK>
Fix this by calling cpufreq_cpu_put() wherever necessary.
[ rjw: Subject and changelog edits ]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate-ut.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcf78a17bbb94bebaa912f0460a1848f7d374c94",
"status": "affected",
"version": "14eb1c96e3a3fd9cd377ac9af3c7a410f8bf1015",
"versionType": "git"
},
{
"lessThan": "84857640c67405eed258c461b3ef909002f1e201",
"status": "affected",
"version": "14eb1c96e3a3fd9cd377ac9af3c7a410f8bf1015",
"versionType": "git"
},
{
"lessThan": "0f74f12ee042fd72e45f0e8700e063c84ef3883b",
"status": "affected",
"version": "14eb1c96e3a3fd9cd377ac9af3c7a410f8bf1015",
"versionType": "git"
},
{
"lessThan": "60dd283804479c4a52f995b713f448e2cd65b8c8",
"status": "affected",
"version": "14eb1c96e3a3fd9cd377ac9af3c7a410f8bf1015",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate-ut.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate-ut: Fix kernel panic when loading the driver\n\nAfter loading the amd-pstate-ut driver, amd_pstate_ut_check_perf()\nand amd_pstate_ut_check_freq() use cpufreq_cpu_get() to get the policy\nof the CPU and mark it as busy.\n\nIn these functions, cpufreq_cpu_put() should be used to release the\npolicy, but it is not, so any other entity trying to access the policy\nis blocked indefinitely.\n\nOne such scenario is when amd_pstate mode is changed, leading to the\nfollowing splat:\n\n[ 1332.103727] INFO: task bash:2929 blocked for more than 120 seconds.\n[ 1332.110001] Not tainted 6.5.0-rc2-amd-pstate-ut #5\n[ 1332.115315] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 1332.123140] task:bash state:D stack:0 pid:2929 ppid:2873 flags:0x00004006\n[ 1332.123143] Call Trace:\n[ 1332.123145] \u003cTASK\u003e\n[ 1332.123148] __schedule+0x3c1/0x16a0\n[ 1332.123154] ? _raw_read_lock_irqsave+0x2d/0x70\n[ 1332.123157] schedule+0x6f/0x110\n[ 1332.123160] schedule_timeout+0x14f/0x160\n[ 1332.123162] ? preempt_count_add+0x86/0xd0\n[ 1332.123165] __wait_for_common+0x92/0x190\n[ 1332.123168] ? __pfx_schedule_timeout+0x10/0x10\n[ 1332.123170] wait_for_completion+0x28/0x30\n[ 1332.123173] cpufreq_policy_put_kobj+0x4d/0x90\n[ 1332.123177] cpufreq_policy_free+0x157/0x1d0\n[ 1332.123178] ? preempt_count_add+0x58/0xd0\n[ 1332.123180] cpufreq_remove_dev+0xb6/0x100\n[ 1332.123182] subsys_interface_unregister+0x114/0x120\n[ 1332.123185] ? preempt_count_add+0x58/0xd0\n[ 1332.123187] ? __pfx_amd_pstate_change_driver_mode+0x10/0x10\n[ 1332.123190] cpufreq_unregister_driver+0x3b/0xd0\n[ 1332.123192] amd_pstate_change_driver_mode+0x1e/0x50\n[ 1332.123194] store_status+0xe9/0x180\n[ 1332.123197] dev_attr_store+0x1b/0x30\n[ 1332.123199] sysfs_kf_write+0x42/0x50\n[ 1332.123202] kernfs_fop_write_iter+0x143/0x1d0\n[ 1332.123204] vfs_write+0x2df/0x400\n[ 1332.123208] ksys_write+0x6b/0xf0\n[ 1332.123210] __x64_sys_write+0x1d/0x30\n[ 1332.123213] do_syscall_64+0x60/0x90\n[ 1332.123216] ? fpregs_assert_state_consistent+0x2e/0x50\n[ 1332.123219] ? exit_to_user_mode_prepare+0x49/0x1a0\n[ 1332.123223] ? irqentry_exit_to_user_mode+0xd/0x20\n[ 1332.123225] ? irqentry_exit+0x3f/0x50\n[ 1332.123226] ? exc_page_fault+0x8e/0x190\n[ 1332.123228] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 1332.123232] RIP: 0033:0x7fa74c514a37\n[ 1332.123234] RSP: 002b:00007ffe31dd0788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 1332.123238] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fa74c514a37\n[ 1332.123239] RDX: 0000000000000008 RSI: 000055e27c447aa0 RDI: 0000000000000001\n[ 1332.123241] RBP: 000055e27c447aa0 R08: 00007fa74c5d1460 R09: 000000007fffffff\n[ 1332.123242] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008\n[ 1332.123244] R13: 00007fa74c61a780 R14: 00007fa74c616600 R15: 00007fa74c615a00\n[ 1332.123247] \u003c/TASK\u003e\n\nFix this by calling cpufreq_cpu_put() wherever necessary.\n\n[ rjw: Subject and changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:06.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcf78a17bbb94bebaa912f0460a1848f7d374c94"
},
{
"url": "https://git.kernel.org/stable/c/84857640c67405eed258c461b3ef909002f1e201"
},
{
"url": "https://git.kernel.org/stable/c/0f74f12ee042fd72e45f0e8700e063c84ef3883b"
},
{
"url": "https://git.kernel.org/stable/c/60dd283804479c4a52f995b713f448e2cd65b8c8"
}
],
"title": "cpufreq: amd-pstate-ut: Fix kernel panic when loading the driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53563",
"datePublished": "2025-10-04T15:17:06.340Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:06.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39806 (GCVE-0-2025-39806)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 Version: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 Version: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: d189e24a42b8bd0ece3d28801d751bf66dba8e92 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:32.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d",
"status": "affected",
"version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0",
"versionType": "git"
},
{
"lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338",
"status": "affected",
"version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1",
"versionType": "git"
},
{
"lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b",
"status": "affected",
"version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b",
"versionType": "git"
},
{
"lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4",
"status": "affected",
"version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[ 13.671954] ==================================================================\n[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[ 13.673297]\n[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[ 13.673297] Call Trace:\n[ 13.673297] \u003cTASK\u003e\n[ 13.673297] dump_stack_lvl+0x5f/0x80\n[ 13.673297] print_report+0xd1/0x660\n[ 13.673297] kasan_report+0xe5/0x120\n[ 13.673297] __asan_report_load1_noabort+0x18/0x20\n[ 13.673297] mt_report_fixup+0x103/0x110\n[ 13.673297] hid_open_report+0x1ef/0x810\n[ 13.673297] mt_probe+0x422/0x960\n[ 13.673297] hid_device_probe+0x2e2/0x6f0\n[ 13.673297] really_probe+0x1c6/0x6b0\n[ 13.673297] __driver_probe_device+0x24f/0x310\n[ 13.673297] driver_probe_device+0x4e/0x220\n[ 13.673297] __device_attach_driver+0x169/0x320\n[ 13.673297] bus_for_each_drv+0x11d/0x1b0\n[ 13.673297] __device_attach+0x1b8/0x3e0\n[ 13.673297] device_initial_probe+0x12/0x20\n[ 13.673297] bus_probe_device+0x13d/0x180\n[ 13.673297] device_add+0xe3a/0x1670\n[ 13.673297] hid_add_device+0x31d/0xa40\n[...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:48.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d"
},
{
"url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338"
},
{
"url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b"
},
{
"url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe"
},
{
"url": "https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a"
},
{
"url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4"
}
],
"title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39806",
"datePublished": "2025-09-16T13:00:09.524Z",
"dateReserved": "2025-04-16T07:20:57.136Z",
"dateUpdated": "2025-11-03T17:43:32.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53713 (GCVE-0-2023-53713)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: sme: Use STR P to clear FFR context field in streaming SVE mode
The FFR is a predicate register which can vary between 16 and 256 bits
in size depending upon the configured vector length. When saving the
SVE state in streaming SVE mode, the FFR register is inaccessible and
so commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simply
clears the FFR field of the in-memory context structure. Unfortunately,
it achieves this using an unconditional 8-byte store and so if the SME
vector length is anything other than 64 bytes in size we will either
fail to clear the entire field or, worse, we will corrupt memory
immediately following the structure. This has led to intermittent kfence
splats in CI [1] and can trigger kmalloc Redzone corruption messages
when running the 'fp-stress' kselftest:
| =============================================================================
| BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten
| -----------------------------------------------------------------------------
|
| 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc
| Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531
| __kmalloc+0x8c/0xcc
| do_sme_acc+0x9c/0x220
| ...
Replace the 8-byte store with a store of a predicate register which has
been zero-initialised with PFALSE, ensuring that the entire field is
cleared in memory.
[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/fpsimdmacros.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97669214944e80d3756657c21c4f286f3da6a423",
"status": "affected",
"version": "9f5848665788a0f07bc175cb2cdd06d367b7556e",
"versionType": "git"
},
{
"lessThan": "8769a62faacbbb6cac5e35d9047ce445183d4e9f",
"status": "affected",
"version": "9f5848665788a0f07bc175cb2cdd06d367b7556e",
"versionType": "git"
},
{
"lessThan": "1403a899153a12d93fd510e463fd6d0eafba4336",
"status": "affected",
"version": "9f5848665788a0f07bc175cb2cdd06d367b7556e",
"versionType": "git"
},
{
"lessThan": "893b24181b4c4bf1fa2841b1ed192e5413a97cb1",
"status": "affected",
"version": "9f5848665788a0f07bc175cb2cdd06d367b7556e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/fpsimdmacros.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: sme: Use STR P to clear FFR context field in streaming SVE mode\n\nThe FFR is a predicate register which can vary between 16 and 256 bits\nin size depending upon the configured vector length. When saving the\nSVE state in streaming SVE mode, the FFR register is inaccessible and\nso commit 9f5848665788 (\"arm64/sve: Make access to FFR optional\") simply\nclears the FFR field of the in-memory context structure. Unfortunately,\nit achieves this using an unconditional 8-byte store and so if the SME\nvector length is anything other than 64 bytes in size we will either\nfail to clear the entire field or, worse, we will corrupt memory\nimmediately following the structure. This has led to intermittent kfence\nsplats in CI [1] and can trigger kmalloc Redzone corruption messages\nwhen running the \u0027fp-stress\u0027 kselftest:\n\n | =============================================================================\n | BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten\n | -----------------------------------------------------------------------------\n |\n | 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc\n | Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531\n | __kmalloc+0x8c/0xcc\n | do_sme_acc+0x9c/0x220\n | ...\n\nReplace the 8-byte store with a store of a predicate register which has\nbeen zero-initialised with PFALSE, ensuring that the entire field is\ncleared in memory.\n\n[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:47.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97669214944e80d3756657c21c4f286f3da6a423"
},
{
"url": "https://git.kernel.org/stable/c/8769a62faacbbb6cac5e35d9047ce445183d4e9f"
},
{
"url": "https://git.kernel.org/stable/c/1403a899153a12d93fd510e463fd6d0eafba4336"
},
{
"url": "https://git.kernel.org/stable/c/893b24181b4c4bf1fa2841b1ed192e5413a97cb1"
}
],
"title": "arm64: sme: Use STR P to clear FFR context field in streaming SVE mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53713",
"datePublished": "2025-10-22T13:23:47.720Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:47.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39957 (GCVE-0-2025-39957)
Vulnerability from cvelistv5
Published
2025-10-09 09:47
Modified
2025-10-09 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: increase scan_ies_len for S1G
Currently the S1G capability element is not taken into account
for the scan_ies_len, which leads to a buffer length validation
failure in ieee80211_prep_hw_scan() and subsequent WARN in
__ieee80211_start_scan(). This prevents hw scanning from functioning.
To fix ensure we accommodate for the S1G capability length.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16c9244a62116fe148f6961753b68e7160799f97",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "93e063f15e17acb8cd6ac90c8f0802c2624e1a74",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "32adb020b0c32939da1322dcc87fc0ae2bc935d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dbad5f5549e54ac269cc04ce89f212892a98cab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e2f3213e85eba00acb4cfe6d71647892d63c3a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: increase scan_ies_len for S1G\n\nCurrently the S1G capability element is not taken into account\nfor the scan_ies_len, which leads to a buffer length validation\nfailure in ieee80211_prep_hw_scan() and subsequent WARN in\n__ieee80211_start_scan(). This prevents hw scanning from functioning.\nTo fix ensure we accommodate for the S1G capability length."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T09:47:34.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16c9244a62116fe148f6961753b68e7160799f97"
},
{
"url": "https://git.kernel.org/stable/c/93e063f15e17acb8cd6ac90c8f0802c2624e1a74"
},
{
"url": "https://git.kernel.org/stable/c/32adb020b0c32939da1322dcc87fc0ae2bc935d1"
},
{
"url": "https://git.kernel.org/stable/c/0dbad5f5549e54ac269cc04ce89f212892a98cab"
},
{
"url": "https://git.kernel.org/stable/c/7e2f3213e85eba00acb4cfe6d71647892d63c3a1"
}
],
"title": "wifi: mac80211: increase scan_ies_len for S1G",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39957",
"datePublished": "2025-10-09T09:47:34.933Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T09:47:34.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38713 (GCVE-0-2025-38713)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
The hfsplus_readdir() method is capable to crash by calling
hfsplus_uni2asc():
[ 667.121659][ T9805] ==================================================================
[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
[ 667.124578][ T9805]
[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 667.124890][ T9805] Call Trace:
[ 667.124893][ T9805] <TASK>
[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0
[ 667.124911][ T9805] print_report+0xd0/0x660
[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610
[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180
[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124942][ T9805] kasan_report+0xc6/0x100
[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10
[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360
[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0
[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10
[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0
[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0
[ 667.125022][ T9805] ? lock_acquire+0x30/0x80
[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0
[ 667.125044][ T9805] ? putname+0x154/0x1a0
[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10
[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0
[ 667.125069][ T9805] iterate_dir+0x296/0xb20
[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10
[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200
[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10
[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0
[ 667.125143][ T9805] do_syscall_64+0xc9/0x480
[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 667.125207][ T9805] </TASK>
[ 667.125210][ T9805]
[ 667.145632][ T9805] Allocated by task 9805:
[ 667.145991][ T9805] kasan_save_stack+0x20/0x40
[ 667.146352][ T9805] kasan_save_track+0x14/0x30
[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0
[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550
[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0
[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0
[ 667.148174][ T9805] iterate_dir+0x296/0xb20
[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.148937][ T9805] do_syscall_64+0xc9/0x480
[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.149809][ T9805]
[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048
[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
[ 667.1
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:44.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73f7da507d787b489761a0fa280716f84fa32b2f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76a4c6636a69d69409aa253b049b1be717a539c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ccf0ad56a779e6704c0b27f555dec847f50c7557",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "13604b1d7e7b125fb428cddbec6b8d92baad25d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "291bb5d931c6f3cd7227b913302a17be21cf53b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ca69007e52a73bd8b84b988b61b319816ca8b01",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nThe hfsplus_readdir() method is capable to crash by calling\nhfsplus_uni2asc():\n\n[ 667.121659][ T9805] ==================================================================\n[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10\n[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805\n[ 667.124578][ T9805]\n[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)\n[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 667.124890][ T9805] Call Trace:\n[ 667.124893][ T9805] \u003cTASK\u003e\n[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0\n[ 667.124911][ T9805] print_report+0xd0/0x660\n[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610\n[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180\n[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10\n[ 667.124942][ T9805] kasan_report+0xc6/0x100\n[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10\n[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10\n[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360\n[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0\n[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10\n[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0\n[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20\n[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0\n[ 667.125022][ T9805] ? lock_acquire+0x30/0x80\n[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20\n[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0\n[ 667.125044][ T9805] ? putname+0x154/0x1a0\n[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10\n[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0\n[ 667.125069][ T9805] iterate_dir+0x296/0xb20\n[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0\n[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10\n[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200\n[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10\n[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0\n[ 667.125143][ T9805] do_syscall_64+0xc9/0x480\n[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9\n[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48\n[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9\n[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9\n[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004\n[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110\n[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260\n[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 667.125207][ T9805] \u003c/TASK\u003e\n[ 667.125210][ T9805]\n[ 667.145632][ T9805] Allocated by task 9805:\n[ 667.145991][ T9805] kasan_save_stack+0x20/0x40\n[ 667.146352][ T9805] kasan_save_track+0x14/0x30\n[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0\n[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550\n[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0\n[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0\n[ 667.148174][ T9805] iterate_dir+0x296/0xb20\n[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0\n[ 667.148937][ T9805] do_syscall_64+0xc9/0x480\n[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 667.149809][ T9805]\n[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000\n[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048\n[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of\n[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)\n[ 667.1\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:35.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73f7da507d787b489761a0fa280716f84fa32b2f"
},
{
"url": "https://git.kernel.org/stable/c/76a4c6636a69d69409aa253b049b1be717a539c5"
},
{
"url": "https://git.kernel.org/stable/c/ccf0ad56a779e6704c0b27f555dec847f50c7557"
},
{
"url": "https://git.kernel.org/stable/c/13604b1d7e7b125fb428cddbec6b8d92baad25d5"
},
{
"url": "https://git.kernel.org/stable/c/291bb5d931c6f3cd7227b913302a17be21cf53b0"
},
{
"url": "https://git.kernel.org/stable/c/f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee"
},
{
"url": "https://git.kernel.org/stable/c/6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9"
},
{
"url": "https://git.kernel.org/stable/c/1ca69007e52a73bd8b84b988b61b319816ca8b01"
},
{
"url": "https://git.kernel.org/stable/c/94458781aee6045bd3d0ad4b80b02886b9e2219b"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38713",
"datePublished": "2025-09-04T15:33:03.464Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:44.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53356 (GCVE-0-2023-53356)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: u_serial: Add null pointer check in gserial_suspend
Consider a case where gserial_disconnect has already cleared
gser->ioport. And if gserial_suspend gets called afterwards,
it will lead to accessing of gser->ioport and thus causing
null pointer dereference.
Avoid this by adding a null pointer check. Added a static
spinlock to prevent gser->ioport from becoming null after
the newly added null pointer check.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2788a3553f7497075653210b42e2aeb6ba95e28e",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "a8ea7ed644cbf6314b5b0136b5398754b549fb8f",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "e60a827ac074ce6bd58305fe5a86afab5fce6a04",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "374447e3367767156405bedd230c5d391f4b7962",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
},
{
"lessThan": "2f6ecb89fe8feb2b60a53325b0eeb9866d88909a",
"status": "affected",
"version": "aba3a8d01d623a5efef48ab8e78752d58d4c90c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Add null pointer check in gserial_suspend\n\nConsider a case where gserial_disconnect has already cleared\ngser-\u003eioport. And if gserial_suspend gets called afterwards,\nit will lead to accessing of gser-\u003eioport and thus causing\nnull pointer dereference.\n\nAvoid this by adding a null pointer check. Added a static\nspinlock to prevent gser-\u003eioport from becoming null after\nthe newly added null pointer check."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:46.113Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2788a3553f7497075653210b42e2aeb6ba95e28e"
},
{
"url": "https://git.kernel.org/stable/c/a8ea7ed644cbf6314b5b0136b5398754b549fb8f"
},
{
"url": "https://git.kernel.org/stable/c/e60a827ac074ce6bd58305fe5a86afab5fce6a04"
},
{
"url": "https://git.kernel.org/stable/c/374447e3367767156405bedd230c5d391f4b7962"
},
{
"url": "https://git.kernel.org/stable/c/2f6ecb89fe8feb2b60a53325b0eeb9866d88909a"
}
],
"title": "usb: gadget: u_serial: Add null pointer check in gserial_suspend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53356",
"datePublished": "2025-09-17T14:56:46.113Z",
"dateReserved": "2025-09-16T16:08:59.567Z",
"dateUpdated": "2025-09-17T14:56:46.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39970 (GCVE-0-2025-39970)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix input validation logic for action_meta
Fix condition to check 'greater or equal' to prevent OOB dereference.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88c1b2746eccf00e2094b187945f0f1e990b400",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "28465770ca3b694286ff9ed6dfd558413f57d98f",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "f8c8e11825b24661596fa8db2f0981ba17ed0817",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "461e0917eedcd159d87f3ea846754a1e07d7e78a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3883e9702b6a4945e93b16c070f338a9f5b496f9",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "560e1683410585fbd5df847f43433c4296f0d222",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "9739d5830497812b0bdeaee356ddefbe60830b88",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix input validation logic for action_meta\n\nFix condition to check \u0027greater or equal\u0027 to prevent OOB dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:53.610Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88c1b2746eccf00e2094b187945f0f1e990b400"
},
{
"url": "https://git.kernel.org/stable/c/28465770ca3b694286ff9ed6dfd558413f57d98f"
},
{
"url": "https://git.kernel.org/stable/c/f8c8e11825b24661596fa8db2f0981ba17ed0817"
},
{
"url": "https://git.kernel.org/stable/c/461e0917eedcd159d87f3ea846754a1e07d7e78a"
},
{
"url": "https://git.kernel.org/stable/c/3883e9702b6a4945e93b16c070f338a9f5b496f9"
},
{
"url": "https://git.kernel.org/stable/c/3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b"
},
{
"url": "https://git.kernel.org/stable/c/560e1683410585fbd5df847f43433c4296f0d222"
},
{
"url": "https://git.kernel.org/stable/c/9739d5830497812b0bdeaee356ddefbe60830b88"
}
],
"title": "i40e: fix input validation logic for action_meta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39970",
"datePublished": "2025-10-15T07:55:53.610Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:53.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50494 (GCVE-0-2022-50494)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
When CPU 0 is offline and intel_powerclamp is used to inject
idle, it generates kernel BUG:
BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
caller is debug_smp_processor_id+0x17/0x20
CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
check_preemption_disabled+0xdd/0xe0
debug_smp_processor_id+0x17/0x20
powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
...
...
Here CPU 0 is the control CPU by default and changed to the current CPU,
if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
hence the above warning.
Use get_cpu() instead of smp_processor_id() to avoid this BUG.
[ rjw: Subject edits ]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e799e815097febbcb81b472285be824f5d089f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f91f66c568b316b19cb042cf50584467b3bdff4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6904727db0eb62fb0c2dce1cf331c341d97ee4b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5a646c38f648185ee2c62f2a19da3c6f04e27612",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "513943bf879d45005213e6f5cfb7d9e9943f589f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5614908434451aafbf9b24cb5247cf1d21269f76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e2a347b304224b2aeb1c0ea000d1cf8a02cc592",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "418fae0700e85a498062424f8656435c32cdb200",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "68b99e94a4a2db6ba9b31fe0485e057b9354a640",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash\n\nWhen CPU 0 is offline and intel_powerclamp is used to inject\nidle, it generates kernel BUG:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: bash/15687\ncaller is debug_smp_processor_id+0x17/0x20\nCPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\ncheck_preemption_disabled+0xdd/0xe0\ndebug_smp_processor_id+0x17/0x20\npowerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]\n...\n...\n\nHere CPU 0 is the control CPU by default and changed to the current CPU,\nif CPU 0 offlined. This check has to be performed under cpus_read_lock(),\nhence the above warning.\n\nUse get_cpu() instead of smp_processor_id() to avoid this BUG.\n\n[ rjw: Subject edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:46.562Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e799e815097febbcb81b472285be824f5d089f9"
},
{
"url": "https://git.kernel.org/stable/c/0f91f66c568b316b19cb042cf50584467b3bdff4"
},
{
"url": "https://git.kernel.org/stable/c/6904727db0eb62fb0c2dce1cf331c341d97ee4b7"
},
{
"url": "https://git.kernel.org/stable/c/5a646c38f648185ee2c62f2a19da3c6f04e27612"
},
{
"url": "https://git.kernel.org/stable/c/513943bf879d45005213e6f5cfb7d9e9943f589f"
},
{
"url": "https://git.kernel.org/stable/c/5614908434451aafbf9b24cb5247cf1d21269f76"
},
{
"url": "https://git.kernel.org/stable/c/6e2a347b304224b2aeb1c0ea000d1cf8a02cc592"
},
{
"url": "https://git.kernel.org/stable/c/418fae0700e85a498062424f8656435c32cdb200"
},
{
"url": "https://git.kernel.org/stable/c/68b99e94a4a2db6ba9b31fe0485e057b9354a640"
}
],
"title": "thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50494",
"datePublished": "2025-10-04T15:43:46.562Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:46.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40032 (GCVE-0-2025-40032)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be
NULL even after EPF initialization. Then it is prudent to check that
they have non-NULL values before releasing the channels. Add the checks
in pci_epf_test_clean_dma_chan().
Without the checks, NULL pointer dereferences happen and they can lead
to a kernel panic in some cases:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Call trace:
dma_release_channel+0x2c/0x120 (P)
pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]
pci_epc_deinit_notify+0x74/0xc0
tegra_pcie_ep_pex_rst_irq+0x250/0x5d8
irq_thread_fn+0x34/0xb8
irq_thread+0x18c/0x2e8
kthread+0x14c/0x210
ret_from_fork+0x10/0x20
[mani: trimmed the stack trace]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6411f840a9b5c47c00ca8e004733de232553870d",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "fb54ffd60064c4e5139a3eb216e877b1acae1c8b",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "85afa9ea122dd9d4a2ead104a951d318975dcd25",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release\n\nThe fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be\nNULL even after EPF initialization. Then it is prudent to check that\nthey have non-NULL values before releasing the channels. Add the checks\nin pci_epf_test_clean_dma_chan().\n\nWithout the checks, NULL pointer dereferences happen and they can lead\nto a kernel panic in some cases:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Call trace:\n dma_release_channel+0x2c/0x120 (P)\n pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]\n pci_epc_deinit_notify+0x74/0xc0\n tegra_pcie_ep_pex_rst_irq+0x250/0x5d8\n irq_thread_fn+0x34/0xb8\n irq_thread+0x18c/0x2e8\n kthread+0x14c/0x210\n ret_from_fork+0x10/0x20\n\n[mani: trimmed the stack trace]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:14.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6411f840a9b5c47c00ca8e004733de232553870d"
},
{
"url": "https://git.kernel.org/stable/c/0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b"
},
{
"url": "https://git.kernel.org/stable/c/fb54ffd60064c4e5139a3eb216e877b1acae1c8b"
},
{
"url": "https://git.kernel.org/stable/c/57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba"
},
{
"url": "https://git.kernel.org/stable/c/85afa9ea122dd9d4a2ead104a951d318975dcd25"
}
],
"title": "PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40032",
"datePublished": "2025-10-28T11:48:14.876Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-10-28T11:48:14.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53679 (GCVE-0-2023-53679)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt7601u: fix an integer underflow
Fix an integer underflow that leads to a null pointer dereference in
'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
could be manipulated, which could trigger an integer underflow of
'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
bypassed, eventually leading to a dereference of the pointer 'p', which
is a null pointer.
Ensure that 'dma_len' is greater than 'min_seg_len'.
Found by a modified version of syzkaller.
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+
#139
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
mt7601u_rx_tasklet+0xc73/0x1270
? mt7601u_submit_rx_buf.isra.0+0x510/0x510
? tasklet_action_common.isra.0+0x79/0x2f0
tasklet_action_common.isra.0+0x206/0x2f0
__do_softirq+0x1b5/0x880
? tasklet_unlock+0x30/0x30
run_ksoftirqd+0x26/0x50
smpboot_thread_fn+0x34f/0x7d0
? smpboot_register_percpu_thread+0x370/0x370
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 57f34f93b4da0f9b ]---
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt7601u/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67e4519afba215199b6dfa39ce5d7ea673ee4138",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47dc1f425af57b71111d7b01ebd24e04e8d967ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a1f43059afae5cc9409e0c3bc63bfc09bc8facb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61d0163e2be7a439cf6f82e9ad7de563ecf41e7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d0db59e2f718d1e2f1d2a2d8092168fdd2f3add0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "803f3176c5df3b5582c27ea690f204abb60b19b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt7601u/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt7601u: fix an integer underflow\n\nFix an integer underflow that leads to a null pointer dereference in\n\u0027mt7601u_rx_skb_from_seg()\u0027. The variable \u0027dma_len\u0027 in the URB packet\ncould be manipulated, which could trigger an integer underflow of\n\u0027seg_len\u0027 in \u0027mt7601u_rx_process_seg()\u0027. This underflow subsequently\ncauses the \u0027bad_frame\u0027 checks in \u0027mt7601u_rx_skb_from_seg()\u0027 to be\nbypassed, eventually leading to a dereference of the pointer \u0027p\u0027, which\nis a null pointer.\n\nEnsure that \u0027dma_len\u0027 is greater than \u0027min_seg_len\u0027.\n\nFound by a modified version of syzkaller.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+\n#139\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n mt7601u_rx_tasklet+0xc73/0x1270\n ? mt7601u_submit_rx_buf.isra.0+0x510/0x510\n ? tasklet_action_common.isra.0+0x79/0x2f0\n tasklet_action_common.isra.0+0x206/0x2f0\n __do_softirq+0x1b5/0x880\n ? tasklet_unlock+0x30/0x30\n run_ksoftirqd+0x26/0x50\n smpboot_thread_fn+0x34f/0x7d0\n ? smpboot_register_percpu_thread+0x370/0x370\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\nModules linked in: 88XXau(O) 88x2bu(O)\n---[ end trace 57f34f93b4da0f9b ]---\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:33.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67e4519afba215199b6dfa39ce5d7ea673ee4138"
},
{
"url": "https://git.kernel.org/stable/c/47dc1f425af57b71111d7b01ebd24e04e8d967ef"
},
{
"url": "https://git.kernel.org/stable/c/1a1f43059afae5cc9409e0c3bc63bfc09bc8facb"
},
{
"url": "https://git.kernel.org/stable/c/61d0163e2be7a439cf6f82e9ad7de563ecf41e7a"
},
{
"url": "https://git.kernel.org/stable/c/d0db59e2f718d1e2f1d2a2d8092168fdd2f3add0"
},
{
"url": "https://git.kernel.org/stable/c/803f3176c5df3b5582c27ea690f204abb60b19b9"
}
],
"title": "wifi: mt7601u: fix an integer underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53679",
"datePublished": "2025-10-07T15:21:33.926Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:33.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21702 (GCVE-0-2025-21702)
Vulnerability from cvelistv5
Published
2025-02-18 14:37
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Expected behaviour:
In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
packet in scheduler's queue and decrease scheduler's qlen by one.
Then, pfifo_tail_enqueue() enqueue new packet and increase
scheduler's qlen by one. Finally, pfifo_tail_enqueue() return
`NET_XMIT_CN` status code.
Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
scheduler that has no packet, the 'drop a packet' step will do nothing.
This means the scheduler's qlen still has value equal 0.
Then, we continue to enqueue new packet and increase scheduler's qlen by
one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
one and return `NET_XMIT_CN` status code.
The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
- Qdisc_A's type must have '->graft()' function to create parent/child relationship.
Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.
- Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.
- Qdisc_B is configured to have `sch->limit == 0`.
- Qdisc_A is configured to route the enqueued's packet to Qdisc_B.
Enqueue packet through Qdisc_A will lead to:
- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
- Qdisc_B->q.qlen += 1
- pfifo_tail_enqueue() return `NET_XMIT_CN`
- hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.
The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem.
This violate the design where parent's qlen should equal to the sum of its childrens'qlen.
Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee Version: 57dbb2d83d100ea601c54fe129bfde0678db5dee |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:50.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fifo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78285b53266d6d51fa4ff504a23df03852eba84e",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "7a9723ec27aff5674f1fd4934608937f1d650980",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "a56a6e8589a9b98d8171611fbcc1e45a15fd2455",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "020ecb76812a0526f4130ab5aeb6dc7c773e7ab9",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "79a955ea4a2e5ddf4a36328959de0de496419888",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "e40cb34b7f247fe2e366fd192700d1b4f38196ca",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "b6a079c3b6f95378f26e2aeda520cb3176f7067b",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
},
{
"lessThan": "647cef20e649c576dff271e018d5d15d998b629d",
"status": "affected",
"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_fifo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0\n\nExpected behaviour:\nIn case we reach scheduler\u0027s limit, pfifo_tail_enqueue() will drop a\npacket in scheduler\u0027s queue and decrease scheduler\u0027s qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler\u0027s qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch-\u003elimit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the \u0027drop a packet\u0027 step will do nothing.\nThis means the scheduler\u0027s qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler\u0027s qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet\u0027s say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A\u0027s type must have \u0027-\u003egraft()\u0027 function to create parent/child relationship.\n Let\u0027s say Qdisc_A\u0027s type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B\u0027s type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch-\u003elimit == 0`.\n - Qdisc_A is configured to route the enqueued\u0027s packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -\u003e pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B-\u003eq.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` =\u003e hfsc_enqueue() don\u0027t increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A-\u003eq.qlen == 0 and Qdisc_B-\u003eq.qlen == 1.\nReplace \u0027hfsc\u0027 with other type (for example: \u0027drr\u0027) still lead to the same problem.\nThis violate the design where parent\u0027s qlen should equal to the sum of its childrens\u0027qlen.\n\nBug impact: This issue can be used for user-\u003ekernel privilege escalation when it is reachable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:19.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"
},
{
"url": "https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"
},
{
"url": "https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"
},
{
"url": "https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"
},
{
"url": "https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"
},
{
"url": "https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"
},
{
"url": "https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"
},
{
"url": "https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"
}
],
"title": "pfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21702",
"datePublished": "2025-02-18T14:37:43.429Z",
"dateReserved": "2024-12-29T08:45:45.748Z",
"dateUpdated": "2025-11-03T19:35:50.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40104 (GCVE-0-2025-40104)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-10-30 09:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbevf: fix mailbox API compatibility by negotiating supported features
There was backward compatibility in the terms of mailbox API. Various
drivers from various OSes supporting 10G adapters from Intel portfolio
could easily negotiate mailbox API.
This convention has been broken since introducing API 1.4.
Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support
for IPSec which is specific only for the kernel ixgbe driver. None of the
rest of the Intel 10G PF/VF drivers supports it. And actually lack of
support was not included in the IPSec implementation - there were no such
code paths. No possibility to negotiate support for the feature was
introduced along with introduction of the feature itself.
Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication
between PF and VF") increasing API version to 1.5 did the same - it
introduced code supported specifically by the PF ESX driver. It altered API
version for the VF driver in the same time not touching the version
defined for the PF ixgbe driver. It led to additional discrepancies,
as the code provided within API 1.6 cannot be supported for Linux ixgbe
driver as it causes crashes.
The issue was noticed some time ago and mitigated by Jake within the commit
d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5").
As a result we have regression for IPsec support and after increasing API
to version 1.6 ixgbevf driver stopped to support ESX MBX.
To fix this mess add new mailbox op asking PF driver about supported
features. Basing on a response determine whether to set support for IPSec
and ESX-specific enhanced mailbox.
New mailbox op, for compatibility purposes, must be added within new API
revision, as API version of OOT PF & VF drivers is already increased to
1.6 and doesn't incorporate features negotiate op.
Features negotiation mechanism gives possibility to be extended with new
features when needed in the future.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbevf/ipsec.c",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf.h",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c",
"drivers/net/ethernet/intel/ixgbevf/mbx.h",
"drivers/net/ethernet/intel/ixgbevf/vf.c",
"drivers/net/ethernet/intel/ixgbevf/vf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "871ac1cd4ce4804defcb428cbb003fd84c415ff4",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "bf580112ed61736c2645a893413a04732505d4b1",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "a376e29b1b196dc90b50df7e5e3947e3026300c4",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
},
{
"lessThan": "a7075f501bd33c93570af759b6f4302ef0175168",
"status": "affected",
"version": "0062e7cc955e0827a88570ed36ea511a7dcb391e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbevf/ipsec.c",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf.h",
"drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c",
"drivers/net/ethernet/intel/ixgbevf/mbx.h",
"drivers/net/ethernet/intel/ixgbevf/vf.c",
"drivers/net/ethernet/intel/ixgbevf/vf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: fix mailbox API compatibility by negotiating supported features\n\nThere was backward compatibility in the terms of mailbox API. Various\ndrivers from various OSes supporting 10G adapters from Intel portfolio\ncould easily negotiate mailbox API.\n\nThis convention has been broken since introducing API 1.4.\nCommit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support\nfor IPSec which is specific only for the kernel ixgbe driver. None of the\nrest of the Intel 10G PF/VF drivers supports it. And actually lack of\nsupport was not included in the IPSec implementation - there were no such\ncode paths. No possibility to negotiate support for the feature was\nintroduced along with introduction of the feature itself.\n\nCommit 339f28964147 (\"ixgbevf: Add support for new mailbox communication\nbetween PF and VF\") increasing API version to 1.5 did the same - it\nintroduced code supported specifically by the PF ESX driver. It altered API\nversion for the VF driver in the same time not touching the version\ndefined for the PF ixgbe driver. It led to additional discrepancies,\nas the code provided within API 1.6 cannot be supported for Linux ixgbe\ndriver as it causes crashes.\n\nThe issue was noticed some time ago and mitigated by Jake within the commit\nd0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\").\nAs a result we have regression for IPsec support and after increasing API\nto version 1.6 ixgbevf driver stopped to support ESX MBX.\n\nTo fix this mess add new mailbox op asking PF driver about supported\nfeatures. Basing on a response determine whether to set support for IPSec\nand ESX-specific enhanced mailbox.\n\nNew mailbox op, for compatibility purposes, must be added within new API\nrevision, as API version of OOT PF \u0026 VF drivers is already increased to\n1.6 and doesn\u0027t incorporate features negotiate op.\n\nFeatures negotiation mechanism gives possibility to be extended with new\nfeatures when needed in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:48:09.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/871ac1cd4ce4804defcb428cbb003fd84c415ff4"
},
{
"url": "https://git.kernel.org/stable/c/2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18"
},
{
"url": "https://git.kernel.org/stable/c/bf580112ed61736c2645a893413a04732505d4b1"
},
{
"url": "https://git.kernel.org/stable/c/a376e29b1b196dc90b50df7e5e3947e3026300c4"
},
{
"url": "https://git.kernel.org/stable/c/a7075f501bd33c93570af759b6f4302ef0175168"
}
],
"title": "ixgbevf: fix mailbox API compatibility by negotiating supported features",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40104",
"datePublished": "2025-10-30T09:48:09.051Z",
"dateReserved": "2025-04-16T07:20:57.165Z",
"dateUpdated": "2025-10-30T09:48:09.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53668 (GCVE-0-2023-53668)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix deadloop issue on reading trace_pipe
Soft lockup occurs when reading file 'trace_pipe':
watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]
[...]
RIP: 0010:ring_buffer_empty_cpu+0xed/0x170
RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb
RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218
RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f
R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901
R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000
[...]
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__find_next_entry+0x1a8/0x4b0
? peek_next_entry+0x250/0x250
? down_write+0xa5/0x120
? down_write_killable+0x130/0x130
trace_find_next_entry_inc+0x3b/0x1d0
tracing_read_pipe+0x423/0xae0
? tracing_splice_read_pipe+0xcb0/0xcb0
vfs_read+0x16b/0x490
ksys_read+0x105/0x210
? __ia32_sys_pwrite64+0x200/0x200
? switch_fpu_return+0x108/0x220
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x61/0xc6
Through the vmcore, I found it's because in tracing_read_pipe(),
ring_buffer_empty_cpu() found some buffer is not empty but then it
cannot read anything due to "rb_num_of_entries() == 0" always true,
Then it infinitely loop the procedure due to user buffer not been
filled, see following code path:
tracing_read_pipe() {
... ...
waitagain:
tracing_wait_pipe() // 1. find non-empty buffer here
trace_find_next_entry_inc() // 2. loop here try to find an entry
__find_next_entry()
ring_buffer_empty_cpu(); // 3. find non-empty buffer
peek_next_entry() // 4. but peek always return NULL
ring_buffer_peek()
rb_buffer_peek()
rb_get_reader_page()
// 5. because rb_num_of_entries() == 0 always true here
// then return NULL
// 6. user buffer not been filled so goto 'waitgain'
// and eventually leads to an deadloop in kernel!!!
}
By some analyzing, I found that when resetting ringbuffer, the 'entries'
of its pages are not all cleared (see rb_reset_cpu()). Then when reducing
the ringbuffer, and if some reduced pages exist dirty 'entries' data, they
will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which
cause wrong 'overrun' count and eventually cause the deadloop issue.
To fix it, we need to clear every pages in rb_reset_cpu().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a Version: a5fb833172eca69136e9ee1ada778e404086ab8a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a29dae5786d263016a9aceb1e56bf3fd4cc6fa0",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "a55e8a3596048c2f7b574049aeb1885b5abba1cc",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "e84829522fc72bb43556b31575731de0440ac0dd",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "5e68f1f3a20fe9b6bde018e353269fbfa289609c",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "bb14a93bccc92766b1d9302c6bcbea17d4bce306",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "8b0b63fdac6b70a45614e7d4b30e5bbb93deb007",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "27bdd93e44cc28dd9b94893fae146b83d4f5b31e",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
},
{
"lessThan": "7e42907f3a7b4ce3a2d1757f6d78336984daf8f5",
"status": "affected",
"version": "a5fb833172eca69136e9ee1ada778e404086ab8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix deadloop issue on reading trace_pipe\n\nSoft lockup occurs when reading file \u0027trace_pipe\u0027:\n\n watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]\n [...]\n RIP: 0010:ring_buffer_empty_cpu+0xed/0x170\n RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb\n RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218\n RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f\n R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901\n R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000\n [...]\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n __find_next_entry+0x1a8/0x4b0\n ? peek_next_entry+0x250/0x250\n ? down_write+0xa5/0x120\n ? down_write_killable+0x130/0x130\n trace_find_next_entry_inc+0x3b/0x1d0\n tracing_read_pipe+0x423/0xae0\n ? tracing_splice_read_pipe+0xcb0/0xcb0\n vfs_read+0x16b/0x490\n ksys_read+0x105/0x210\n ? __ia32_sys_pwrite64+0x200/0x200\n ? switch_fpu_return+0x108/0x220\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThrough the vmcore, I found it\u0027s because in tracing_read_pipe(),\nring_buffer_empty_cpu() found some buffer is not empty but then it\ncannot read anything due to \"rb_num_of_entries() == 0\" always true,\nThen it infinitely loop the procedure due to user buffer not been\nfilled, see following code path:\n\n tracing_read_pipe() {\n ... ...\n waitagain:\n tracing_wait_pipe() // 1. find non-empty buffer here\n trace_find_next_entry_inc() // 2. loop here try to find an entry\n __find_next_entry()\n ring_buffer_empty_cpu(); // 3. find non-empty buffer\n peek_next_entry() // 4. but peek always return NULL\n ring_buffer_peek()\n rb_buffer_peek()\n rb_get_reader_page()\n // 5. because rb_num_of_entries() == 0 always true here\n // then return NULL\n // 6. user buffer not been filled so goto \u0027waitgain\u0027\n // and eventually leads to an deadloop in kernel!!!\n }\n\nBy some analyzing, I found that when resetting ringbuffer, the \u0027entries\u0027\nof its pages are not all cleared (see rb_reset_cpu()). Then when reducing\nthe ringbuffer, and if some reduced pages exist dirty \u0027entries\u0027 data, they\nwill be added into \u0027cpu_buffer-\u003eoverrun\u0027 (see rb_remove_pages()), which\ncause wrong \u0027overrun\u0027 count and eventually cause the deadloop issue.\n\nTo fix it, we need to clear every pages in rb_reset_cpu()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:26.164Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a29dae5786d263016a9aceb1e56bf3fd4cc6fa0"
},
{
"url": "https://git.kernel.org/stable/c/a55e8a3596048c2f7b574049aeb1885b5abba1cc"
},
{
"url": "https://git.kernel.org/stable/c/e84829522fc72bb43556b31575731de0440ac0dd"
},
{
"url": "https://git.kernel.org/stable/c/5e68f1f3a20fe9b6bde018e353269fbfa289609c"
},
{
"url": "https://git.kernel.org/stable/c/bb14a93bccc92766b1d9302c6bcbea17d4bce306"
},
{
"url": "https://git.kernel.org/stable/c/8b0b63fdac6b70a45614e7d4b30e5bbb93deb007"
},
{
"url": "https://git.kernel.org/stable/c/27bdd93e44cc28dd9b94893fae146b83d4f5b31e"
},
{
"url": "https://git.kernel.org/stable/c/7e42907f3a7b4ce3a2d1757f6d78336984daf8f5"
}
],
"title": "ring-buffer: Fix deadloop issue on reading trace_pipe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53668",
"datePublished": "2025-10-07T15:21:26.164Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:26.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39759 (GCVE-0-2025-39759)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix race between quota disable and quota rescan ioctl
There's a race between a task disabling quotas and another running the
rescan ioctl that can result in a use-after-free of qgroup records from
the fs_info->qgroup_tree rbtree.
This happens as follows:
1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();
2) Task B enters btrfs_quota_disable() and calls
btrfs_qgroup_wait_for_completion(), which does nothing because at that
point fs_info->qgroup_rescan_running is false (it wasn't set yet by
task A);
3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups
from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;
4) Task A enters qgroup_rescan_zero_tracking() which starts iterating
the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,
but task B is freeing qgroup records from that tree without holding
the lock, resulting in a use-after-free.
Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().
Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas
were already disabled.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:07.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cda0fdde5d9890976861421d207870500f9aace",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b172535ccba12f0cf7d23b3b840989de47fc104d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd0b28d877b293b1d7f8727a7de08ae36b6b9ef0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c38028ce0d0045ca600b6a8345a0ff92bfb47b66",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fd0f5ceb997f90f4332ccbab6c7e907e6b2d0eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1249667750399a48cafcf5945761d39fa584edf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\n\nThere\u0027s a race between a task disabling quotas and another running the\nrescan ioctl that can result in a use-after-free of qgroup records from\nthe fs_info-\u003eqgroup_tree rbtree.\n\nThis happens as follows:\n\n1) Task A enters btrfs_ioctl_quota_rescan() -\u003e btrfs_qgroup_rescan();\n\n2) Task B enters btrfs_quota_disable() and calls\n btrfs_qgroup_wait_for_completion(), which does nothing because at that\n point fs_info-\u003eqgroup_rescan_running is false (it wasn\u0027t set yet by\n task A);\n\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\n from fs_info-\u003eqgroup_tree without taking the lock fs_info-\u003eqgroup_lock;\n\n4) Task A enters qgroup_rescan_zero_tracking() which starts iterating\n the fs_info-\u003eqgroup_tree tree while holding fs_info-\u003eqgroup_lock,\n but task B is freeing qgroup records from that tree without holding\n the lock, resulting in a use-after-free.\n\nFix this by taking fs_info-\u003eqgroup_lock at btrfs_free_qgroup_config().\nAlso at btrfs_qgroup_rescan() don\u0027t start the rescan worker if quotas\nwere already disabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:50.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace"
},
{
"url": "https://git.kernel.org/stable/c/b172535ccba12f0cf7d23b3b840989de47fc104d"
},
{
"url": "https://git.kernel.org/stable/c/dd0b28d877b293b1d7f8727a7de08ae36b6b9ef0"
},
{
"url": "https://git.kernel.org/stable/c/c38028ce0d0045ca600b6a8345a0ff92bfb47b66"
},
{
"url": "https://git.kernel.org/stable/c/2fd0f5ceb997f90f4332ccbab6c7e907e6b2d0eb"
},
{
"url": "https://git.kernel.org/stable/c/e1249667750399a48cafcf5945761d39fa584edf"
}
],
"title": "btrfs: qgroup: fix race between quota disable and quota rescan ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39759",
"datePublished": "2025-09-11T16:52:28.314Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2025-11-03T17:43:07.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53698 (GCVE-0-2023-53698)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: fix refcount underflow in error path
Fix a refcount underflow problem reported by syzbot that can happen
when a system is running out of memory. If xp_alloc_tx_descs() fails,
and it can only fail due to not having enough memory, then the error
path is triggered. In this error path, the refcount of the pool is
decremented as it has incremented before. However, the reference to
the pool in the socket was not nulled. This means that when the socket
is closed later, the socket teardown logic will think that there is a
pool attached to the socket and try to decrease the refcount again,
leading to a refcount underflow.
I chose this fix as it involved adding just a single line. Another
option would have been to move xp_get_pool() and the assignment of
xs->pool to after the if-statement and using xs_umem->pool instead of
xs->pool in the whole if-statement resulting in somewhat simpler code,
but this would have led to much more churn in the code base perhaps
making it harder to backport.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "789fcd94c9cac133dd4d96e193188661aca9f6c3",
"status": "affected",
"version": "f7019562f142bc041f9cde63af338d1886585923",
"versionType": "git"
},
{
"lessThan": "15b453cf7348973217558235b9ece2ee5fea6777",
"status": "affected",
"version": "ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e",
"versionType": "git"
},
{
"lessThan": "3e7722c31d4167eb7f3ffd35aba52cab69b79072",
"status": "affected",
"version": "ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e",
"versionType": "git"
},
{
"lessThan": "85c2c79a07302fe68a1ad5cc449458cc559e314d",
"status": "affected",
"version": "ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e",
"versionType": "git"
},
{
"status": "affected",
"version": "9f0c8a9d4ef1b9ebee0e4ac2495fe790727044aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix refcount underflow in error path\n\nFix a refcount underflow problem reported by syzbot that can happen\nwhen a system is running out of memory. If xp_alloc_tx_descs() fails,\nand it can only fail due to not having enough memory, then the error\npath is triggered. In this error path, the refcount of the pool is\ndecremented as it has incremented before. However, the reference to\nthe pool in the socket was not nulled. This means that when the socket\nis closed later, the socket teardown logic will think that there is a\npool attached to the socket and try to decrease the refcount again,\nleading to a refcount underflow.\n\nI chose this fix as it involved adding just a single line. Another\noption would have been to move xp_get_pool() and the assignment of\nxs-\u003epool to after the if-statement and using xs_umem-\u003epool instead of\nxs-\u003epool in the whole if-statement resulting in somewhat simpler code,\nbut this would have led to much more churn in the code base perhaps\nmaking it harder to backport."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:38.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/789fcd94c9cac133dd4d96e193188661aca9f6c3"
},
{
"url": "https://git.kernel.org/stable/c/15b453cf7348973217558235b9ece2ee5fea6777"
},
{
"url": "https://git.kernel.org/stable/c/3e7722c31d4167eb7f3ffd35aba52cab69b79072"
},
{
"url": "https://git.kernel.org/stable/c/85c2c79a07302fe68a1ad5cc449458cc559e314d"
}
],
"title": "xsk: fix refcount underflow in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53698",
"datePublished": "2025-10-22T13:23:38.384Z",
"dateReserved": "2025-10-22T13:21:37.345Z",
"dateUpdated": "2025-10-22T13:23:38.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50487 (GCVE-0-2022-50487)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-10T15:34:42.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50487",
"datePublished": "2025-10-04T15:16:44.462Z",
"dateRejected": "2025-10-10T15:34:42.519Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-10T15:34:42.519Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53174 (GCVE-0-2023-53174)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix possible memory leak if device_add() fails
If device_add() returns error, the name allocated by dev_set_name() needs
be freed. As the comment of device_add() says, put_device() should be used
to decrease the reference count in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanp().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 Version: ee959b00c335d7780136c5abda37809191fe52c3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/raid_class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63956ad27a6882f01fea7c69e17823090f4c7b3f",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "06c5340858011aa1195aec43a776e3185fbf7f56",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "e12fac07f61caac9c5b186d827658b3470787619",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "aa9a76d5ffdecd3b52ac333eb89361b0c9fe04e8",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "6bc7f4c8c27d526f968788b8a985896755b1df35",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "b191ff1f075c4875f11271cbf0093e6e044a12aa",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "43c0e16d0c5ec59398b405f4c4aa5a076e656c3f",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
},
{
"lessThan": "04b5b5cb0136ce970333a9c6cec7e46adba1ea3a",
"status": "affected",
"version": "ee959b00c335d7780136c5abda37809191fe52c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/raid_class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix possible memory leak if device_add() fails\n\nIf device_add() returns error, the name allocated by dev_set_name() needs\nbe freed. As the comment of device_add() says, put_device() should be used\nto decrease the reference count in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:08.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63956ad27a6882f01fea7c69e17823090f4c7b3f"
},
{
"url": "https://git.kernel.org/stable/c/06c5340858011aa1195aec43a776e3185fbf7f56"
},
{
"url": "https://git.kernel.org/stable/c/e12fac07f61caac9c5b186d827658b3470787619"
},
{
"url": "https://git.kernel.org/stable/c/aa9a76d5ffdecd3b52ac333eb89361b0c9fe04e8"
},
{
"url": "https://git.kernel.org/stable/c/6bc7f4c8c27d526f968788b8a985896755b1df35"
},
{
"url": "https://git.kernel.org/stable/c/b191ff1f075c4875f11271cbf0093e6e044a12aa"
},
{
"url": "https://git.kernel.org/stable/c/43c0e16d0c5ec59398b405f4c4aa5a076e656c3f"
},
{
"url": "https://git.kernel.org/stable/c/04b5b5cb0136ce970333a9c6cec7e46adba1ea3a"
}
],
"title": "scsi: core: Fix possible memory leak if device_add() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53174",
"datePublished": "2025-09-15T14:04:08.357Z",
"dateReserved": "2025-09-15T13:59:19.064Z",
"dateUpdated": "2025-09-15T14:04:08.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53648 (GCVE-0-2023-53648)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
smatch error:
sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
we previously assumed 'rac97' could be null (see line 2072)
remove redundant assignment, return error if rac97 is NULL.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 Version: da3cec35dd3c31d8706db4bf379372ce70d92118 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ac97/ac97_codec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "809af7bb4219bdeef0dbb8b2ed700d6516d13fe9",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "e4cccff1e7ab6ea30995b6fbbb007d02647e025c",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "5f13d67027fa782096e6aee0db5dce61c4aeb613",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "f923a582217b198b557756809ffe42ac0fad6adb",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "300e26e3e64880de5013eac8831cf44387ef752c",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "d28b83252e150155b8b8c65b612c555e93c8b45f",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "09baf460dfba79ee6a0c72e68ccdbbba84d894df",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "228da1fa124470606ac19783e551f9d51a1e01b0",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
},
{
"lessThan": "79597c8bf64ca99eab385115743131d260339da5",
"status": "affected",
"version": "da3cec35dd3c31d8706db4bf379372ce70d92118",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ac97/ac97_codec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer\n\nsmatch error:\nsound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:\nwe previously assumed \u0027rac97\u0027 could be null (see line 2072)\n\nremove redundant assignment, return error if rac97 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:45.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/809af7bb4219bdeef0dbb8b2ed700d6516d13fe9"
},
{
"url": "https://git.kernel.org/stable/c/e4cccff1e7ab6ea30995b6fbbb007d02647e025c"
},
{
"url": "https://git.kernel.org/stable/c/5f13d67027fa782096e6aee0db5dce61c4aeb613"
},
{
"url": "https://git.kernel.org/stable/c/f923a582217b198b557756809ffe42ac0fad6adb"
},
{
"url": "https://git.kernel.org/stable/c/300e26e3e64880de5013eac8831cf44387ef752c"
},
{
"url": "https://git.kernel.org/stable/c/d28b83252e150155b8b8c65b612c555e93c8b45f"
},
{
"url": "https://git.kernel.org/stable/c/09baf460dfba79ee6a0c72e68ccdbbba84d894df"
},
{
"url": "https://git.kernel.org/stable/c/228da1fa124470606ac19783e551f9d51a1e01b0"
},
{
"url": "https://git.kernel.org/stable/c/79597c8bf64ca99eab385115743131d260339da5"
}
],
"title": "ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53648",
"datePublished": "2025-10-07T15:19:45.780Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:45.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50582 (GCVE-0-2022-50582)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Prevent integer underflow
By using a ratio of delay to poll_enabled_time that is not integer
time_remaining underflows and does not exit the loop as expected.
As delay could be derived from DT and poll_enabled_time is defined
in the driver this can easily happen.
Use a signed iterator to make sure that the loop exits once
the remaining time is negative.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b051d9bf98bd9cea312b228e264eb6542a9beb67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e33da263e9658bfe870ea7836fbbd72f246d7dbd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f2395316e4845466cb9b5b9b15a171a2c91913c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bfe602d9a349360e60e9051c9cafb9fef204524d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d8e16592022c9650df8aedfe6552ed478d7135b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Prevent integer underflow\n\nBy using a ratio of delay to poll_enabled_time that is not integer\ntime_remaining underflows and does not exit the loop as expected.\nAs delay could be derived from DT and poll_enabled_time is defined\nin the driver this can easily happen.\n\nUse a signed iterator to make sure that the loop exits once\nthe remaining time is negative."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:34.037Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b051d9bf98bd9cea312b228e264eb6542a9beb67"
},
{
"url": "https://git.kernel.org/stable/c/e33da263e9658bfe870ea7836fbbd72f246d7dbd"
},
{
"url": "https://git.kernel.org/stable/c/9f2395316e4845466cb9b5b9b15a171a2c91913c"
},
{
"url": "https://git.kernel.org/stable/c/bfe602d9a349360e60e9051c9cafb9fef204524d"
},
{
"url": "https://git.kernel.org/stable/c/8d8e16592022c9650df8aedfe6552ed478d7135b"
}
],
"title": "regulator: core: Prevent integer underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50582",
"datePublished": "2025-10-22T13:23:34.037Z",
"dateReserved": "2025-10-22T13:20:23.762Z",
"dateUpdated": "2025-10-22T13:23:34.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53603 (GCVE-0-2023-53603)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Avoid fcport pointer dereference
Klocwork reported warning of NULL pointer may be dereferenced. The routine
exits when sa_ctl is NULL and fcport is allocated after the exit call thus
causing NULL fcport pointer to dereference at the time of exit.
To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7b2fbfa4b2cd3a24c1760b85d842e928070d4744 Version: e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09 Version: e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09 Version: e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09 Version: 47b583ad1f7e459689eb1bdd222279a6986ccd69 Version: d2deafaef0330a863b5e046c1154b605588d19f7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_edif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4406fe8a96a946c7ea5724ee59625755a1d9c59d",
"status": "affected",
"version": "7b2fbfa4b2cd3a24c1760b85d842e928070d4744",
"versionType": "git"
},
{
"lessThan": "477bc74ad1add644b606bff6ba1284943c42818a",
"status": "affected",
"version": "e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09",
"versionType": "git"
},
{
"lessThan": "7bbeff613ec0560fb2f6f8b405288f3f043adf64",
"status": "affected",
"version": "e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09",
"versionType": "git"
},
{
"lessThan": "6b504d06976fe4a61cc05dedc68b84fadb397f77",
"status": "affected",
"version": "e0fb8ce2bb9e52c846e54ad2c58b5b7beb13eb09",
"versionType": "git"
},
{
"status": "affected",
"version": "47b583ad1f7e459689eb1bdd222279a6986ccd69",
"versionType": "git"
},
{
"status": "affected",
"version": "d2deafaef0330a863b5e046c1154b605588d19f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_edif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Avoid fcport pointer dereference\n\nKlocwork reported warning of NULL pointer may be dereferenced. The routine\nexits when sa_ctl is NULL and fcport is allocated after the exit call thus\ncausing NULL fcport pointer to dereference at the time of exit.\n\nTo avoid fcport pointer dereference, exit the routine when sa_ctl is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:33.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4406fe8a96a946c7ea5724ee59625755a1d9c59d"
},
{
"url": "https://git.kernel.org/stable/c/477bc74ad1add644b606bff6ba1284943c42818a"
},
{
"url": "https://git.kernel.org/stable/c/7bbeff613ec0560fb2f6f8b405288f3f043adf64"
},
{
"url": "https://git.kernel.org/stable/c/6b504d06976fe4a61cc05dedc68b84fadb397f77"
}
],
"title": "scsi: qla2xxx: Avoid fcport pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53603",
"datePublished": "2025-10-04T15:44:13.820Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-29T10:50:33.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50551 (GCVE-0-2022-50551)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
? lock_chain_count+0x20/0x20
brcmf_fw_alloc_request.cold+0x19/0x3ea
? brcmf_fw_get_firmwares+0x250/0x250
? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
brcmf_usb_get_fwname+0x114/0x1a0
? brcmf_usb_reset_resume+0x120/0x120
? number+0x6c4/0x9a0
brcmf_c_process_clm_blob+0x168/0x590
? put_dec+0x90/0x90
? enable_ptr_key_workfn+0x20/0x20
? brcmf_common_pd_remove+0x50/0x50
? rcu_read_lock_sched_held+0xa1/0xd0
brcmf_c_preinit_dcmds+0x673/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1cc/0x260
? mark_held_locks+0x9f/0xe0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? _raw_spin_unlock_irqrestore+0x47/0x50
? trace_hardirqs_on+0x1c/0x120
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1476/0x1d50
? kmemdup+0x30/0x40
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
? usb_match_id.part.0+0x88/0xc0
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __mutex_unlock_slowpath+0xe7/0x660
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_set_configuration+0x984/0x1770
? kernfs_create_link+0x175/0x230
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_new_device.cold+0x463/0xf66
? hub_disconnect+0x400/0x400
? _raw_spin_unlock_irq+0x24/0x30
hub_event+0x10d5/0x3330
? hub_port_debounce+0x280/0x280
? __lock_acquire+0x1671/0x5790
? wq_calc_node_cpumask+0x170/0x2a0
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? pr
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1db036d13e10809943c2dce553e2fa7fc9c6cd80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bc45aa1911bf699b9905f12414e3c1879d6b784f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c8fc44c44b97854623c56363c359f711fc0b887",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d2f70fa2c7cc6c73a420ff15682454782d3d6f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b06a8a25eba07628313aa3c5496522eff97be53",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "87792567d9ed93fd336d2c3b8d7870f44e141e6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b12d2aa264bac35bff9b5399bb162262b2b8949",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "579c9b9838e8a73f6e93ddece07972c241514dcc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffb589963df103caaf062081a32db0b9e1798660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "81d17f6f3331f03c8eafdacea68ab773426c1e3c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()\n\nThis patch fixes a shift-out-of-bounds in brcmfmac that occurs in\nBIT(chiprev) when a \u0027chiprev\u0027 provided by the device is too large.\nIt should also not be equal to or greater than BITS_PER_TYPE(u32)\nas we do bitwise AND with a u32 variable and BIT(chiprev). The patch\nadds a check that makes the function return NULL if that is the case.\nNote that the NULL case is later handled by the bus-specific caller,\nbrcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.\n\nFound by a modified version of syzkaller.\n\nUBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c\nshift exponent 151055786 is too large for 64-bit type \u0027long unsigned int\u0027\nCPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb\n ? lock_chain_count+0x20/0x20\n brcmf_fw_alloc_request.cold+0x19/0x3ea\n ? brcmf_fw_get_firmwares+0x250/0x250\n ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0\n brcmf_usb_get_fwname+0x114/0x1a0\n ? brcmf_usb_reset_resume+0x120/0x120\n ? number+0x6c4/0x9a0\n brcmf_c_process_clm_blob+0x168/0x590\n ? put_dec+0x90/0x90\n ? enable_ptr_key_workfn+0x20/0x20\n ? brcmf_common_pd_remove+0x50/0x50\n ? rcu_read_lock_sched_held+0xa1/0xd0\n brcmf_c_preinit_dcmds+0x673/0xc40\n ? brcmf_c_set_joinpref_default+0x100/0x100\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lock_acquire+0x19d/0x4e0\n ? find_held_lock+0x2d/0x110\n ? brcmf_usb_deq+0x1cc/0x260\n ? mark_held_locks+0x9f/0xe0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n ? trace_hardirqs_on+0x1c/0x120\n ? brcmf_usb_deq+0x1a7/0x260\n ? brcmf_usb_rx_fill_all+0x5a/0xf0\n brcmf_attach+0x246/0xd40\n ? wiphy_new_nm+0x1476/0x1d50\n ? kmemdup+0x30/0x40\n brcmf_usb_probe+0x12de/0x1690\n ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n ? usb_match_id.part.0+0x88/0xc0\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __mutex_unlock_slowpath+0xe7/0x660\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_set_configuration+0x984/0x1770\n ? kernfs_create_link+0x175/0x230\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_new_device.cold+0x463/0xf66\n ? hub_disconnect+0x400/0x400\n ? _raw_spin_unlock_irq+0x24/0x30\n hub_event+0x10d5/0x3330\n ? hub_port_debounce+0x280/0x280\n ? __lock_acquire+0x1671/0x5790\n ? wq_calc_node_cpumask+0x170/0x2a0\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x873/0x13e0\n ? lock_release+0x640/0x640\n ? pwq_dec_nr_in_flight+0x320/0x320\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x8b/0xd10\n ? __kthread_parkme+0xd9/0x1d0\n ? pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:13.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1db036d13e10809943c2dce553e2fa7fc9c6cd80"
},
{
"url": "https://git.kernel.org/stable/c/bc45aa1911bf699b9905f12414e3c1879d6b784f"
},
{
"url": "https://git.kernel.org/stable/c/4c8fc44c44b97854623c56363c359f711fc0b887"
},
{
"url": "https://git.kernel.org/stable/c/9d2f70fa2c7cc6c73a420ff15682454782d3d6f6"
},
{
"url": "https://git.kernel.org/stable/c/5b06a8a25eba07628313aa3c5496522eff97be53"
},
{
"url": "https://git.kernel.org/stable/c/87792567d9ed93fd336d2c3b8d7870f44e141e6d"
},
{
"url": "https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949"
},
{
"url": "https://git.kernel.org/stable/c/579c9b9838e8a73f6e93ddece07972c241514dcc"
},
{
"url": "https://git.kernel.org/stable/c/ffb589963df103caaf062081a32db0b9e1798660"
},
{
"url": "https://git.kernel.org/stable/c/81d17f6f3331f03c8eafdacea68ab773426c1e3c"
}
],
"title": "wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50551",
"datePublished": "2025-10-07T15:21:13.391Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2025-10-07T15:21:13.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53722 (GCVE-0-2023-53722)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: raid1: fix potential OOB in raid1_remove_disk()
If rddev->raid_disk is greater than mddev->raid_disks, there will be
an out-of-bounds in raid1_remove_disk(). We have already found
similar reports as follows:
1) commit d17f744e883b ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
Fix this bug by checking whether the "number" variable is
valid.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "beedf40f73939f248c81802eda08a2a8148ea13e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91fbd4e75cb573f44d2619a9dc2f9ba927040760",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25a68f2286be56fb3a6f9fa0e269c04b5e6c6e24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7993cfc041481a3a9cd4a3858088fc846b8ccaf7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f96c0665f9f4cf70130c9757750dc43dc679c82",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f7d853b4590fc20e90dd50e346c02811a8c5b08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bdb92eaf645e312975357adc3c4e9523b6e67f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b0472b50bcf0f19a5119b00a53b63579c8e1e4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: raid1: fix potential OOB in raid1_remove_disk()\n\nIf rddev-\u003eraid_disk is greater than mddev-\u003eraid_disks, there will be\nan out-of-bounds in raid1_remove_disk(). We have already found\nsimilar reports as follows:\n\n1) commit d17f744e883b (\"md-raid10: fix KASAN warning\")\n2) commit 1ebc2cec0b7d (\"dm raid: fix KASAN warning in raid5_remove_disk\")\n\nFix this bug by checking whether the \"number\" variable is\nvalid."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:53.329Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/beedf40f73939f248c81802eda08a2a8148ea13e"
},
{
"url": "https://git.kernel.org/stable/c/91fbd4e75cb573f44d2619a9dc2f9ba927040760"
},
{
"url": "https://git.kernel.org/stable/c/25a68f2286be56fb3a6f9fa0e269c04b5e6c6e24"
},
{
"url": "https://git.kernel.org/stable/c/7993cfc041481a3a9cd4a3858088fc846b8ccaf7"
},
{
"url": "https://git.kernel.org/stable/c/4f96c0665f9f4cf70130c9757750dc43dc679c82"
},
{
"url": "https://git.kernel.org/stable/c/4f7d853b4590fc20e90dd50e346c02811a8c5b08"
},
{
"url": "https://git.kernel.org/stable/c/4bdb92eaf645e312975357adc3c4e9523b6e67f1"
},
{
"url": "https://git.kernel.org/stable/c/8b0472b50bcf0f19a5119b00a53b63579c8e1e4d"
}
],
"title": "md: raid1: fix potential OOB in raid1_remove_disk()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53722",
"datePublished": "2025-10-22T13:23:53.329Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:53.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50423 (GCVE-0-2022-50423)
Vulnerability from cvelistv5
Published
2025-10-01 11:41
Modified
2025-10-01 11:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
There is an use-after-free reported by KASAN:
BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
Read of size 1 at addr ffff888112afc460 by task modprobe/2111
CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
Call Trace:
<TASK>
kasan_report+0xae/0xe0
acpi_ut_remove_reference+0x3b/0x82
acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
acpi_ds_store_object_to_local+0x15d/0x3a0
acpi_ex_store+0x78d/0x7fd
acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
acpi_ps_parse_aml+0x217/0x8d5
...
</TASK>
The root cause of the problem is that the acpi_operand_object
is freed when acpi_ut_walk_package_tree() fails in
acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in
acpi_ut_copy_iobject_to_iobject(). The problem was introduced
by "8aa5e56eeb61" commit, this commit is to fix memory leak in
acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
operation, lead to "acpi_operand_object" used after free.
Fix it by removing acpi_ut_remove_reference() in
acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
is called to copy an internal package object into another internal
package object, when it fails, the memory of acpi_operand_object
should be freed by the caller.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce Version: b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8 Version: 7af5504c102a378376101dbd160246b10a814dd0 Version: e29a15484d7ea949e49ae7fb7e576a575da824a6 Version: e2ab6731a36966d042a2d4dabd980496cd680f75 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/utcopy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "133462d35dae95edb944af86b986d4c9dec59bd1",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "02f237423c9c6a18e062de2d474f85d5659e4eb9",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "c9125b643fc51b8e662f2f614096ceb45a0adbc3",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "dfdde4d5138bc023897033a5ac653a84e94805be",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "02617006b5a46f2ea55ac61f5693c7afd7bf9276",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "6fde666278f91b85d71545a0ebbf41d8d7af8074",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "01f2c2052ea50fb9a8ce12e4e83aed0267934ef0",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"lessThan": "470188b09e92d83c5a997f25f0e8fb8cd2bc3469",
"status": "affected",
"version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
"versionType": "git"
},
{
"status": "affected",
"version": "b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8",
"versionType": "git"
},
{
"status": "affected",
"version": "7af5504c102a378376101dbd160246b10a814dd0",
"versionType": "git"
},
{
"status": "affected",
"version": "e29a15484d7ea949e49ae7fb7e576a575da824a6",
"versionType": "git"
},
{
"status": "affected",
"version": "e2ab6731a36966d042a2d4dabd980496cd680f75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/utcopy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()\n\nThere is an use-after-free reported by KASAN:\n\n BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82\n Read of size 1 at addr ffff888112afc460 by task modprobe/2111\n CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n Call Trace:\n \u003cTASK\u003e\n kasan_report+0xae/0xe0\n acpi_ut_remove_reference+0x3b/0x82\n acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5\n acpi_ds_store_object_to_local+0x15d/0x3a0\n acpi_ex_store+0x78d/0x7fd\n acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b\n acpi_ps_parse_aml+0x217/0x8d5\n ...\n \u003c/TASK\u003e\n\nThe root cause of the problem is that the acpi_operand_object\nis freed when acpi_ut_walk_package_tree() fails in\nacpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in\nacpi_ut_copy_iobject_to_iobject(). The problem was introduced\nby \"8aa5e56eeb61\" commit, this commit is to fix memory leak in\nacpi_ut_copy_iobject_to_iobject(), repeatedly adding remove\noperation, lead to \"acpi_operand_object\" used after free.\n\nFix it by removing acpi_ut_remove_reference() in\nacpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()\nis called to copy an internal package object into another internal\npackage object, when it fails, the memory of acpi_operand_object\nshould be freed by the caller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:41:56.083Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/133462d35dae95edb944af86b986d4c9dec59bd1"
},
{
"url": "https://git.kernel.org/stable/c/02f237423c9c6a18e062de2d474f85d5659e4eb9"
},
{
"url": "https://git.kernel.org/stable/c/c9125b643fc51b8e662f2f614096ceb45a0adbc3"
},
{
"url": "https://git.kernel.org/stable/c/dfdde4d5138bc023897033a5ac653a84e94805be"
},
{
"url": "https://git.kernel.org/stable/c/02617006b5a46f2ea55ac61f5693c7afd7bf9276"
},
{
"url": "https://git.kernel.org/stable/c/6fde666278f91b85d71545a0ebbf41d8d7af8074"
},
{
"url": "https://git.kernel.org/stable/c/f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6"
},
{
"url": "https://git.kernel.org/stable/c/01f2c2052ea50fb9a8ce12e4e83aed0267934ef0"
},
{
"url": "https://git.kernel.org/stable/c/470188b09e92d83c5a997f25f0e8fb8cd2bc3469"
}
],
"title": "ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50423",
"datePublished": "2025-10-01T11:41:56.083Z",
"dateReserved": "2025-09-17T14:53:07.004Z",
"dateUpdated": "2025-10-01T11:41:56.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53367 (GCVE-0-2023-53367)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-19 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/habanalabs: fix mem leak in capture user mappings
This commit fixes a memory leak caused when clearing the user_mappings
info when a new context is opened immediately after user_mapping is
captured and a hard reset is performed.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/common/habanalabs_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "973e0890e5264cb075ef668661cad06b67777121",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
},
{
"lessThan": "314a7ffd7c196b27eedd50cb7553029e17789b55",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/common/habanalabs_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: fix mem leak in capture user mappings\n\nThis commit fixes a memory leak caused when clearing the user_mappings\ninfo when a new context is opened immediately after user_mapping is\ncaptured and a hard reset is performed."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T15:21:37.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/973e0890e5264cb075ef668661cad06b67777121"
},
{
"url": "https://git.kernel.org/stable/c/314a7ffd7c196b27eedd50cb7553029e17789b55"
}
],
"title": "accel/habanalabs: fix mem leak in capture user mappings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53367",
"datePublished": "2025-09-17T14:56:55.471Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-19T15:21:37.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53441 (GCVE-0-2023-53441)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: cpumap: Fix memory leak in cpu_map_update_elem
Syzkaller reported a memory leak as follows:
BUG: memory leak
unreferenced object 0xff110001198ef748 (size 192):
comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
hex dump (first 32 bytes):
00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J...........
00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(.......
backtrace:
[<ffffffffadd28087>] __cpu_map_entry_alloc+0xf7/0xb00
[<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
[<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
[<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
[<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
[<ffffffffb029cc80>] do_syscall_64+0x30/0x40
[<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
BUG: memory leak
unreferenced object 0xff110001198ef528 (size 192):
comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffadd281f0>] __cpu_map_entry_alloc+0x260/0xb00
[<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
[<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
[<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
[<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
[<ffffffffb029cc80>] do_syscall_64+0x30/0x40
[<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
BUG: memory leak
unreferenced object 0xff1100010fd93d68 (size 8):
comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
hex dump (first 8 bytes):
00 00 00 00 00 00 00 00 ........
backtrace:
[<ffffffffade5db3e>] kvmalloc_node+0x11e/0x170
[<ffffffffadd28280>] __cpu_map_entry_alloc+0x2f0/0xb00
[<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
[<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
[<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
[<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
[<ffffffffb029cc80>] do_syscall_64+0x30/0x40
[<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
In the cpu_map_update_elem flow, when kthread_stop is called before
calling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit
of kthread has been set by kthread_stop, the threadfn of rcpu->kthread
will never be executed, and rcpu->refcnt will never be 0, which will
lead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be
released.
Calling kthread_stop before executing kthread's threadfn will return
-EINTR. We can complete the release of memory resources in this state.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d26299f50f5ea8f0aeb5d49e659c31f64233c816",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "b11a9b4f28cb6ff69ef7e69809e5f7fffeac9030",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "a957ac8e0b5ffb5797382a6adbafd005a5f72851",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
},
{
"lessThan": "4369016497319a9635702da010d02af1ebb1849d",
"status": "affected",
"version": "6710e1126934d8b4372b4d2f9ae1646cd3f151bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: cpumap: Fix memory leak in cpu_map_update_elem\n\nSyzkaller reported a memory leak as follows:\n\nBUG: memory leak\nunreferenced object 0xff110001198ef748 (size 192):\n comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n hex dump (first 32 bytes):\n 00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J...........\n 00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(.......\n backtrace:\n [\u003cffffffffadd28087\u003e] __cpu_map_entry_alloc+0xf7/0xb00\n [\u003cffffffffadd28d8e\u003e] cpu_map_update_elem+0x2fe/0x3d0\n [\u003cffffffffadc6d0fd\u003e] bpf_map_update_value.isra.0+0x2bd/0x520\n [\u003cffffffffadc7349b\u003e] map_update_elem+0x4cb/0x720\n [\u003cffffffffadc7d983\u003e] __se_sys_bpf+0x8c3/0xb90\n [\u003cffffffffb029cc80\u003e] do_syscall_64+0x30/0x40\n [\u003cffffffffb0400099\u003e] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nBUG: memory leak\nunreferenced object 0xff110001198ef528 (size 192):\n comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffffadd281f0\u003e] __cpu_map_entry_alloc+0x260/0xb00\n [\u003cffffffffadd28d8e\u003e] cpu_map_update_elem+0x2fe/0x3d0\n [\u003cffffffffadc6d0fd\u003e] bpf_map_update_value.isra.0+0x2bd/0x520\n [\u003cffffffffadc7349b\u003e] map_update_elem+0x4cb/0x720\n [\u003cffffffffadc7d983\u003e] __se_sys_bpf+0x8c3/0xb90\n [\u003cffffffffb029cc80\u003e] do_syscall_64+0x30/0x40\n [\u003cffffffffb0400099\u003e] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nBUG: memory leak\nunreferenced object 0xff1100010fd93d68 (size 8):\n comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n hex dump (first 8 bytes):\n 00 00 00 00 00 00 00 00 ........\n backtrace:\n [\u003cffffffffade5db3e\u003e] kvmalloc_node+0x11e/0x170\n [\u003cffffffffadd28280\u003e] __cpu_map_entry_alloc+0x2f0/0xb00\n [\u003cffffffffadd28d8e\u003e] cpu_map_update_elem+0x2fe/0x3d0\n [\u003cffffffffadc6d0fd\u003e] bpf_map_update_value.isra.0+0x2bd/0x520\n [\u003cffffffffadc7349b\u003e] map_update_elem+0x4cb/0x720\n [\u003cffffffffadc7d983\u003e] __se_sys_bpf+0x8c3/0xb90\n [\u003cffffffffb029cc80\u003e] do_syscall_64+0x30/0x40\n [\u003cffffffffb0400099\u003e] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nIn the cpu_map_update_elem flow, when kthread_stop is called before\ncalling the threadfn of rcpu-\u003ekthread, since the KTHREAD_SHOULD_STOP bit\nof kthread has been set by kthread_stop, the threadfn of rcpu-\u003ekthread\nwill never be executed, and rcpu-\u003erefcnt will never be 0, which will\nlead to the allocated rcpu, rcpu-\u003equeue and rcpu-\u003equeue-\u003equeue cannot be\nreleased.\n\nCalling kthread_stop before executing kthread\u0027s threadfn will return\n-EINTR. We can complete the release of memory resources in this state."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:18.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d26299f50f5ea8f0aeb5d49e659c31f64233c816"
},
{
"url": "https://git.kernel.org/stable/c/b11a9b4f28cb6ff69ef7e69809e5f7fffeac9030"
},
{
"url": "https://git.kernel.org/stable/c/a957ac8e0b5ffb5797382a6adbafd005a5f72851"
},
{
"url": "https://git.kernel.org/stable/c/4369016497319a9635702da010d02af1ebb1849d"
}
],
"title": "bpf: cpumap: Fix memory leak in cpu_map_update_elem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53441",
"datePublished": "2025-09-18T16:04:18.519Z",
"dateReserved": "2025-09-17T14:54:09.752Z",
"dateUpdated": "2025-09-18T16:04:18.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50498 (GCVE-0-2022-50498)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
eth: alx: take rtnl_lock on resume
Zbynek reports that alx trips an rtnl assertion on resume:
RTNL: assertion failed at net/core/dev.c (2891)
RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0
Call Trace:
<TASK>
__alx_open+0x230/0x570 [alx]
alx_resume+0x54/0x80 [alx]
? pci_legacy_resume+0x80/0x80
dpm_run_callback+0x4a/0x150
device_resume+0x8b/0x190
async_resume+0x19/0x30
async_run_entry_fn+0x30/0x130
process_one_work+0x1e5/0x3b0
indeed the driver does not hold rtnl_lock during its internal close
and re-open functions during suspend/resume. Note that this is not
a huge bug as the driver implements its own locking, and does not
implement changing the number of queues, but we need to silence
the splat.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/atheros/alx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f1991a940b90753b34570f093a21dba366e8cc0",
"status": "affected",
"version": "4a5fe57e775188be96359a1934501be45fe5f705",
"versionType": "git"
},
{
"lessThan": "a845a0c4bdece2c0073ecea2fca7c4d5f0550f78",
"status": "affected",
"version": "4a5fe57e775188be96359a1934501be45fe5f705",
"versionType": "git"
},
{
"lessThan": "c0323c0fd07804d5874699e93f935cda0d989c67",
"status": "affected",
"version": "4a5fe57e775188be96359a1934501be45fe5f705",
"versionType": "git"
},
{
"lessThan": "6ad1c94e1e7e374d88f0cfd77936dddb8339aaba",
"status": "affected",
"version": "4a5fe57e775188be96359a1934501be45fe5f705",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/atheros/alx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: alx: take rtnl_lock on resume\n\nZbynek reports that alx trips an rtnl assertion on resume:\n\n RTNL: assertion failed at net/core/dev.c (2891)\n RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0\n Call Trace:\n \u003cTASK\u003e\n __alx_open+0x230/0x570 [alx]\n alx_resume+0x54/0x80 [alx]\n ? pci_legacy_resume+0x80/0x80\n dpm_run_callback+0x4a/0x150\n device_resume+0x8b/0x190\n async_resume+0x19/0x30\n async_run_entry_fn+0x30/0x130\n process_one_work+0x1e5/0x3b0\n\nindeed the driver does not hold rtnl_lock during its internal close\nand re-open functions during suspend/resume. Note that this is not\na huge bug as the driver implements its own locking, and does not\nimplement changing the number of queues, but we need to silence\nthe splat."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:49.383Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f1991a940b90753b34570f093a21dba366e8cc0"
},
{
"url": "https://git.kernel.org/stable/c/a845a0c4bdece2c0073ecea2fca7c4d5f0550f78"
},
{
"url": "https://git.kernel.org/stable/c/c0323c0fd07804d5874699e93f935cda0d989c67"
},
{
"url": "https://git.kernel.org/stable/c/6ad1c94e1e7e374d88f0cfd77936dddb8339aaba"
}
],
"title": "eth: alx: take rtnl_lock on resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50498",
"datePublished": "2025-10-04T15:43:49.383Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:49.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50549 (GCVE-0-2022-50549)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
Following concurrent processes:
P1(drop cache) P2(kworker)
drop_caches_sysctl_handler
drop_slab
shrink_slab
down_read(&shrinker_rwsem) - LOCK A
do_shrink_slab
super_cache_scan
prune_icache_sb
dispose_list
evict
ext4_evict_inode
ext4_clear_inode
ext4_discard_preallocations
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_read_bh_nowait
submit_bh
dm_submit_bio
do_worker
process_deferred_bios
commit
metadata_operation_failed
dm_pool_abort_metadata
down_write(&pmd->root_lock) - LOCK B
__destroy_persistent_data_objects
dm_block_manager_destroy
dm_bufio_client_destroy
unregister_shrinker
down_write(&shrinker_rwsem)
thin_map |
dm_thin_find_block ↓
down_read(&pmd->root_lock) --> ABBA deadlock
, which triggers hung task:
[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.
[ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2
[ 76.978534] Workqueue: dm-thin do_worker
[ 76.978552] Call Trace:
[ 76.978564] __schedule+0x6ba/0x10f0
[ 76.978582] schedule+0x9d/0x1e0
[ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0
[ 76.978600] down_write+0xec/0x110
[ 76.978607] unregister_shrinker+0x2c/0xf0
[ 76.978616] dm_bufio_client_destroy+0x116/0x3d0
[ 76.978625] dm_block_manager_destroy+0x19/0x40
[ 76.978629] __destroy_persistent_data_objects+0x5e/0x70
[ 76.978636] dm_pool_abort_metadata+0x8e/0x100
[ 76.978643] metadata_operation_failed+0x86/0x110
[ 76.978649] commit+0x6a/0x230
[ 76.978655] do_worker+0xc6e/0xd90
[ 76.978702] process_one_work+0x269/0x630
[ 76.978714] worker_thread+0x266/0x630
[ 76.978730] kthread+0x151/0x1b0
[ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.
[ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459
[ 76.982128] Call Trace:
[ 76.982139] __schedule+0x6ba/0x10f0
[ 76.982155] schedule+0x9d/0x1e0
[ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910
[ 76.982173] down_read+0x84/0x170
[ 76.982177] dm_thin_find_block+0x4c/0xd0
[ 76.982183] thin_map+0x201/0x3d0
[ 76.982188] __map_bio+0x5b/0x350
[ 76.982195] dm_submit_bio+0x2b6/0x930
[ 76.982202] __submit_bio+0x123/0x2d0
[ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0
[ 76.982222] submit_bio_noacct+0x389/0x770
[ 76.982227] submit_bio+0x50/0xc0
[ 76.982232] submit_bh_wbc+0x15e/0x230
[ 76.982238] submit_bh+0x14/0x20
[ 76.982241] ext4_read_bh_nowait+0xc5/0x130
[ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60
[ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0
[ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0
[ 76.982263] ext4_discard_preallocations+0x45d/0x830
[ 76.982274] ext4_clear_inode+0x48/0xf0
[ 76.982280] ext4_evict_inode+0xcf/0xc70
[ 76.982285] evict+0x119/0x2b0
[ 76.982290] dispose_list+0x43/0xa0
[ 76.982294] prune_icache_sb+0x64/0x90
[ 76.982298] super_cache_scan+0x155/0x210
[ 76.982303] do_shrink_slab+0x19e/0x4e0
[ 76.982310] shrink_slab+0x2bd/0x450
[ 76.982317] drop_slab+0xcc/0x1a0
[ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0
[ 76.982327] proc_sys_call_handler+0x1bc/0x300
[ 76.982331] proc_sys_write+0x17/0x20
[ 76.982334] vfs_write+0x3d3/0x570
[ 76.982342] ksys_write+0x73/0x160
[ 76.982347] __x64_sys_write+0x1e/0x30
[ 76.982352] do_syscall_64+0x35/0x80
[ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Funct
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e49e582965b3694f07a106adc83ddb44aa4f0890 Version: e49e582965b3694f07a106adc83ddb44aa4f0890 Version: e49e582965b3694f07a106adc83ddb44aa4f0890 Version: e49e582965b3694f07a106adc83ddb44aa4f0890 Version: e49e582965b3694f07a106adc83ddb44aa4f0890 Version: e49e582965b3694f07a106adc83ddb44aa4f0890 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "200aa33b5d781e7c0fa6c0c7db9dbcc3f574ce8f",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "7e37578069737b04955c71dd85db8a3bc2709eff",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "f8c26c33fef588ee54852cffa7cbb9f9d9869405",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "2d891cc5a1706b6908bceb56af7176a463ee6d62",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "cdf7a39bcc427febbfe3c3b9fe829825ead96c27",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
},
{
"lessThan": "8111964f1b8524c4bb56b02cd9c7a37725ea21fd",
"status": "affected",
"version": "e49e582965b3694f07a106adc83ddb44aa4f0890",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata\n\nFollowing concurrent processes:\n\n P1(drop cache) P2(kworker)\ndrop_caches_sysctl_handler\n drop_slab\n shrink_slab\n down_read(\u0026shrinker_rwsem) - LOCK A\n do_shrink_slab\n super_cache_scan\n prune_icache_sb\n dispose_list\n evict\n ext4_evict_inode\n\t ext4_clear_inode\n\t ext4_discard_preallocations\n\t ext4_mb_load_buddy_gfp\n\t ext4_mb_init_cache\n\t ext4_read_block_bitmap_nowait\n\t ext4_read_bh_nowait\n\t submit_bh\n\t dm_submit_bio\n\t\t do_worker\n\t\t\t\t process_deferred_bios\n\t\t\t\t commit\n\t\t\t\t metadata_operation_failed\n\t\t\t\t dm_pool_abort_metadata\n\t\t\t\t down_write(\u0026pmd-\u003eroot_lock) - LOCK B\n\t\t __destroy_persistent_data_objects\n\t\t\t\t dm_block_manager_destroy\n\t\t\t\t dm_bufio_client_destroy\n\t\t\t\t unregister_shrinker\n\t\t\t\t\t down_write(\u0026shrinker_rwsem)\n\t\t thin_map |\n\t\t dm_thin_find_block \u2193\n\t\t down_read(\u0026pmd-\u003eroot_lock) --\u003e ABBA deadlock\n\n, which triggers hung task:\n\n[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.\n[ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2\n[ 76.978534] Workqueue: dm-thin do_worker\n[ 76.978552] Call Trace:\n[ 76.978564] __schedule+0x6ba/0x10f0\n[ 76.978582] schedule+0x9d/0x1e0\n[ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0\n[ 76.978600] down_write+0xec/0x110\n[ 76.978607] unregister_shrinker+0x2c/0xf0\n[ 76.978616] dm_bufio_client_destroy+0x116/0x3d0\n[ 76.978625] dm_block_manager_destroy+0x19/0x40\n[ 76.978629] __destroy_persistent_data_objects+0x5e/0x70\n[ 76.978636] dm_pool_abort_metadata+0x8e/0x100\n[ 76.978643] metadata_operation_failed+0x86/0x110\n[ 76.978649] commit+0x6a/0x230\n[ 76.978655] do_worker+0xc6e/0xd90\n[ 76.978702] process_one_work+0x269/0x630\n[ 76.978714] worker_thread+0x266/0x630\n[ 76.978730] kthread+0x151/0x1b0\n[ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.\n[ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459\n[ 76.982128] Call Trace:\n[ 76.982139] __schedule+0x6ba/0x10f0\n[ 76.982155] schedule+0x9d/0x1e0\n[ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910\n[ 76.982173] down_read+0x84/0x170\n[ 76.982177] dm_thin_find_block+0x4c/0xd0\n[ 76.982183] thin_map+0x201/0x3d0\n[ 76.982188] __map_bio+0x5b/0x350\n[ 76.982195] dm_submit_bio+0x2b6/0x930\n[ 76.982202] __submit_bio+0x123/0x2d0\n[ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0\n[ 76.982222] submit_bio_noacct+0x389/0x770\n[ 76.982227] submit_bio+0x50/0xc0\n[ 76.982232] submit_bh_wbc+0x15e/0x230\n[ 76.982238] submit_bh+0x14/0x20\n[ 76.982241] ext4_read_bh_nowait+0xc5/0x130\n[ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60\n[ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0\n[ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0\n[ 76.982263] ext4_discard_preallocations+0x45d/0x830\n[ 76.982274] ext4_clear_inode+0x48/0xf0\n[ 76.982280] ext4_evict_inode+0xcf/0xc70\n[ 76.982285] evict+0x119/0x2b0\n[ 76.982290] dispose_list+0x43/0xa0\n[ 76.982294] prune_icache_sb+0x64/0x90\n[ 76.982298] super_cache_scan+0x155/0x210\n[ 76.982303] do_shrink_slab+0x19e/0x4e0\n[ 76.982310] shrink_slab+0x2bd/0x450\n[ 76.982317] drop_slab+0xcc/0x1a0\n[ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0\n[ 76.982327] proc_sys_call_handler+0x1bc/0x300\n[ 76.982331] proc_sys_write+0x17/0x20\n[ 76.982334] vfs_write+0x3d3/0x570\n[ 76.982342] ksys_write+0x73/0x160\n[ 76.982347] __x64_sys_write+0x1e/0x30\n[ 76.982352] do_syscall_64+0x35/0x80\n[ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFunct\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:12.006Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/200aa33b5d781e7c0fa6c0c7db9dbcc3f574ce8f"
},
{
"url": "https://git.kernel.org/stable/c/7e37578069737b04955c71dd85db8a3bc2709eff"
},
{
"url": "https://git.kernel.org/stable/c/f8c26c33fef588ee54852cffa7cbb9f9d9869405"
},
{
"url": "https://git.kernel.org/stable/c/2d891cc5a1706b6908bceb56af7176a463ee6d62"
},
{
"url": "https://git.kernel.org/stable/c/cdf7a39bcc427febbfe3c3b9fe829825ead96c27"
},
{
"url": "https://git.kernel.org/stable/c/8111964f1b8524c4bb56b02cd9c7a37725ea21fd"
}
],
"title": "dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50549",
"datePublished": "2025-10-07T15:21:12.006Z",
"dateReserved": "2025-10-07T15:15:38.668Z",
"dateUpdated": "2025-10-07T15:21:12.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50470 (GCVE-0-2022-50470)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xhci: Remove device endpoints from bandwidth list when freeing the device
Endpoints are normally deleted from the bandwidth list when they are
dropped, before the virt device is freed.
If xHC host is dying or being removed then the endpoints aren't dropped
cleanly due to functions returning early to avoid interacting with a
non-accessible host controller.
So check and delete endpoints that are still on the bandwidth list when
freeing the virt device.
Solves a list_del corruption kernel crash when unbinding xhci-pci,
caused by xhci_mem_cleanup() when it later tried to delete already freed
endpoints from the bandwidth list.
This only affects hosts that use software bandwidth checking, which
currenty is only the xHC in intel Panther Point PCH (Ivy Bridge)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e4ce28ad907aa54f13b21d5f1dc490525957b0c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f0de39474078adef6ece7a183e34c15ce2c1d8d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cebbc8d335d6bcc1316584f779c08f80287c6af8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f1cd9633d1f21efc13e8fc75be8f2b6bb85e38c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "678d2cc2041cc6ce05030852dce9ad42719abcfc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c892a81c7424b4f6a660cb9c249d354ccf3afeca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bf860a41e0f2fcea0ac3aae8f7ef887a7994b70",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aed5b7c2430ce318a8e62f752f181e66f0d1053",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Remove device endpoints from bandwidth list when freeing the device\n\nEndpoints are normally deleted from the bandwidth list when they are\ndropped, before the virt device is freed.\n\nIf xHC host is dying or being removed then the endpoints aren\u0027t dropped\ncleanly due to functions returning early to avoid interacting with a\nnon-accessible host controller.\n\nSo check and delete endpoints that are still on the bandwidth list when\nfreeing the virt device.\n\nSolves a list_del corruption kernel crash when unbinding xhci-pci,\ncaused by xhci_mem_cleanup() when it later tried to delete already freed\nendpoints from the bandwidth list.\n\nThis only affects hosts that use software bandwidth checking, which\ncurrenty is only the xHC in intel Panther Point PCH (Ivy Bridge)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:32.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e4ce28ad907aa54f13b21d5f1dc490525957b0c"
},
{
"url": "https://git.kernel.org/stable/c/f0de39474078adef6ece7a183e34c15ce2c1d8d1"
},
{
"url": "https://git.kernel.org/stable/c/cebbc8d335d6bcc1316584f779c08f80287c6af8"
},
{
"url": "https://git.kernel.org/stable/c/8f1cd9633d1f21efc13e8fc75be8f2b6bb85e38c"
},
{
"url": "https://git.kernel.org/stable/c/678d2cc2041cc6ce05030852dce9ad42719abcfc"
},
{
"url": "https://git.kernel.org/stable/c/c892a81c7424b4f6a660cb9c249d354ccf3afeca"
},
{
"url": "https://git.kernel.org/stable/c/3bf860a41e0f2fcea0ac3aae8f7ef887a7994b70"
},
{
"url": "https://git.kernel.org/stable/c/5aed5b7c2430ce318a8e62f752f181e66f0d1053"
}
],
"title": "xhci: Remove device endpoints from bandwidth list when freeing the device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50470",
"datePublished": "2025-10-04T15:16:32.764Z",
"dateReserved": "2025-10-04T15:13:33.466Z",
"dateUpdated": "2025-10-04T15:16:32.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40085 (GCVE-0-2025-40085)
Vulnerability from cvelistv5
Published
2025-10-29 13:37
Modified
2025-10-29 13:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5 Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c Version: 52076a41c128146c9df4a157e972cb17019313b1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "736159f7b296d7a95f7208eb4799639b1f8b16a0",
"status": "affected",
"version": "28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5",
"versionType": "git"
},
{
"lessThan": "8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "576312eb436326b44b7010f4d9ae2b698df075ea",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "bba7208765d26e5e36b87f21dacc2780b064f41f",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "8503ac1a62075a085402e42a386b5c627c821a51",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "28412b489b088fb88dff488305fd4e56bd47f6e4",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"status": "affected",
"version": "9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c",
"versionType": "git"
},
{
"status": "affected",
"version": "52076a41c128146c9df4a157e972cb17019313b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer deference in try_to_register_card\n\nIn try_to_register_card(), the return value of usb_ifnum_to_if() is\npassed directly to usb_interface_claimed() without a NULL check, which\nwill lead to a NULL pointer dereference when creating an invalid\nUSB audio device. Fix this by adding a check to ensure the interface\npointer is valid before passing it to usb_interface_claimed()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:37:04.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/736159f7b296d7a95f7208eb4799639b1f8b16a0"
},
{
"url": "https://git.kernel.org/stable/c/8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb"
},
{
"url": "https://git.kernel.org/stable/c/576312eb436326b44b7010f4d9ae2b698df075ea"
},
{
"url": "https://git.kernel.org/stable/c/bba7208765d26e5e36b87f21dacc2780b064f41f"
},
{
"url": "https://git.kernel.org/stable/c/8503ac1a62075a085402e42a386b5c627c821a51"
},
{
"url": "https://git.kernel.org/stable/c/28412b489b088fb88dff488305fd4e56bd47f6e4"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40085",
"datePublished": "2025-10-29T13:37:04.707Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-10-29T13:37:04.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53231 (GCVE-0-2023-53231)
Vulnerability from cvelistv5
Published
2025-09-15 14:22
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: Fix detection of atomic context
Current check for atomic context is not sufficient as
z_erofs_decompressqueue_endio can be called under rcu lock
from blk_mq_flush_plug_list(). See the stacktrace [1]
In such case we should hand off the decompression work for async
processing rather than trying to do sync decompression in current
context. Patch fixes the detection by checking for
rcu_read_lock_any_held() and while at it use more appropriate
!in_task() check than in_atomic().
Background: Historically erofs would always schedule a kworker for
decompression which would incur the scheduling cost regardless of
the context. But z_erofs_decompressqueue_endio() may not always
be in atomic context and we could actually benefit from doing the
decompression in z_erofs_decompressqueue_endio() if we are in
thread context, for example when running with dm-verity.
This optimization was later added in patch [2] which has shown
improvement in performance benchmarks.
==============================================
[1] Problem stacktrace
[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291
[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi
[name:core&]preempt_count: 0, expected: 0
[name:core&]RCU nest depth: 1, expected: 0
CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1
Hardware name: MT6897 (DT)
Call trace:
dump_backtrace+0x108/0x15c
show_stack+0x20/0x30
dump_stack_lvl+0x6c/0x8c
dump_stack+0x20/0x48
__might_resched+0x1fc/0x308
__might_sleep+0x50/0x88
mutex_lock+0x2c/0x110
z_erofs_decompress_queue+0x11c/0xc10
z_erofs_decompress_kickoff+0x110/0x1a4
z_erofs_decompressqueue_endio+0x154/0x180
bio_endio+0x1b0/0x1d8
__dm_io_complete+0x22c/0x280
clone_endio+0xe4/0x280
bio_endio+0x1b0/0x1d8
blk_update_request+0x138/0x3a4
blk_mq_plug_issue_direct+0xd4/0x19c
blk_mq_flush_plug_list+0x2b0/0x354
__blk_flush_plug+0x110/0x160
blk_finish_plug+0x30/0x4c
read_pages+0x2fc/0x370
page_cache_ra_unbounded+0xa4/0x23c
page_cache_ra_order+0x290/0x320
do_sync_mmap_readahead+0x108/0x2c0
filemap_fault+0x19c/0x52c
__do_fault+0xc4/0x114
handle_mm_fault+0x5b4/0x1168
do_page_fault+0x338/0x4b4
do_translation_fault+0x40/0x60
do_mem_abort+0x60/0xc8
el0_da+0x4c/0xe0
el0t_64_sync_handler+0xd4/0xfc
el0t_64_sync+0x1a0/0x1a4
[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "597fb60c75132719687e173b75cab8f6eb1ca657",
"status": "affected",
"version": "aea1286dcbbb87cf33595c2ac8b153c29a4611cb",
"versionType": "git"
},
{
"lessThan": "12d0a24afd9ea58e581ea64d64e066f2027b28d9",
"status": "affected",
"version": "aea1286dcbbb87cf33595c2ac8b153c29a4611cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: Fix detection of atomic context\n\nCurrent check for atomic context is not sufficient as\nz_erofs_decompressqueue_endio can be called under rcu lock\nfrom blk_mq_flush_plug_list(). See the stacktrace [1]\n\nIn such case we should hand off the decompression work for async\nprocessing rather than trying to do sync decompression in current\ncontext. Patch fixes the detection by checking for\nrcu_read_lock_any_held() and while at it use more appropriate\n!in_task() check than in_atomic().\n\nBackground: Historically erofs would always schedule a kworker for\ndecompression which would incur the scheduling cost regardless of\nthe context. But z_erofs_decompressqueue_endio() may not always\nbe in atomic context and we could actually benefit from doing the\ndecompression in z_erofs_decompressqueue_endio() if we are in\nthread context, for example when running with dm-verity.\nThis optimization was later added in patch [2] which has shown\nimprovement in performance benchmarks.\n\n==============================================\n[1] Problem stacktrace\n[name:core\u0026]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291\n[name:core\u0026]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi\n[name:core\u0026]preempt_count: 0, expected: 0\n[name:core\u0026]RCU nest depth: 1, expected: 0\nCPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1\nHardware name: MT6897 (DT)\nCall trace:\n dump_backtrace+0x108/0x15c\n show_stack+0x20/0x30\n dump_stack_lvl+0x6c/0x8c\n dump_stack+0x20/0x48\n __might_resched+0x1fc/0x308\n __might_sleep+0x50/0x88\n mutex_lock+0x2c/0x110\n z_erofs_decompress_queue+0x11c/0xc10\n z_erofs_decompress_kickoff+0x110/0x1a4\n z_erofs_decompressqueue_endio+0x154/0x180\n bio_endio+0x1b0/0x1d8\n __dm_io_complete+0x22c/0x280\n clone_endio+0xe4/0x280\n bio_endio+0x1b0/0x1d8\n blk_update_request+0x138/0x3a4\n blk_mq_plug_issue_direct+0xd4/0x19c\n blk_mq_flush_plug_list+0x2b0/0x354\n __blk_flush_plug+0x110/0x160\n blk_finish_plug+0x30/0x4c\n read_pages+0x2fc/0x370\n page_cache_ra_unbounded+0xa4/0x23c\n page_cache_ra_order+0x290/0x320\n do_sync_mmap_readahead+0x108/0x2c0\n filemap_fault+0x19c/0x52c\n __do_fault+0xc4/0x114\n handle_mm_fault+0x5b4/0x1168\n do_page_fault+0x338/0x4b4\n do_translation_fault+0x40/0x60\n do_mem_abort+0x60/0xc8\n el0_da+0x4c/0xe0\n el0t_64_sync_handler+0xd4/0xfc\n el0t_64_sync+0x1a0/0x1a4\n\n[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:24.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/597fb60c75132719687e173b75cab8f6eb1ca657"
},
{
"url": "https://git.kernel.org/stable/c/12d0a24afd9ea58e581ea64d64e066f2027b28d9"
}
],
"title": "erofs: Fix detection of atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53231",
"datePublished": "2025-09-15T14:22:03.599Z",
"dateReserved": "2025-09-15T14:19:21.847Z",
"dateUpdated": "2025-09-16T08:02:24.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50482 (GCVE-0-2022-50482)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Clean up si_domain in the init_dmars() error path
A splat from kmem_cache_destroy() was seen with a kernel prior to
commit ee2653bbe89d ("iommu/vt-d: Remove domain and devinfo mempool")
when there was a failure in init_dmars(), because the iommu_domain
cache still had objects. While the mempool code is now gone, there
still is a leak of the si_domain memory if init_dmars() fails. So
clean up si_domain in the init_dmars() error path.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 Version: 86080ccc223aabf8d0b85a504f4f06aa88e82fb3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "749bea542b67513e99240dc58bbfc099e842d508",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "5cecfe151874b835331efe086bbdcaeaf64f6b90",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "724483b585a1b1e063d42ac5aa835707ff2ec165",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "d74196bb278b8f8af88e16bd595997dfa3d6fdb0",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "0365d6af75f9f2696e94a0fef24a2c8464c037c8",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "c4ad3ae4c6be9d8b0701761c839771116bca6ea3",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
},
{
"lessThan": "620bf9f981365c18cc2766c53d92bf8131c63f32",
"status": "affected",
"version": "86080ccc223aabf8d0b85a504f4f06aa88e82fb3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.221",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clean up si_domain in the init_dmars() error path\n\nA splat from kmem_cache_destroy() was seen with a kernel prior to\ncommit ee2653bbe89d (\"iommu/vt-d: Remove domain and devinfo mempool\")\nwhen there was a failure in init_dmars(), because the iommu_domain\ncache still had objects. While the mempool code is now gone, there\nstill is a leak of the si_domain memory if init_dmars() fails. So\nclean up si_domain in the init_dmars() error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:41.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/749bea542b67513e99240dc58bbfc099e842d508"
},
{
"url": "https://git.kernel.org/stable/c/5cecfe151874b835331efe086bbdcaeaf64f6b90"
},
{
"url": "https://git.kernel.org/stable/c/724483b585a1b1e063d42ac5aa835707ff2ec165"
},
{
"url": "https://git.kernel.org/stable/c/d74196bb278b8f8af88e16bd595997dfa3d6fdb0"
},
{
"url": "https://git.kernel.org/stable/c/0365d6af75f9f2696e94a0fef24a2c8464c037c8"
},
{
"url": "https://git.kernel.org/stable/c/c4ad3ae4c6be9d8b0701761c839771116bca6ea3"
},
{
"url": "https://git.kernel.org/stable/c/620bf9f981365c18cc2766c53d92bf8131c63f32"
}
],
"title": "iommu/vt-d: Clean up si_domain in the init_dmars() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50482",
"datePublished": "2025-10-04T15:16:41.033Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-04T15:16:41.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50535 (GCVE-0-2022-50535)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential null-deref in dm_resume
[Why]
Fixing smatch error:
dm_resume() error: we previously assumed 'aconnector->dc_link' could be null
[How]
Check if dc_link null at the beginning of the loop,
so further checks can be dropped.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd79b61af2782f8875c78f50cdb8630ec43e2990",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d236103782de25736996a45bd36ac2a89bdc93c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f73793b81637c60ccc83cc508645310b8ab7d80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bb9a5562beb982aa5ebb73c521c49596ff8b8030",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8e365f1bd672cc9320a936f6ae6f8087aa40e9bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00b655fa96b4e941351cc4bf5ca755a65ae94a8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a7175a2cd84b7874bebbf8e59f134557a34161b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null-deref in dm_resume\n\n[Why]\nFixing smatch error:\ndm_resume() error: we previously assumed \u0027aconnector-\u003edc_link\u0027 could be null\n\n[How]\nCheck if dc_link null at the beginning of the loop,\nso further checks can be dropped."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:02.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd79b61af2782f8875c78f50cdb8630ec43e2990"
},
{
"url": "https://git.kernel.org/stable/c/d236103782de25736996a45bd36ac2a89bdc93c6"
},
{
"url": "https://git.kernel.org/stable/c/9f73793b81637c60ccc83cc508645310b8ab7d80"
},
{
"url": "https://git.kernel.org/stable/c/bb9a5562beb982aa5ebb73c521c49596ff8b8030"
},
{
"url": "https://git.kernel.org/stable/c/8e365f1bd672cc9320a936f6ae6f8087aa40e9bc"
},
{
"url": "https://git.kernel.org/stable/c/00b655fa96b4e941351cc4bf5ca755a65ae94a8e"
},
{
"url": "https://git.kernel.org/stable/c/7a7175a2cd84b7874bebbf8e59f134557a34161b"
}
],
"title": "drm/amd/display: Fix potential null-deref in dm_resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50535",
"datePublished": "2025-10-07T15:21:02.347Z",
"dateReserved": "2025-10-07T15:15:38.666Z",
"dateUpdated": "2025-10-07T15:21:02.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53687 (GCVE-0-2023-53687)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
When the best clk is searched, we iterate over all possible clk.
If we find a better match, the previous one, if any, needs to be freed.
If a better match has already been found, we still need to free the new
one, otherwise it leaks.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 Version: 5f5a7a5578c5885201cf9c85856f023fe8b81765 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "933e5b2998bc3a527d15efbf1e97c9e63297aa3c",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "01dd8a43a84616c830782166ba3cceb01ad95363",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "46574e5a0a2aee41e6ebb979cfe1dbaea8693e16",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1962717c4649e026a4252fe6625175affd28a593",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "9dd8091959bc41fee51d0827276a2b982e84adf0",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "f0bf102ef9b05d7294bd8d506755465f6867d944",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1f426293fef1c13742b2a685bf7e363f51f6ee03",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "832e231cff476102e8204a9e7bddfe5c6154a375",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk\n\nWhen the best clk is searched, we iterate over all possible clk.\n\nIf we find a better match, the previous one, if any, needs to be freed.\nIf a better match has already been found, we still need to free the new\none, otherwise it leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:39.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/933e5b2998bc3a527d15efbf1e97c9e63297aa3c"
},
{
"url": "https://git.kernel.org/stable/c/01dd8a43a84616c830782166ba3cceb01ad95363"
},
{
"url": "https://git.kernel.org/stable/c/46574e5a0a2aee41e6ebb979cfe1dbaea8693e16"
},
{
"url": "https://git.kernel.org/stable/c/1962717c4649e026a4252fe6625175affd28a593"
},
{
"url": "https://git.kernel.org/stable/c/9dd8091959bc41fee51d0827276a2b982e84adf0"
},
{
"url": "https://git.kernel.org/stable/c/f0bf102ef9b05d7294bd8d506755465f6867d944"
},
{
"url": "https://git.kernel.org/stable/c/1f426293fef1c13742b2a685bf7e363f51f6ee03"
},
{
"url": "https://git.kernel.org/stable/c/832e231cff476102e8204a9e7bddfe5c6154a375"
}
],
"title": "tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53687",
"datePublished": "2025-10-07T15:21:39.542Z",
"dateReserved": "2025-10-07T15:16:59.665Z",
"dateUpdated": "2025-10-07T15:21:39.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50505 (GCVE-0-2022-50505)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Fix pci device refcount leak in ppr_notifier()
As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put(). So call it before returning from ppr_notifier()
to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e Version: daae2d25a4779b272a66ddd01f5810bcee822b9e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdb2113dd8f17a3cc84a2b4be4968a849f69ec72",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "efd50c65fd1cdef63eb58825f3fe72496443764c",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "8581ec1feb895ff596fe3d326d9ba320083290aa",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "03f51c72997559e73b327608f0cccfded715c9a0",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "6e501b3fd7a2e1c4372d72bc70717aaca2beb8a5",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "902cc2507091a81643502d8ceb0e2f105e902518",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "b0637f4bd426925f5c3a15e8f8e36190fe06bac5",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
},
{
"lessThan": "6cf0981c2233f97d56938d9d61845383d6eb227c",
"status": "affected",
"version": "daae2d25a4779b272a66ddd01f5810bcee822b9e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix pci device refcount leak in ppr_notifier()\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it before returning from ppr_notifier()\nto avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:54.265Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdb2113dd8f17a3cc84a2b4be4968a849f69ec72"
},
{
"url": "https://git.kernel.org/stable/c/efd50c65fd1cdef63eb58825f3fe72496443764c"
},
{
"url": "https://git.kernel.org/stable/c/8581ec1feb895ff596fe3d326d9ba320083290aa"
},
{
"url": "https://git.kernel.org/stable/c/03f51c72997559e73b327608f0cccfded715c9a0"
},
{
"url": "https://git.kernel.org/stable/c/6e501b3fd7a2e1c4372d72bc70717aaca2beb8a5"
},
{
"url": "https://git.kernel.org/stable/c/902cc2507091a81643502d8ceb0e2f105e902518"
},
{
"url": "https://git.kernel.org/stable/c/b0637f4bd426925f5c3a15e8f8e36190fe06bac5"
},
{
"url": "https://git.kernel.org/stable/c/6cf0981c2233f97d56938d9d61845383d6eb227c"
}
],
"title": "iommu/amd: Fix pci device refcount leak in ppr_notifier()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50505",
"datePublished": "2025-10-04T15:43:54.265Z",
"dateReserved": "2025-10-04T15:39:19.465Z",
"dateUpdated": "2025-10-04T15:43:54.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53167 (GCVE-0-2023-53167)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-15 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix null pointer dereference in tracing_err_log_open()
Fix an issue in function 'tracing_err_log_open'.
The function doesn't call 'seq_open' if the file is opened only with
write permissions, which results in 'file->private_data' being left as null.
If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
Writing to this node requires root privileges, therefore this bug
has very little security impact.
Tracefs node: /sys/kernel/tracing/error_log
Example Kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
Call trace:
mutex_lock+0x30/0x110
seq_lseek+0x34/0xb8
__arm64_sys_lseek+0x6c/0xb8
invoke_syscall+0x58/0x13c
el0_svc_common+0xc4/0x10c
do_el0_svc+0x24/0x98
el0_svc+0x24/0x88
el0t_64_sync_handler+0x84/0xe4
el0t_64_sync+0x1b4/0x1b8
Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
---[ end trace 561d1b49c12cf8a5 ]---
Kernel panic - not syncing: Oops: Fatal exception
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8a062902be725f647dc8da532b04d836546a369a Version: 8a062902be725f647dc8da532b04d836546a369a Version: 8a062902be725f647dc8da532b04d836546a369a Version: 8a062902be725f647dc8da532b04d836546a369a Version: 8a062902be725f647dc8da532b04d836546a369a Version: 8a062902be725f647dc8da532b04d836546a369a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93114cbc7cb169f6f26eeaed5286b91bb86b463b",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
},
{
"lessThan": "7060e5aac6dc195124c106f49106d653a416323a",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
},
{
"lessThan": "3b5d9b7b875968a8a8c99dac45cb85b705c44802",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
},
{
"lessThan": "938d5b7a75e18264887387ddf9169db6d8aeef98",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
},
{
"lessThan": "1e1c9aa9288a46c342f0f2c5c0b1c0876b9b0276",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
},
{
"lessThan": "02b0095e2fbbc060560c1065f86a211d91e27b26",
"status": "affected",
"version": "8a062902be725f647dc8da532b04d836546a369a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix null pointer dereference in tracing_err_log_open()\n\nFix an issue in function \u0027tracing_err_log_open\u0027.\nThe function doesn\u0027t call \u0027seq_open\u0027 if the file is opened only with\nwrite permissions, which results in \u0027file-\u003eprivate_data\u0027 being left as null.\nIf we then use \u0027lseek\u0027 on that opened file, \u0027seq_lseek\u0027 dereferences\n\u0027file-\u003eprivate_data\u0027 in \u0027mutex_lock(\u0026m-\u003elock)\u0027, resulting in a kernel panic.\nWriting to this node requires root privileges, therefore this bug\nhas very little security impact.\n\nTracefs node: /sys/kernel/tracing/error_log\n\nExample Kernel panic:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000038\nCall trace:\n mutex_lock+0x30/0x110\n seq_lseek+0x34/0xb8\n __arm64_sys_lseek+0x6c/0xb8\n invoke_syscall+0x58/0x13c\n el0_svc_common+0xc4/0x10c\n do_el0_svc+0x24/0x98\n el0_svc+0x24/0x88\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x1b4/0x1b8\nCode: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)\n---[ end trace 561d1b49c12cf8a5 ]---\nKernel panic - not syncing: Oops: Fatal exception"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:56.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93114cbc7cb169f6f26eeaed5286b91bb86b463b"
},
{
"url": "https://git.kernel.org/stable/c/7060e5aac6dc195124c106f49106d653a416323a"
},
{
"url": "https://git.kernel.org/stable/c/3b5d9b7b875968a8a8c99dac45cb85b705c44802"
},
{
"url": "https://git.kernel.org/stable/c/938d5b7a75e18264887387ddf9169db6d8aeef98"
},
{
"url": "https://git.kernel.org/stable/c/1e1c9aa9288a46c342f0f2c5c0b1c0876b9b0276"
},
{
"url": "https://git.kernel.org/stable/c/02b0095e2fbbc060560c1065f86a211d91e27b26"
}
],
"title": "tracing: Fix null pointer dereference in tracing_err_log_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53167",
"datePublished": "2025-09-15T14:03:56.025Z",
"dateReserved": "2025-09-15T13:59:19.063Z",
"dateUpdated": "2025-09-15T14:03:56.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50526 (GCVE-0-2022-50526)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502664/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b312fcab461bd9484c61409007a6fe059f9c2074",
"status": "affected",
"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960",
"versionType": "git"
},
{
"lessThan": "74466e46e7543c7f74f1502181e9ba93f7521374",
"status": "affected",
"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502664/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:18.586Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b312fcab461bd9484c61409007a6fe059f9c2074"
},
{
"url": "https://git.kernel.org/stable/c/74466e46e7543c7f74f1502181e9ba93f7521374"
}
],
"title": "drm/msm/dp: fix memory corruption with too many bridges",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50526",
"datePublished": "2025-10-07T15:19:18.586Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:18.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50572 (GCVE-0-2022-50572)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
The of_get_next_child() returns a node with refcount incremented, and
decrements the refcount of prev. So in the error path of the while loop,
of_node_put() needs be called for cpu_ep.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fce9b90c1ab7e915553c57353355700c79b39c86 Version: fce9b90c1ab7e915553c57353355700c79b39c86 Version: fce9b90c1ab7e915553c57353355700c79b39c86 Version: fce9b90c1ab7e915553c57353355700c79b39c86 Version: fce9b90c1ab7e915553c57353355700c79b39c86 Version: fce9b90c1ab7e915553c57353355700c79b39c86 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/generic/audio-graph-card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed1376f771404917c2ec3ebc617431ec01146134",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
},
{
"lessThan": "06c9d468c06806dab752eb8e72addbf3792c1023",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
},
{
"lessThan": "85eb5c952b7fe2d2059beaa4a4dd26688b25547b",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
},
{
"lessThan": "49dad92af6892f46851af989ef3aa7cd7316c389",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
},
{
"lessThan": "4cc8431ec77a43ea106d8bde0860c61cfdda1cd0",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
},
{
"lessThan": "8ab2d12c726f0fde0692fa5d81d8019b3dcd62d0",
"status": "affected",
"version": "fce9b90c1ab7e915553c57353355700c79b39c86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/generic/audio-graph-card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()\n\nThe of_get_next_child() returns a node with refcount incremented, and\ndecrements the refcount of prev. So in the error path of the while loop,\nof_node_put() needs be called for cpu_ep."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:27.813Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed1376f771404917c2ec3ebc617431ec01146134"
},
{
"url": "https://git.kernel.org/stable/c/06c9d468c06806dab752eb8e72addbf3792c1023"
},
{
"url": "https://git.kernel.org/stable/c/85eb5c952b7fe2d2059beaa4a4dd26688b25547b"
},
{
"url": "https://git.kernel.org/stable/c/49dad92af6892f46851af989ef3aa7cd7316c389"
},
{
"url": "https://git.kernel.org/stable/c/4cc8431ec77a43ea106d8bde0860c61cfdda1cd0"
},
{
"url": "https://git.kernel.org/stable/c/8ab2d12c726f0fde0692fa5d81d8019b3dcd62d0"
}
],
"title": "ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50572",
"datePublished": "2025-10-22T13:23:27.813Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:27.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53574 (GCVE-0-2023-53574)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-06 09:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: delete timer and free skb queue when unloading
Fix possible crash and memory leak on driver unload by deleting
TX purge timer and freeing C2H queue in 'rtw_core_deinit()',
shrink critical section in the latter by freeing COEX queue
out of TX report lock scope.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4128b00a6006870e117ab1841e58f369e9284ecb",
"status": "affected",
"version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
"versionType": "git"
},
{
"lessThan": "634fcbcaa4062db39aeb5ac6ed1bc1feb8dd5216",
"status": "affected",
"version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: delete timer and free skb queue when unloading\n\nFix possible crash and memory leak on driver unload by deleting\nTX purge timer and freeing C2H queue in \u0027rtw_core_deinit()\u0027,\nshrink critical section in the latter by freeing COEX queue\nout of TX report lock scope."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T09:07:18.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4128b00a6006870e117ab1841e58f369e9284ecb"
},
{
"url": "https://git.kernel.org/stable/c/634fcbcaa4062db39aeb5ac6ed1bc1feb8dd5216"
}
],
"title": "wifi: rtw88: delete timer and free skb queue when unloading",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53574",
"datePublished": "2025-10-04T15:17:14.532Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-06T09:07:18.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53221 (GCVE-0-2023-53221)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix memleak due to fentry attach failure
If it fails to attach fentry, the allocated bpf trampoline image will be
left in the system. That can be verified by checking /proc/kallsyms.
This meamleak can be verified by a simple bpf program as follows:
SEC("fentry/trap_init")
int fentry_run()
{
return 0;
}
It will fail to attach trap_init because this function is freed after
kernel init, and then we can find the trampoline image is left in the
system by checking /proc/kallsyms.
$ tail /proc/kallsyms
ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]
ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]
$ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'"
[2522] FUNC 'trap_init' type_id=119 linkage=static
$ echo $((6442453466 & 0x7fffffff))
2522
Note that there are two left bpf trampoline images, that is because the
libbpf will fallback to raw tracepoint if -EINVAL is returned.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e21aa341785c679dd409c8cb71f864c00fe6c463 Version: e21aa341785c679dd409c8cb71f864c00fe6c463 Version: e21aa341785c679dd409c8cb71f864c00fe6c463 Version: e21aa341785c679dd409c8cb71f864c00fe6c463 Version: e21d2b92354b3cd25dd774ebb0f0e52ff04a7861 Version: 85d177f56e5256e14b74a65940f981f6e3e8bb32 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20109ddd5bea2c24d790debf5d02584ef24c3f5e",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "f72c67d1a82dada7d6d504c806e111e913721a30",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "6aa27775db63ba8c7c73891c7dfb71ddc230c48d",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"lessThan": "108598c39eefbedc9882273ac0df96127a629220",
"status": "affected",
"version": "e21aa341785c679dd409c8cb71f864c00fe6c463",
"versionType": "git"
},
{
"status": "affected",
"version": "e21d2b92354b3cd25dd774ebb0f0e52ff04a7861",
"versionType": "git"
},
{
"status": "affected",
"version": "85d177f56e5256e14b74a65940f981f6e3e8bb32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memleak due to fentry attach failure\n\nIf it fails to attach fentry, the allocated bpf trampoline image will be\nleft in the system. That can be verified by checking /proc/kallsyms.\n\nThis meamleak can be verified by a simple bpf program as follows:\n\n SEC(\"fentry/trap_init\")\n int fentry_run()\n {\n return 0;\n }\n\nIt will fail to attach trap_init because this function is freed after\nkernel init, and then we can find the trampoline image is left in the\nsystem by checking /proc/kallsyms.\n\n $ tail /proc/kallsyms\n ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]\n ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]\n\n $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep \"FUNC \u0027trap_init\u0027\"\n [2522] FUNC \u0027trap_init\u0027 type_id=119 linkage=static\n\n $ echo $((6442453466 \u0026 0x7fffffff))\n 2522\n\nNote that there are two left bpf trampoline images, that is because the\nlibbpf will fallback to raw tracepoint if -EINVAL is returned."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:50.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20109ddd5bea2c24d790debf5d02584ef24c3f5e"
},
{
"url": "https://git.kernel.org/stable/c/f72c67d1a82dada7d6d504c806e111e913721a30"
},
{
"url": "https://git.kernel.org/stable/c/6aa27775db63ba8c7c73891c7dfb71ddc230c48d"
},
{
"url": "https://git.kernel.org/stable/c/108598c39eefbedc9882273ac0df96127a629220"
}
],
"title": "bpf: Fix memleak due to fentry attach failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53221",
"datePublished": "2025-09-15T14:21:50.053Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2025-09-15T14:21:50.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39719 (GCVE-0-2025-39719)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: bno055: fix OOB access of hw_xlate array
Fix a potential out-of-bounds array access of the hw_xlate array in
bno055.c.
In bno055_get_regmask(), hw_xlate was iterated over the length of the
vals array instead of the length of the hw_xlate array. In the case of
bno055_gyr_scale, the vals array is larger than the hw_xlate array,
so this could result in an out-of-bounds access. In practice, this
shouldn't happen though because a match should always be found which
breaks out of the for loop before it iterates beyond the end of the
hw_xlate array.
By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be
sure we are iterating over the correct length.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:44.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/bno055/bno055.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0691ab6334f1769acc64ea9e319414a682ff45d",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "50e823a23816b792daf6e8405f8d6045952bb90e",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "4808ca3aa30ae857454d0b41d2d0bf161a312b45",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "5c2b601922c064f7be70ae8621277f18d1ffec59",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
},
{
"lessThan": "399b883ec828e436f1a721bf8551b4da8727e65b",
"status": "affected",
"version": "4aefe1c2bd0cb0223130671d459cd16efa3d3462",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/bno055/bno055.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: bno055: fix OOB access of hw_xlate array\n\nFix a potential out-of-bounds array access of the hw_xlate array in\nbno055.c.\n\nIn bno055_get_regmask(), hw_xlate was iterated over the length of the\nvals array instead of the length of the hw_xlate array. In the case of\nbno055_gyr_scale, the vals array is larger than the hw_xlate array,\nso this could result in an out-of-bounds access. In practice, this\nshouldn\u0027t happen though because a match should always be found which\nbreaks out of the for loop before it iterates beyond the end of the\nhw_xlate array.\n\nBy adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be\nsure we are iterating over the correct length."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:05.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0691ab6334f1769acc64ea9e319414a682ff45d"
},
{
"url": "https://git.kernel.org/stable/c/50e823a23816b792daf6e8405f8d6045952bb90e"
},
{
"url": "https://git.kernel.org/stable/c/4808ca3aa30ae857454d0b41d2d0bf161a312b45"
},
{
"url": "https://git.kernel.org/stable/c/5c2b601922c064f7be70ae8621277f18d1ffec59"
},
{
"url": "https://git.kernel.org/stable/c/399b883ec828e436f1a721bf8551b4da8727e65b"
}
],
"title": "iio: imu: bno055: fix OOB access of hw_xlate array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39719",
"datePublished": "2025-09-05T17:21:26.952Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-11-03T17:42:44.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39949 (GCVE-0-2025-39949)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
qed: Don't collect too many protection override GRC elements
In the protection override dump path, the firmware can return far too
many GRC elements, resulting in attempting to write past the end of the
previously-kmalloc'ed dump buffer.
This will result in a kernel panic with reason:
BUG: unable to handle kernel paging request at ADDRESS
where "ADDRESS" is just past the end of the protection override dump
buffer. The start address of the buffer is:
p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf
and the size of the buffer is buf_size in the same data structure.
The panic can be arrived at from either the qede Ethernet driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc02662ed [qed]
qed_dbg_protection_override_dump at ffffffffc0267792 [qed]
qed_dbg_feature at ffffffffc026aa8f [qed]
qed_dbg_all_data at ffffffffc026b211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]
devlink_health_do_dump at ffffffff82497f61
devlink_health_report at ffffffff8249cf29
qed_report_fatal_error at ffffffffc0272baf [qed]
qede_sp_task at ffffffffc045ed32 [qede]
process_one_work at ffffffff81d19783
or the qedf storage driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc068b2ed [qed]
qed_dbg_protection_override_dump at ffffffffc068c792 [qed]
qed_dbg_feature at ffffffffc068fa8f [qed]
qed_dbg_all_data at ffffffffc0690211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]
devlink_health_do_dump at ffffffff8aa95e51
devlink_health_report at ffffffff8aa9ae19
qed_report_fatal_error at ffffffffc0697baf [qed]
qed_hw_err_notify at ffffffffc06d32d7 [qed]
qed_spq_post at ffffffffc06b1011 [qed]
qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]
qedf_cleanup_fcport at ffffffffc05e7597 [qedf]
qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]
fc_rport_work at ffffffffc02da715 [libfc]
process_one_work at ffffffff8a319663
Resolve this by clamping the firmware's return value to the maximum
number of legal elements the firmware should return.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25672c620421fa2105703a94a29a03487245e6d6",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "8141910869596b7a3a5d9b46107da2191d523f82",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "ea53e6a47e148b490b1c652fc65d2de5a086df76",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "660b2a8f5a306a28c7efc1b4990ecc4912a68f87",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: Don\u0027t collect too many protection override GRC elements\n\nIn the protection override dump path, the firmware can return far too\nmany GRC elements, resulting in attempting to write past the end of the\npreviously-kmalloc\u0027ed dump buffer.\n\nThis will result in a kernel panic with reason:\n\n BUG: unable to handle kernel paging request at ADDRESS\n\nwhere \"ADDRESS\" is just past the end of the protection override dump\nbuffer. The start address of the buffer is:\n p_hwfn-\u003ecdev-\u003edbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf\nand the size of the buffer is buf_size in the same data structure.\n\nThe panic can be arrived at from either the qede Ethernet driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc02662ed [qed]\n qed_dbg_protection_override_dump at ffffffffc0267792 [qed]\n qed_dbg_feature at ffffffffc026aa8f [qed]\n qed_dbg_all_data at ffffffffc026b211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]\n devlink_health_do_dump at ffffffff82497f61\n devlink_health_report at ffffffff8249cf29\n qed_report_fatal_error at ffffffffc0272baf [qed]\n qede_sp_task at ffffffffc045ed32 [qede]\n process_one_work at ffffffff81d19783\n\nor the qedf storage driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc068b2ed [qed]\n qed_dbg_protection_override_dump at ffffffffc068c792 [qed]\n qed_dbg_feature at ffffffffc068fa8f [qed]\n qed_dbg_all_data at ffffffffc0690211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]\n devlink_health_do_dump at ffffffff8aa95e51\n devlink_health_report at ffffffff8aa9ae19\n qed_report_fatal_error at ffffffffc0697baf [qed]\n qed_hw_err_notify at ffffffffc06d32d7 [qed]\n qed_spq_post at ffffffffc06b1011 [qed]\n qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]\n qedf_cleanup_fcport at ffffffffc05e7597 [qedf]\n qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]\n fc_rport_work at ffffffffc02da715 [libfc]\n process_one_work at ffffffff8a319663\n\nResolve this by clamping the firmware\u0027s return value to the maximum\nnumber of legal elements the firmware should return."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:05.967Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25672c620421fa2105703a94a29a03487245e6d6"
},
{
"url": "https://git.kernel.org/stable/c/e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c"
},
{
"url": "https://git.kernel.org/stable/c/8141910869596b7a3a5d9b46107da2191d523f82"
},
{
"url": "https://git.kernel.org/stable/c/ea53e6a47e148b490b1c652fc65d2de5a086df76"
},
{
"url": "https://git.kernel.org/stable/c/660b2a8f5a306a28c7efc1b4990ecc4912a68f87"
},
{
"url": "https://git.kernel.org/stable/c/70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3"
},
{
"url": "https://git.kernel.org/stable/c/56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37"
}
],
"title": "qed: Don\u0027t collect too many protection override GRC elements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39949",
"datePublished": "2025-10-04T07:31:10.164Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:05.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50334 (GCVE-0-2022-50334)
Vulnerability from cvelistv5
Published
2025-09-15 14:49
Modified
2025-09-15 14:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
Syzkaller reports a null-ptr-deref bug as follows:
======================================================
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380
[...]
Call Trace:
<TASK>
vfs_parse_fs_param fs/fs_context.c:148 [inline]
vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129
vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191
generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231
do_new_mount fs/namespace.c:3036 [inline]
path_mount+0x12de/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
</TASK>
======================================================
According to commit "vfs: parse: deal with zero length string value",
kernel will set the param->string to null pointer in vfs_parse_fs_string()
if fs string has zero length.
Yet the problem is that, hugetlbfs_parse_param() will dereference the
param->string, without checking whether it is a null pointer. To be more
specific, if hugetlbfs_parse_param() parses an illegal mount parameter,
such as "size=,", kernel will constructs struct fs_parameter with null
pointer in vfs_parse_fs_string(), then passes this struct fs_parameter to
hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.
This patch solves it by adding sanity check on param->string
in hugetlbfs_parse_param().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa71639873518e3587632ae58e25e4a96b57fa90",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dcd28191be9bbf307ba51a5b485773a55b0037c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9a8862820cbf1f18dca4f3b4c289d88561b3a384",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "965e8f8ae0f642b5528f5a82b7bcaf15a659d5bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2207145693ae5697a7b59e2add4b92f9e5b0e3c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "26215b7ee923b9251f7bb12c4e5f09dc465d35f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()\n\nSyzkaller reports a null-ptr-deref bug as follows:\n======================================================\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380\n[...]\nCall Trace:\n \u003cTASK\u003e\n vfs_parse_fs_param fs/fs_context.c:148 [inline]\n vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129\n vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191\n generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231\n do_new_mount fs/namespace.c:3036 [inline]\n path_mount+0x12de/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n \u003c/TASK\u003e\n======================================================\n\nAccording to commit \"vfs: parse: deal with zero length string value\",\nkernel will set the param-\u003estring to null pointer in vfs_parse_fs_string()\nif fs string has zero length.\n\nYet the problem is that, hugetlbfs_parse_param() will dereference the\nparam-\u003estring, without checking whether it is a null pointer. To be more\nspecific, if hugetlbfs_parse_param() parses an illegal mount parameter,\nsuch as \"size=,\", kernel will constructs struct fs_parameter with null\npointer in vfs_parse_fs_string(), then passes this struct fs_parameter to\nhugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.\n\nThis patch solves it by adding sanity check on param-\u003estring\nin hugetlbfs_parse_param()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:49:48.608Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa71639873518e3587632ae58e25e4a96b57fa90"
},
{
"url": "https://git.kernel.org/stable/c/dcd28191be9bbf307ba51a5b485773a55b0037c4"
},
{
"url": "https://git.kernel.org/stable/c/9a8862820cbf1f18dca4f3b4c289d88561b3a384"
},
{
"url": "https://git.kernel.org/stable/c/965e8f8ae0f642b5528f5a82b7bcaf15a659d5bd"
},
{
"url": "https://git.kernel.org/stable/c/f2207145693ae5697a7b59e2add4b92f9e5b0e3c"
},
{
"url": "https://git.kernel.org/stable/c/26215b7ee923b9251f7bb12c4e5f09dc465d35f2"
}
],
"title": "hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50334",
"datePublished": "2025-09-15T14:49:48.608Z",
"dateReserved": "2025-09-15T14:18:36.816Z",
"dateUpdated": "2025-09-15T14:49:48.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53530 (GCVE-0-2023-53530)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2025-10-01 11:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
The following call trace was observed:
localhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete
localhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092
localhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN "nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291"
localhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]
localhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G B W OE --------- --- 5.14.0-70.22.1.el9_0.x86_64+debug #1
localhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022
localhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core]
localhost kernel: Call Trace:
localhost kernel: dump_stack_lvl+0x57/0x7d
localhost kernel: check_preemption_disabled+0xc8/0xd0
localhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]
Use raw_smp_processor_id() instead of smp_processor_id().
Also use queue_work() across the driver instead of queue_work_on() thus
avoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_inline.h",
"drivers/scsi/qla2xxx/qla_isr.c",
"drivers/scsi/qla2xxx/qla_target.c",
"drivers/scsi/qla2xxx/tcm_qla2xxx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a541999f31fcb10ea50eba2a563e6c451fd5c7d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52c7b41ad6ee53222f4ee2f0c099a6ed8291a168",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25bd0c7def04a272f8e89b36971712fe29c6e438",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59f10a05b5c7b675256a66e3161741239889ff80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_inline.h",
"drivers/scsi/qla2xxx/qla_isr.c",
"drivers/scsi/qla2xxx/qla_target.c",
"drivers/scsi/qla2xxx/tcm_qla2xxx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.134",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()\n\nThe following call trace was observed:\n\nlocalhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete\nlocalhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092\nlocalhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN \"nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291\"\nlocalhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\nlocalhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G B W OE --------- --- 5.14.0-70.22.1.el9_0.x86_64+debug #1\nlocalhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022\nlocalhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core]\nlocalhost kernel: Call Trace:\nlocalhost kernel: dump_stack_lvl+0x57/0x7d\nlocalhost kernel: check_preemption_disabled+0xc8/0xd0\nlocalhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\n\nUse raw_smp_processor_id() instead of smp_processor_id().\n\nAlso use queue_work() across the driver instead of queue_work_on() thus\navoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:46:15.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a541999f31fcb10ea50eba2a563e6c451fd5c7d"
},
{
"url": "https://git.kernel.org/stable/c/52c7b41ad6ee53222f4ee2f0c099a6ed8291a168"
},
{
"url": "https://git.kernel.org/stable/c/25bd0c7def04a272f8e89b36971712fe29c6e438"
},
{
"url": "https://git.kernel.org/stable/c/59f10a05b5c7b675256a66e3161741239889ff80"
}
],
"title": "scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53530",
"datePublished": "2025-10-01T11:46:15.075Z",
"dateReserved": "2025-10-01T11:39:39.408Z",
"dateUpdated": "2025-10-01T11:46:15.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38702 (GCVE-0-2025-38702)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: fix potential buffer overflow in do_register_framebuffer()
The current implementation may lead to buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds
Add boundary check to prevent registered_fb[FB_MAX] access.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:34.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c3f5a25c62230b7965804ce7a2e9305c3ca3961",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cbe740de32bb0fb7a5213731ff5f26ea6718fca3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "806f85bdd3a60187c21437fc51baace11f659f35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2828a433c7d7a05b6f27c8148502095101dd0b09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "523b84dc7ccea9c4d79126d6ed1cf9033cf83b05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fix potential buffer overflow in do_register_framebuffer()\n\nThe current implementation may lead to buffer overflow when:\n1. Unregistration creates NULL gaps in registered_fb[]\n2. All array slots become occupied despite num_registered_fb \u003c FB_MAX\n3. The registration loop exceeds array bounds\n\nAdd boundary check to prevent registered_fb[FB_MAX] access."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:21.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c3f5a25c62230b7965804ce7a2e9305c3ca3961"
},
{
"url": "https://git.kernel.org/stable/c/cbe740de32bb0fb7a5213731ff5f26ea6718fca3"
},
{
"url": "https://git.kernel.org/stable/c/806f85bdd3a60187c21437fc51baace11f659f35"
},
{
"url": "https://git.kernel.org/stable/c/2828a433c7d7a05b6f27c8148502095101dd0b09"
},
{
"url": "https://git.kernel.org/stable/c/248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399"
},
{
"url": "https://git.kernel.org/stable/c/523b84dc7ccea9c4d79126d6ed1cf9033cf83b05"
}
],
"title": "fbdev: fix potential buffer overflow in do_register_framebuffer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38702",
"datePublished": "2025-09-04T15:32:53.990Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:34.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53556 (GCVE-0-2023-53556)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix use-after-free in free_netdev
We do netif_napi_add() for all allocated q_vectors[], but potentially
do netif_napi_del() for part of them, then kfree q_vectors and leave
invalid pointers at dev->napi_list.
Reproducer:
[root@host ~]# cat repro.sh
#!/bin/bash
pf_dbsf="0000:41:00.0"
vf0_dbsf="0000:41:02.0"
g_pids=()
function do_set_numvf()
{
echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
sleep $((RANDOM%3+1))
echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
sleep $((RANDOM%3+1))
}
function do_set_channel()
{
local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
[ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
ifconfig $nic 192.168.18.5 netmask 255.255.255.0
ifconfig $nic up
ethtool -L $nic combined 1
ethtool -L $nic combined 4
sleep $((RANDOM%3))
}
function on_exit()
{
local pid
for pid in "${g_pids[@]}"; do
kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
done
g_pids=()
}
trap "on_exit; exit" EXIT
while :; do do_set_numvf ; done &
g_pids+=($!)
while :; do do_set_channel ; done &
g_pids+=($!)
wait
Result:
[ 4093.900222] ==================================================================
[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699
[ 4093.900233]
[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
[ 4093.900239] Call Trace:
[ 4093.900244] dump_stack+0x71/0xab
[ 4093.900249] print_address_description+0x6b/0x290
[ 4093.900251] ? free_netdev+0x308/0x390
[ 4093.900252] kasan_report+0x14a/0x2b0
[ 4093.900254] free_netdev+0x308/0x390
[ 4093.900261] iavf_remove+0x825/0xd20 [iavf]
[ 4093.900265] pci_device_remove+0xa8/0x1f0
[ 4093.900268] device_release_driver_internal+0x1c6/0x460
[ 4093.900271] pci_stop_bus_device+0x101/0x150
[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20
[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420
[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10
[ 4093.900278] ? pci_get_subsys+0x90/0x90
[ 4093.900280] sriov_disable+0xed/0x3e0
[ 4093.900282] ? bus_find_device+0x12d/0x1a0
[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e]
[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
[ 4093.900299] ? pci_get_device+0x7c/0x90
[ 4093.900300] ? pci_get_subsys+0x90/0x90
[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210
[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10
[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
[ 4093.900318] sriov_numvfs_store+0x214/0x290
[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30
[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10
[ 4093.900323] ? __check_object_size+0x15a/0x350
[ 4093.900326] kernfs_fop_write+0x280/0x3f0
[ 4093.900329] vfs_write+0x145/0x440
[ 4093.900330] ksys_write+0xab/0x160
[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0
[ 4093.900334] ? fput_many+0x1a/0x120
[ 4093.900335] ? filp_close+0xf0/0x130
[ 4093.900338] do_syscall_64+0xa0/0x370
[ 4093.900339] ? page_fault+0x8/0x30
[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 4093.900357] RIP: 0033:0x7f16ad4d22c0
[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24
[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0
[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001
[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700
[ 4093.9003
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5eae00c57f5e42bf201023471917da213c4946d6 Version: 5eae00c57f5e42bf201023471917da213c4946d6 Version: 5eae00c57f5e42bf201023471917da213c4946d6 Version: 5eae00c57f5e42bf201023471917da213c4946d6 Version: 5eae00c57f5e42bf201023471917da213c4946d6 Version: 5eae00c57f5e42bf201023471917da213c4946d6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17046107ca15d7571551539d94e76aba2bf71fd3",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
},
{
"lessThan": "a4635f190f332304db4a49e827ece790b804b5db",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
},
{
"lessThan": "345c44e18cc10cded85cb9134830e1684495c866",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
},
{
"lessThan": "ca12b98e04b5d1902ac08fe826d3500cb4b6e891",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
},
{
"lessThan": "8d781a9c53034813c3194b7d94409c7d24ac73eb",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
},
{
"lessThan": "5f4fa1672d98fe99d2297b03add35346f1685d6b",
"status": "affected",
"version": "5eae00c57f5e42bf201023471917da213c4946d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix use-after-free in free_netdev\n\nWe do netif_napi_add() for all allocated q_vectors[], but potentially\ndo netif_napi_del() for part of them, then kfree q_vectors and leave\ninvalid pointers at dev-\u003enapi_list.\n\nReproducer:\n\n [root@host ~]# cat repro.sh\n #!/bin/bash\n\n pf_dbsf=\"0000:41:00.0\"\n vf0_dbsf=\"0000:41:02.0\"\n g_pids=()\n\n function do_set_numvf()\n {\n echo 2 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n echo 0 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n }\n\n function do_set_channel()\n {\n local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n [ -z \"$nic\" ] \u0026\u0026 { sleep $((RANDOM%3)) ; return 1; }\n ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n ifconfig $nic up\n ethtool -L $nic combined 1\n ethtool -L $nic combined 4\n sleep $((RANDOM%3))\n }\n\n function on_exit()\n {\n local pid\n for pid in \"${g_pids[@]}\"; do\n kill -0 \"$pid\" \u0026\u003e/dev/null \u0026\u0026 kill \"$pid\" \u0026\u003e/dev/null\n done\n g_pids=()\n }\n\n trap \"on_exit; exit\" EXIT\n\n while :; do do_set_numvf ; done \u0026\n g_pids+=($!)\n while :; do do_set_channel ; done \u0026\n g_pids+=($!)\n\n wait\n\nResult:\n\n[ 4093.900222] ==================================================================\n[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390\n[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699\n[ 4093.900233]\n[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1\n[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 4093.900239] Call Trace:\n[ 4093.900244] dump_stack+0x71/0xab\n[ 4093.900249] print_address_description+0x6b/0x290\n[ 4093.900251] ? free_netdev+0x308/0x390\n[ 4093.900252] kasan_report+0x14a/0x2b0\n[ 4093.900254] free_netdev+0x308/0x390\n[ 4093.900261] iavf_remove+0x825/0xd20 [iavf]\n[ 4093.900265] pci_device_remove+0xa8/0x1f0\n[ 4093.900268] device_release_driver_internal+0x1c6/0x460\n[ 4093.900271] pci_stop_bus_device+0x101/0x150\n[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20\n[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420\n[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10\n[ 4093.900278] ? pci_get_subsys+0x90/0x90\n[ 4093.900280] sriov_disable+0xed/0x3e0\n[ 4093.900282] ? bus_find_device+0x12d/0x1a0\n[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e]\n[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 4093.900299] ? pci_get_device+0x7c/0x90\n[ 4093.900300] ? pci_get_subsys+0x90/0x90\n[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210\n[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 4093.900318] sriov_numvfs_store+0x214/0x290\n[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30\n[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900323] ? __check_object_size+0x15a/0x350\n[ 4093.900326] kernfs_fop_write+0x280/0x3f0\n[ 4093.900329] vfs_write+0x145/0x440\n[ 4093.900330] ksys_write+0xab/0x160\n[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0\n[ 4093.900334] ? fput_many+0x1a/0x120\n[ 4093.900335] ? filp_close+0xf0/0x130\n[ 4093.900338] do_syscall_64+0xa0/0x370\n[ 4093.900339] ? page_fault+0x8/0x30\n[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 4093.900357] RIP: 0033:0x7f16ad4d22c0\n[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24\n[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0\n[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001\n[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700\n[ 4093.9003\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:01.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17046107ca15d7571551539d94e76aba2bf71fd3"
},
{
"url": "https://git.kernel.org/stable/c/a4635f190f332304db4a49e827ece790b804b5db"
},
{
"url": "https://git.kernel.org/stable/c/345c44e18cc10cded85cb9134830e1684495c866"
},
{
"url": "https://git.kernel.org/stable/c/ca12b98e04b5d1902ac08fe826d3500cb4b6e891"
},
{
"url": "https://git.kernel.org/stable/c/8d781a9c53034813c3194b7d94409c7d24ac73eb"
},
{
"url": "https://git.kernel.org/stable/c/5f4fa1672d98fe99d2297b03add35346f1685d6b"
}
],
"title": "iavf: Fix use-after-free in free_netdev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53556",
"datePublished": "2025-10-04T15:17:01.238Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:17:01.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38714 (GCVE-0-2025-38714)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
The hfsplus_bnode_read() method can trigger the issue:
[ 174.852007][ T9784] ==================================================================
[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
[ 174.854059][ T9784]
[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 174.854286][ T9784] Call Trace:
[ 174.854289][ T9784] <TASK>
[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
[ 174.854305][ T9784] print_report+0xd0/0x660
[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854337][ T9784] kasan_report+0xc6/0x100
[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
[ 174.854525][ T9784] ? down_write+0x148/0x200
[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
[ 174.854549][ T9784] do_unlinkat+0x490/0x670
[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 174.854658][ T9784] </TASK>
[ 174.854661][ T9784]
[ 174.879281][ T9784] Allocated by task 9784:
[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
[ 174.880082][ T9784] kasan_save_track+0x14/0x30
[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x3
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:45.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "032f7ed6717a4cd3714f9801be39fdfc7f1c7644",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffee8a7bed0fbfe29da239a922b59c5db897c613",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ab59229bef6063edf3a6fc2e3e3fd7cd2181b29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a2abd574d2fe22b8464cf6df5abb6f24d809eac0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8583d067ae22b7f32ce5277ca5543ac8bf86a3e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "475d770c19929082aab43337e6c077d0e2043df3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "291b7f2538920aa229500dbdd6c5f0927a51bc8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fa4cef8ea13b37811287ef60674c5fd1dd02ee6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()\n\nThe hfsplus_bnode_read() method can trigger the issue:\n\n[ 174.852007][ T9784] ==================================================================\n[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360\n[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784\n[ 174.854059][ T9784]\n[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)\n[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 174.854286][ T9784] Call Trace:\n[ 174.854289][ T9784] \u003cTASK\u003e\n[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0\n[ 174.854305][ T9784] print_report+0xd0/0x660\n[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610\n[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180\n[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360\n[ 174.854337][ T9784] kasan_report+0xc6/0x100\n[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360\n[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360\n[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380\n[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10\n[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0\n[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310\n[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40\n[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0\n[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0\n[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10\n[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10\n[ 174.854436][ T9784] ? __asan_memset+0x23/0x50\n[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320\n[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10\n[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0\n[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40\n[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0\n[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10\n[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0\n[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10\n[ 174.854525][ T9784] ? down_write+0x148/0x200\n[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10\n[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0\n[ 174.854549][ T9784] do_unlinkat+0x490/0x670\n[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10\n[ 174.854565][ T9784] ? __might_fault+0xbc/0x130\n[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550\n[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110\n[ 174.854592][ T9784] do_syscall_64+0xc9/0x480\n[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167\n[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08\n[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\n[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167\n[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50\n[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40\n[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0\n[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 174.854658][ T9784] \u003c/TASK\u003e\n[ 174.854661][ T9784]\n[ 174.879281][ T9784] Allocated by task 9784:\n[ 174.879664][ T9784] kasan_save_stack+0x20/0x40\n[ 174.880082][ T9784] kasan_save_track+0x14/0x30\n[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0\n[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550\n[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890\n[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10\n[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520\n[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x3\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:36.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/032f7ed6717a4cd3714f9801be39fdfc7f1c7644"
},
{
"url": "https://git.kernel.org/stable/c/ffee8a7bed0fbfe29da239a922b59c5db897c613"
},
{
"url": "https://git.kernel.org/stable/c/5ab59229bef6063edf3a6fc2e3e3fd7cd2181b29"
},
{
"url": "https://git.kernel.org/stable/c/a2abd574d2fe22b8464cf6df5abb6f24d809eac0"
},
{
"url": "https://git.kernel.org/stable/c/8583d067ae22b7f32ce5277ca5543ac8bf86a3e5"
},
{
"url": "https://git.kernel.org/stable/c/475d770c19929082aab43337e6c077d0e2043df3"
},
{
"url": "https://git.kernel.org/stable/c/291b7f2538920aa229500dbdd6c5f0927a51bc8b"
},
{
"url": "https://git.kernel.org/stable/c/7fa4cef8ea13b37811287ef60674c5fd1dd02ee6"
},
{
"url": "https://git.kernel.org/stable/c/c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2"
}
],
"title": "hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38714",
"datePublished": "2025-09-04T15:33:09.206Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:45.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53487 (GCVE-0-2023-53487)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas_flash: allow user copy to flash block cache objects
With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
/proc/powerpc/rtas/firmware_update interface to prepare a system
firmware update yields a BUG():
kernel BUG at mm/usercopy.c:102!
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in:
CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)
MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002242 XER: 0000000c
CFAR: c0000000001fbd34 IRQMASK: 0
[ ... GPRs omitted ... ]
NIP usercopy_abort+0xa0/0xb0
LR usercopy_abort+0x9c/0xb0
Call Trace:
usercopy_abort+0x9c/0xb0 (unreliable)
__check_heap_object+0x1b4/0x1d0
__check_object_size+0x2d0/0x380
rtas_flash_write+0xe4/0x250
proc_reg_write+0xfc/0x160
vfs_write+0xfc/0x4e0
ksys_write+0x90/0x160
system_call_exception+0x178/0x320
system_call_common+0x160/0x2c4
The blocks of the firmware image are copied directly from user memory
to objects allocated from flash_block_cache, so flash_block_cache must
be created using kmem_cache_create_usercopy() to mark it safe for user
access.
[mpe: Trim and indent oops]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas_flash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f09cc15dcd91d16562400c51d24c7be0d5796fa",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "1d29e21ed09fa668416fa7721e08d451b9903485",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "0ba7f969be599e21d4b1f1e947593de6515f4996",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "8ef25fb13494e35c6dbe15445c7875fa92bc3e8b",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "b8fee83aa4ed3846c7f50a0b364bc699f48d96e5",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "6acb8a453388374fafb3c3b37534b675b2aa0ae1",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "4f3175979e62de3b929bfa54a0db4b87d36257a7",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas_flash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in:\n CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)\n MSR: 8000000000029033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e CR: 24002242 XER: 0000000c\n CFAR: c0000000001fbd34 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP usercopy_abort+0xa0/0xb0\n LR usercopy_abort+0x9c/0xb0\n Call Trace:\n usercopy_abort+0x9c/0xb0 (unreliable)\n __check_heap_object+0x1b4/0x1d0\n __check_object_size+0x2d0/0x380\n rtas_flash_write+0xe4/0x250\n proc_reg_write+0xfc/0x160\n vfs_write+0xfc/0x4e0\n ksys_write+0x90/0x160\n system_call_exception+0x178/0x320\n system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:54.747Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa"
},
{
"url": "https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485"
},
{
"url": "https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996"
},
{
"url": "https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b"
},
{
"url": "https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5"
},
{
"url": "https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1"
},
{
"url": "https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7"
}
],
"title": "powerpc/rtas_flash: allow user copy to flash block cache objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53487",
"datePublished": "2025-10-01T11:42:54.747Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2025-10-01T11:42:54.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40096 (GCVE-0-2025-40096)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-10-30 09:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
When adding dependencies with drm_sched_job_add_dependency(), that
function consumes the fence reference both on success and failure, so in
the latter case the dma_fence_put() on the error path (xarray failed to
expand) is a double free.
Interestingly this bug appears to have been present ever since
commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code
back then looked like this:
drm_sched_job_add_implicit_dependencies():
...
for (i = 0; i < fence_count; i++) {
ret = drm_sched_job_add_dependency(job, fences[i]);
if (ret)
break;
}
for (; i < fence_count; i++)
dma_fence_put(fences[i]);
Which means for the failing 'i' the dma_fence_put was already a double
free. Possibly there were no users at that time, or the test cases were
insufficient to hit it.
The bug was then only noticed and fixed after
commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2")
landed, with its fixup of
commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").
At that point it was a slightly different flavour of a double free, which
commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder")
noticed and attempted to fix.
But it only moved the double free from happening inside the
drm_sched_job_add_dependency(), when releasing the reference not yet
obtained, to the caller, when releasing the reference already released by
the former in the failure case.
As such it is not easy to identify the right target for the fixes tag so
lets keep it simple and just continue the chain.
While fixing we also improve the comment and explain the reason for taking
the reference and not dropping it.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c38a63ae12ecc9370a7678077bde2d61aa80e9c",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "57239762aa90ad768dac055021f27705dae73344",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "fdfb47e85af1e11ec822c82739dde2dd8dff5115",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
},
{
"lessThan": "5801e65206b065b0b2af032f7f1eef222aa2fd83",
"status": "affected",
"version": "963d0b3569354230f6e2c36a286ef270a8901878",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies\n\nWhen adding dependencies with drm_sched_job_add_dependency(), that\nfunction consumes the fence reference both on success and failure, so in\nthe latter case the dma_fence_put() on the error path (xarray failed to\nexpand) is a double free.\n\nInterestingly this bug appears to have been present ever since\ncommit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code\nback then looked like this:\n\ndrm_sched_job_add_implicit_dependencies():\n...\n for (i = 0; i \u003c fence_count; i++) {\n ret = drm_sched_job_add_dependency(job, fences[i]);\n if (ret)\n break;\n }\n\n for (; i \u003c fence_count; i++)\n dma_fence_put(fences[i]);\n\nWhich means for the failing \u0027i\u0027 the dma_fence_put was already a double\nfree. Possibly there were no users at that time, or the test cases were\ninsufficient to hit it.\n\nThe bug was then only noticed and fixed after\ncommit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\")\nlanded, with its fixup of\ncommit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").\n\nAt that point it was a slightly different flavour of a double free, which\ncommit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\")\nnoticed and attempted to fix.\n\nBut it only moved the double free from happening inside the\ndrm_sched_job_add_dependency(), when releasing the reference not yet\nobtained, to the caller, when releasing the reference already released by\nthe former in the failure case.\n\nAs such it is not easy to identify the right target for the fixes tag so\nlets keep it simple and just continue the chain.\n\nWhile fixing we also improve the comment and explain the reason for taking\nthe reference and not dropping it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:48:03.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
},
{
"url": "https://git.kernel.org/stable/c/57239762aa90ad768dac055021f27705dae73344"
},
{
"url": "https://git.kernel.org/stable/c/e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
},
{
"url": "https://git.kernel.org/stable/c/fdfb47e85af1e11ec822c82739dde2dd8dff5115"
},
{
"url": "https://git.kernel.org/stable/c/5801e65206b065b0b2af032f7f1eef222aa2fd83"
}
],
"title": "drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40096",
"datePublished": "2025-10-30T09:48:03.954Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-10-30T09:48:03.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39845 (GCVE-0-2025-39845)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure
page tables are properly synchronized when calling p*d_populate_kernel().
For 5-level paging, synchronization is performed via
pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so
synchronization is instead performed at the P4D level via
p4d_populate_kernel().
This fixes intermittent boot failures on systems using 4-level paging and
a large amount of persistent memory:
BUG: unable to handle page fault for address: ffffe70000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
RIP: 0010:__init_single_page+0x9/0x6d
Call Trace:
<TASK>
__init_zone_device_page+0x17/0x5d
memmap_init_zone_device+0x154/0x1bb
pagemap_range+0x2e0/0x40f
memremap_pages+0x10b/0x2f0
devm_memremap_pages+0x1e/0x60
dev_dax_probe+0xce/0x2ec [device_dax]
dax_bus_probe+0x6d/0xc9
[... snip ...]
</TASK>
It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap
before sync_global_pgds() [1]:
BUG: unable to handle page fault for address: ffffeb3ff1200000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
Tainted: [W]=WARN
RIP: 0010:vmemmap_set_pmd+0xff/0x230
<TASK>
vmemmap_populate_hugepages+0x176/0x180
vmemmap_populate+0x34/0x80
__populate_section_memmap+0x41/0x90
sparse_add_section+0x121/0x3e0
__add_pages+0xba/0x150
add_pages+0x1d/0x70
memremap_pages+0x3dc/0x810
devm_memremap_pages+0x1c/0x60
xe_devm_add+0x8b/0x100 [xe]
xe_tile_init_noalloc+0x6a/0x70 [xe]
xe_device_probe+0x48c/0x740 [xe]
[... snip ...]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 Version: 8d400913c231bd1da74067255816453f96cd35b0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:00.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/pgtable_64_types.h",
"arch/x86/mm/init_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "744ff519c72de31344a627eaf9b24e9595aae554",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "5f761d40ee95d2624f839c90ebeef2d5c55007f5",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "26ff568f390a531d1bd792e49f1a401849921960",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "b7f4051dd3388edd30e9a6077c05c486aa31e0d4",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6bf9473727569e8283c1e2445c7ac42cf4fc9fa9",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
},
{
"lessThan": "6659d027998083fbb6d42a165b0c90dc2e8ba989",
"status": "affected",
"version": "8d400913c231bd1da74067255816453f96cd35b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/pgtable_64_types.h",
"arch/x86/mm/init_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is performed via\npgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n BUG: unable to handle page fault for address: ffffe70000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP NOPTI\n RIP: 0010:__init_single_page+0x9/0x6d\n Call Trace:\n \u003cTASK\u003e\n __init_zone_device_page+0x17/0x5d\n memmap_init_zone_device+0x154/0x1bb\n pagemap_range+0x2e0/0x40f\n memremap_pages+0x10b/0x2f0\n devm_memremap_pages+0x1e/0x60\n dev_dax_probe+0xce/0x2ec [device_dax]\n dax_bus_probe+0x6d/0xc9\n [... snip ...]\n \u003c/TASK\u003e\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n BUG: unable to handle page fault for address: ffffeb3ff1200000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n Tainted: [W]=WARN\n RIP: 0010:vmemmap_set_pmd+0xff/0x230\n \u003cTASK\u003e\n vmemmap_populate_hugepages+0x176/0x180\n vmemmap_populate+0x34/0x80\n __populate_section_memmap+0x41/0x90\n sparse_add_section+0x121/0x3e0\n __add_pages+0xba/0x150\n add_pages+0x1d/0x70\n memremap_pages+0x3dc/0x810\n devm_memremap_pages+0x1c/0x60\n xe_devm_add+0x8b/0x100 [xe]\n xe_tile_init_noalloc+0x6a/0x70 [xe]\n xe_device_probe+0x48c/0x740 [xe]\n [... snip ...]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:54.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/744ff519c72de31344a627eaf9b24e9595aae554"
},
{
"url": "https://git.kernel.org/stable/c/5f761d40ee95d2624f839c90ebeef2d5c55007f5"
},
{
"url": "https://git.kernel.org/stable/c/26ff568f390a531d1bd792e49f1a401849921960"
},
{
"url": "https://git.kernel.org/stable/c/b7f4051dd3388edd30e9a6077c05c486aa31e0d4"
},
{
"url": "https://git.kernel.org/stable/c/6bf9473727569e8283c1e2445c7ac42cf4fc9fa9"
},
{
"url": "https://git.kernel.org/stable/c/6659d027998083fbb6d42a165b0c90dc2e8ba989"
}
],
"title": "x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39845",
"datePublished": "2025-09-19T15:26:19.225Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:00.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50567 (GCVE-0-2022-50567)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: fix shift-out-of-bounds in dbAllocAG
Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The
underlying bug is the missing check of bmp->db_agl2size. The field can
be greater than 64 and trigger the shift-out-of-bounds.
Fix this bug by adding a check of bmp->db_agl2size in dbMount since this
field is used in many following functions. The upper bound for this
field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp.
Note that, for maintenance, I reorganized error handling code of dbMount.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b486946a4e62c7ef6023f7d9c1d049051384ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3115313cf03113e87c87adee18ee49a20bbdb9ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eea87acb6027be3dd4d3c57186bb22800d57fdda",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "359616ce587e524107730504891afa4b1a8be58c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e997e4ce8ae7ab89d72334120f6aee49c5bbdbd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0536f76a2bca83d1a3740517ba22cc93a44b3099",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c575c8905f7a8b32d5611b91856b69bac2a5bf1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "67973caae78e21ee46a7281aaa8ca364eb9c444f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "898f706695682b9954f280d95e49fa86ffa55d08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: fix shift-out-of-bounds in dbAllocAG\n\nSyzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The\nunderlying bug is the missing check of bmp-\u003edb_agl2size. The field can\nbe greater than 64 and trigger the shift-out-of-bounds.\n\nFix this bug by adding a check of bmp-\u003edb_agl2size in dbMount since this\nfield is used in many following functions. The upper bound for this\nfield is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp.\nNote that, for maintenance, I reorganized error handling code of dbMount."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:24.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b486946a4e62c7ef6023f7d9c1d049051384ba"
},
{
"url": "https://git.kernel.org/stable/c/3115313cf03113e87c87adee18ee49a20bbdb9ba"
},
{
"url": "https://git.kernel.org/stable/c/eea87acb6027be3dd4d3c57186bb22800d57fdda"
},
{
"url": "https://git.kernel.org/stable/c/359616ce587e524107730504891afa4b1a8be58c"
},
{
"url": "https://git.kernel.org/stable/c/3e997e4ce8ae7ab89d72334120f6aee49c5bbdbd"
},
{
"url": "https://git.kernel.org/stable/c/0536f76a2bca83d1a3740517ba22cc93a44b3099"
},
{
"url": "https://git.kernel.org/stable/c/2c575c8905f7a8b32d5611b91856b69bac2a5bf1"
},
{
"url": "https://git.kernel.org/stable/c/67973caae78e21ee46a7281aaa8ca364eb9c444f"
},
{
"url": "https://git.kernel.org/stable/c/898f706695682b9954f280d95e49fa86ffa55d08"
}
],
"title": "fs: jfs: fix shift-out-of-bounds in dbAllocAG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50567",
"datePublished": "2025-10-22T13:23:24.508Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2025-10-22T13:23:24.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53656 (GCVE-0-2023-53656)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers/perf: hisi: Don't migrate perf to the CPU going to teardown
The driver needs to migrate the perf context if the current using CPU going
to teardown. By the time calling the cpuhp::teardown() callback the
cpu_online_mask() hasn't updated yet and still includes the CPU going to
teardown. In current driver's implementation we may migrate the context
to the teardown CPU and leads to the below calltrace:
...
[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008
[ 368.113699][ T932] Call trace:
[ 368.116834][ T932] __switch_to+0x7c/0xbc
[ 368.120924][ T932] __schedule+0x338/0x6f0
[ 368.125098][ T932] schedule+0x50/0xe0
[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24
[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc
[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30
[ 368.144573][ T932] mutex_lock+0x50/0x60
[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0
[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]
[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650
[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190
[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0
[ 368.175099][ T932] kthread+0x108/0x13c
[ 368.179012][ T932] ret_from_fork+0x10/0x18
...
Use function cpumask_any_but() to find one correct active cpu to fixes
this issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/hisilicon/hisi_pcie_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be9c8c9c84b6d25a7b7d39954030aba6f759feb6",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "f564e543a43d0f1cabac791672c8a6fc78ce12d0",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "b64569897d86b611befbb895d815280fea94e1ed",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
},
{
"lessThan": "7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a",
"status": "affected",
"version": "8404b0fbc7fbd42e5c5d28cdedd450e70829c77a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/hisilicon/hisi_pcie_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: Don\u0027t migrate perf to the CPU going to teardown\n\nThe driver needs to migrate the perf context if the current using CPU going\nto teardown. By the time calling the cpuhp::teardown() callback the\ncpu_online_mask() hasn\u0027t updated yet and still includes the CPU going to\nteardown. In current driver\u0027s implementation we may migrate the context\nto the teardown CPU and leads to the below calltrace:\n\n...\n[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008\n[ 368.113699][ T932] Call trace:\n[ 368.116834][ T932] __switch_to+0x7c/0xbc\n[ 368.120924][ T932] __schedule+0x338/0x6f0\n[ 368.125098][ T932] schedule+0x50/0xe0\n[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24\n[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30\n[ 368.144573][ T932] mutex_lock+0x50/0x60\n[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0\n[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]\n[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650\n[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190\n[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0\n[ 368.175099][ T932] kthread+0x108/0x13c\n[ 368.179012][ T932] ret_from_fork+0x10/0x18\n...\n\nUse function cpumask_any_but() to find one correct active cpu to fixes\nthis issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:17.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be9c8c9c84b6d25a7b7d39954030aba6f759feb6"
},
{
"url": "https://git.kernel.org/stable/c/f564e543a43d0f1cabac791672c8a6fc78ce12d0"
},
{
"url": "https://git.kernel.org/stable/c/b64569897d86b611befbb895d815280fea94e1ed"
},
{
"url": "https://git.kernel.org/stable/c/7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a"
}
],
"title": "drivers/perf: hisi: Don\u0027t migrate perf to the CPU going to teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53656",
"datePublished": "2025-10-07T15:21:17.572Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:21:17.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53379 (GCVE-0-2023-53379)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
Smatch reports:
drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()
warn: missing unwind goto?
After geting irq, if ret < 0, it will return without error handling to
free memory.
Just add error handling to fix this problem.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3f06415418f37ac602e71a61ee83ea43553e6bbd Version: 5e2d2f05204f7ab9c645a1fb9f10a3f6393dd2fa Version: 606668e24a0d7fd262e2326d76bb60b965fe713f Version: 494629ba62a961de1f2dd0b7125878acb27b8043 Version: 0d45a1373e669880b8beaecc8765f44cb0241e47 Version: 0d45a1373e669880b8beaecc8765f44cb0241e47 Version: 0d45a1373e669880b8beaecc8765f44cb0241e47 Version: 0d45a1373e669880b8beaecc8765f44cb0241e47 Version: 62e663c172115b9e26a0856508db6277871a7c32 Version: 4eab21911d5d6a3377b8965b9fb06463b248fe6b Version: dcf379ea4e93b8ea23d628db68ae953b26d63af1 Version: b45f0d0105a0f50e681dc8fac4b32e1192de34f2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-tahvo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e5a7bebf832b1482efe27bcc15a88c5b28a30d0",
"status": "affected",
"version": "3f06415418f37ac602e71a61ee83ea43553e6bbd",
"versionType": "git"
},
{
"lessThan": "4da9edeccf77d7b4c6dbcb34d5908acdaa5bd7e3",
"status": "affected",
"version": "5e2d2f05204f7ab9c645a1fb9f10a3f6393dd2fa",
"versionType": "git"
},
{
"lessThan": "fe9cdc19861950582f077f254a12026e169eaee5",
"status": "affected",
"version": "606668e24a0d7fd262e2326d76bb60b965fe713f",
"versionType": "git"
},
{
"lessThan": "56901de563359de20513e16a9ae008ae2c22e9a9",
"status": "affected",
"version": "494629ba62a961de1f2dd0b7125878acb27b8043",
"versionType": "git"
},
{
"lessThan": "ecf26d6e1b5450620c214feea537bb6ce05c6741",
"status": "affected",
"version": "0d45a1373e669880b8beaecc8765f44cb0241e47",
"versionType": "git"
},
{
"lessThan": "dd9b7c89a80428cc5f4ae0d2e1311fdedb2a1aac",
"status": "affected",
"version": "0d45a1373e669880b8beaecc8765f44cb0241e47",
"versionType": "git"
},
{
"lessThan": "38dbd6f72bfbeba009efe0e9ec1f3ff09f9e23fa",
"status": "affected",
"version": "0d45a1373e669880b8beaecc8765f44cb0241e47",
"versionType": "git"
},
{
"lessThan": "342161c11403ea00e9febc16baab1d883d589d04",
"status": "affected",
"version": "0d45a1373e669880b8beaecc8765f44cb0241e47",
"versionType": "git"
},
{
"status": "affected",
"version": "62e663c172115b9e26a0856508db6277871a7c32",
"versionType": "git"
},
{
"status": "affected",
"version": "4eab21911d5d6a3377b8965b9fb06463b248fe6b",
"versionType": "git"
},
{
"status": "affected",
"version": "dcf379ea4e93b8ea23d628db68ae953b26d63af1",
"versionType": "git"
},
{
"status": "affected",
"version": "b45f0d0105a0f50e681dc8fac4b32e1192de34f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-tahvo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()\n\nSmatch reports:\ndrivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()\nwarn: missing unwind goto?\n\nAfter geting irq, if ret \u003c 0, it will return without error handling to\nfree memory.\nJust add error handling to fix this problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:24.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e5a7bebf832b1482efe27bcc15a88c5b28a30d0"
},
{
"url": "https://git.kernel.org/stable/c/4da9edeccf77d7b4c6dbcb34d5908acdaa5bd7e3"
},
{
"url": "https://git.kernel.org/stable/c/fe9cdc19861950582f077f254a12026e169eaee5"
},
{
"url": "https://git.kernel.org/stable/c/56901de563359de20513e16a9ae008ae2c22e9a9"
},
{
"url": "https://git.kernel.org/stable/c/ecf26d6e1b5450620c214feea537bb6ce05c6741"
},
{
"url": "https://git.kernel.org/stable/c/dd9b7c89a80428cc5f4ae0d2e1311fdedb2a1aac"
},
{
"url": "https://git.kernel.org/stable/c/38dbd6f72bfbeba009efe0e9ec1f3ff09f9e23fa"
},
{
"url": "https://git.kernel.org/stable/c/342161c11403ea00e9febc16baab1d883d589d04"
}
],
"title": "usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53379",
"datePublished": "2025-09-18T13:33:24.625Z",
"dateReserved": "2025-09-17T14:54:09.736Z",
"dateUpdated": "2025-09-18T13:33:24.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50570 (GCVE-0-2022-50570)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: fix memory corruption in ioctl
If "s_mem.bytes" is larger than the buffer size it leads to memory
corruption.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eda2e30c6684d67288edb841c6125d48c608a242 Version: eda2e30c6684d67288edb841c6125d48c608a242 Version: eda2e30c6684d67288edb841c6125d48c608a242 Version: eda2e30c6684d67288edb841c6125d48c608a242 Version: eda2e30c6684d67288edb841c6125d48c608a242 Version: eda2e30c6684d67288edb841c6125d48c608a242 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e548f9503c4b3292a60a63fe77dccea62999a35a",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
},
{
"lessThan": "868fc93b615b9f6c2b0b1894536618fa6cd66acc",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
},
{
"lessThan": "fd1d3b265784a2243fcaef06aebfb2f8ee733cec",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
},
{
"lessThan": "f143f1d9a8e5c6c9db3de81ca270191226fcce36",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
},
{
"lessThan": "0c2e18924504208644d18415667895a4ac54cf2a",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
},
{
"lessThan": "8a07b45fd3c2dda24fad43639be5335a4595196a",
"status": "affected",
"version": "eda2e30c6684d67288edb841c6125d48c608a242",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: fix memory corruption in ioctl\n\nIf \"s_mem.bytes\" is larger than the buffer size it leads to memory\ncorruption."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:26.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e548f9503c4b3292a60a63fe77dccea62999a35a"
},
{
"url": "https://git.kernel.org/stable/c/868fc93b615b9f6c2b0b1894536618fa6cd66acc"
},
{
"url": "https://git.kernel.org/stable/c/fd1d3b265784a2243fcaef06aebfb2f8ee733cec"
},
{
"url": "https://git.kernel.org/stable/c/f143f1d9a8e5c6c9db3de81ca270191226fcce36"
},
{
"url": "https://git.kernel.org/stable/c/0c2e18924504208644d18415667895a4ac54cf2a"
},
{
"url": "https://git.kernel.org/stable/c/8a07b45fd3c2dda24fad43639be5335a4595196a"
}
],
"title": "platform/chrome: fix memory corruption in ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50570",
"datePublished": "2025-10-22T13:23:26.495Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2025-10-22T13:23:26.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53578 (GCVE-0-2023-53578)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
Syzbot reported a bug as following:
=====================================================
BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
call_write_iter include/linux/fs.h:2189 [inline]
aio_write+0x63a/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook mm/slab.h:766 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
__kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:967 [inline]
__kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
kmalloc_reserve net/core/skbuff.c:492 [inline]
__alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
__netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
call_write_iter include/linux/fs.h:2189 [inline]
aio_write+0x63a/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)
in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().
But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type
equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot
scenario. This triggers the uninit variable access bug.
Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in
qrtr_endpoint_post() to fix the bug.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3814d211ff13ee35f2d9437439a6c7df58524137",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "c6a796ee5a639ffb83c6e5469408cc2ec16cac6a",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "bef57c227b52c2bde00fad33556175d36d12cfa0",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "8c9ce34a6ff2c544f96ce0b088e8fd3c1b9698c4",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "6417070918de3bcdbe0646e7256dae58fd8083ba",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()\n\nSyzbot reported a bug as following:\n\n=====================================================\nBUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988\n kmalloc_reserve net/core/skbuff.c:492 [inline]\n __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565\n __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630\n qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because that skb-\u003elen requires at least sizeof(struct qrtr_ctrl_pkt)\nin qrtr_tx_resume(). And skb-\u003elen equals to size in qrtr_endpoint_post().\nBut size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb-\u003etype\nequals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot\nscenario. This triggers the uninit variable access bug.\n\nAdd size check when qrtr_cb-\u003etype equals to QRTR_TYPE_RESUME_TX in\nqrtr_endpoint_post() to fix the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:17.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3814d211ff13ee35f2d9437439a6c7df58524137"
},
{
"url": "https://git.kernel.org/stable/c/c6a796ee5a639ffb83c6e5469408cc2ec16cac6a"
},
{
"url": "https://git.kernel.org/stable/c/bef57c227b52c2bde00fad33556175d36d12cfa0"
},
{
"url": "https://git.kernel.org/stable/c/8c9ce34a6ff2c544f96ce0b088e8fd3c1b9698c4"
},
{
"url": "https://git.kernel.org/stable/c/6417070918de3bcdbe0646e7256dae58fd8083ba"
}
],
"title": "net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53578",
"datePublished": "2025-10-04T15:17:17.350Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:17:17.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39996 (GCVE-0-2025-39996)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
does not guarantee that the delayed work item irq_check_work has fully
completed if it was already running. This leads to use-after-free scenarios
where flexcop_pci_remove() may free the flexcop_device while irq_check_work
is still active and attempts to dereference the device.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
flexcop_pci_remove() | flexcop_pci_irq_check_work()
cancel_delayed_work() |
flexcop_device_kfree(fc_pci->fc_dev) |
| fc = fc_pci->fc_dev; // UAF
This is confirmed by a KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? __pfx___run_timer_base.part.0+0x10/0x10
? __pfx_read_tsc+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
run_timer_softirq+0xd1/0x190
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 1:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x1be/0x460
flexcop_device_kmalloc+0x54/0xe0
flexcop_pci_probe+0x1f/0x9d0
local_pci_probe+0xdc/0x190
pci_device_probe+0x2fe/0x470
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__driver_attach+0xd2/0x310
bus_for_each_dev+0xed/0x170
bus_add_driver+0x208/0x500
driver_register+0x132/0x460
do_one_initcall+0x89/0x300
kernel_init_freeable+0x40d/0x720
kernel_init+0x1a/0x150
ret_from_fork+0x10c/0x1a0
ret_from_fork_asm+0x1a/0x30
Freed by task 135:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
flexcop_device_kfree+0x32/0x50
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0xf8/0x210
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device_locked+0x15/0x30
remove_store+0xcc/0xe0
kernfs_fop_write_iter+0x2c3/0x440
vfs_write+0x871/0xd70
ksys_write+0xee/0x1c0
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing delayed
work has finished before the device memory is deallocated.
This bug was initially identified through static analysis. To reproduce
and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
artificial delays within the flexcop_pci_irq_check_work() function to
increase the likelihood of triggering the bug.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "607010d07b8a509b01ed15ea12744acac6536a98",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bde8173def374230226e8554efb51b271f4066ec",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "d502df8a716d993fa0f9d8c00684f1190750e28e",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bb10a9ddc8d6c5dbf098f21eb1055a652652e524",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "514a519baa9e2be7ddc2714bd730bc5a883e1244",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "3ffabc79388e68877d9c02f724a0b7a38d519daf",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "6a92f5796880f5aa345f0fed53ef511e3fd6f706",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "01e03fb7db419d39e18d6090d4873c1bff103914",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nflexcop_pci_remove() | flexcop_pci_irq_check_work()\n cancel_delayed_work() |\n flexcop_device_kfree(fc_pci-\u003efc_dev) |\n | fc = fc_pci-\u003efc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:14.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/607010d07b8a509b01ed15ea12744acac6536a98"
},
{
"url": "https://git.kernel.org/stable/c/bde8173def374230226e8554efb51b271f4066ec"
},
{
"url": "https://git.kernel.org/stable/c/120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b"
},
{
"url": "https://git.kernel.org/stable/c/d502df8a716d993fa0f9d8c00684f1190750e28e"
},
{
"url": "https://git.kernel.org/stable/c/bb10a9ddc8d6c5dbf098f21eb1055a652652e524"
},
{
"url": "https://git.kernel.org/stable/c/514a519baa9e2be7ddc2714bd730bc5a883e1244"
},
{
"url": "https://git.kernel.org/stable/c/3ffabc79388e68877d9c02f724a0b7a38d519daf"
},
{
"url": "https://git.kernel.org/stable/c/6a92f5796880f5aa345f0fed53ef511e3fd6f706"
},
{
"url": "https://git.kernel.org/stable/c/01e03fb7db419d39e18d6090d4873c1bff103914"
}
],
"title": "media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39996",
"datePublished": "2025-10-15T07:58:21.049Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-29T13:19:14.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53336 (GCVE-0-2023-53336)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings
When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run
sensor->adev is not set yet.
So if either of the dev_warn() calls about unknown values are hit this
will lead to a NULL pointer deref.
Set sensor->adev earlier, with a borrowed ref to avoid making unrolling
on errors harder, to fix this.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ipu-bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3de35e29cfddfe6bff762b15bcfe8d80bebac6cb",
"status": "affected",
"version": "485aa3df0dffa62d347ea4e0116f549338accc59",
"versionType": "git"
},
{
"lessThan": "e08b091e33ecf6e4cb2c0c5820a69abe7673280b",
"status": "affected",
"version": "485aa3df0dffa62d347ea4e0116f549338accc59",
"versionType": "git"
},
{
"lessThan": "284be5693163343e1cf17c03917eecd1d6681bcf",
"status": "affected",
"version": "485aa3df0dffa62d347ea4e0116f549338accc59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ipu-bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings\n\nWhen ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run\nsensor-\u003eadev is not set yet.\n\nSo if either of the dev_warn() calls about unknown values are hit this\nwill lead to a NULL pointer deref.\n\nSet sensor-\u003eadev earlier, with a borrowed ref to avoid making unrolling\non errors harder, to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:30.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3de35e29cfddfe6bff762b15bcfe8d80bebac6cb"
},
{
"url": "https://git.kernel.org/stable/c/e08b091e33ecf6e4cb2c0c5820a69abe7673280b"
},
{
"url": "https://git.kernel.org/stable/c/284be5693163343e1cf17c03917eecd1d6681bcf"
}
],
"title": "media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53336",
"datePublished": "2025-09-17T14:56:30.752Z",
"dateReserved": "2025-09-16T16:08:59.565Z",
"dateUpdated": "2025-09-17T14:56:30.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53545 (GCVE-0-2023-53545)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: unmap and remove csa_va properly
Root PD BO should be reserved before unmap and remove
a bo_va from VM otherwise lockdep will complain.
v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)
[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]
[14616.937096] Call Trace:
[14616.937097] <TASK>
[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]
[14616.937187] drm_file_free+0x1d6/0x300 [drm]
[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]
[14616.937220] drm_release+0x5e/0x100 [drm]
[14616.937234] __fput+0x9f/0x280
[14616.937239] ____fput+0xe/0x20
[14616.937241] task_work_run+0x61/0x90
[14616.937246] exit_to_user_mode_prepare+0x215/0x220
[14616.937251] syscall_exit_to_user_mode+0x2a/0x60
[14616.937254] do_syscall_64+0x48/0x90
[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5daff15cd013422bc6d1efcfe82b586800025384",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: unmap and remove csa_va properly\n\nRoot PD BO should be reserved before unmap and remove\na bo_va from VM otherwise lockdep will complain.\n\nv2: check fpriv-\u003ecsa_va is not NULL instead of amdgpu_mcbp (christian)\n\n[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]\n[14616.937096] Call Trace:\n[14616.937097] \u003cTASK\u003e\n[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]\n[14616.937187] drm_file_free+0x1d6/0x300 [drm]\n[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]\n[14616.937220] drm_release+0x5e/0x100 [drm]\n[14616.937234] __fput+0x9f/0x280\n[14616.937239] ____fput+0xe/0x20\n[14616.937241] task_work_run+0x61/0x90\n[14616.937246] exit_to_user_mode_prepare+0x215/0x220\n[14616.937251] syscall_exit_to_user_mode+0x2a/0x60\n[14616.937254] do_syscall_64+0x48/0x90\n[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:53.452Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0"
},
{
"url": "https://git.kernel.org/stable/c/5daff15cd013422bc6d1efcfe82b586800025384"
}
],
"title": "drm/amdgpu: unmap and remove csa_va properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53545",
"datePublished": "2025-10-04T15:16:53.452Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2025-10-04T15:16:53.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40091 (GCVE-0-2025-40091)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2025-10-30 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: fix too early devlink_free() in ixgbe_remove()
Since ixgbe_adapter is embedded in devlink, calling devlink_free()
prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free()
to the end.
KASAN report:
BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]
Read of size 8 at addr ffff0000adf813e0 by task bash/2095
CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)
[...]
Call trace:
show_stack+0x30/0x90 (C)
dump_stack_lvl+0x9c/0xd0
print_address_description.constprop.0+0x90/0x310
print_report+0x104/0x1f0
kasan_report+0x88/0x180
__asan_report_load8_noabort+0x20/0x30
ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]
ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]
ixgbe_remove+0x2d0/0x8c0 [ixgbe]
pci_device_remove+0xa0/0x220
device_remove+0xb8/0x170
device_release_driver_internal+0x318/0x490
device_driver_detach+0x40/0x68
unbind_store+0xec/0x118
drv_attr_store+0x64/0xb8
sysfs_kf_write+0xcc/0x138
kernfs_fop_write_iter+0x294/0x440
new_sync_write+0x1fc/0x588
vfs_write+0x480/0x6a0
ksys_write+0xf0/0x1e0
__arm64_sys_write+0x70/0xc0
invoke_syscall.constprop.0+0xcc/0x280
el0_svc_common.constprop.0+0xa8/0x248
do_el0_svc+0x44/0x68
el0_svc+0x54/0x160
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1b0/0x1b8
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df445969aa727cd64f3f29dc1f85fb60aca238d1",
"status": "affected",
"version": "a0285236ab93fdfdd1008afaa04561d142d6c276",
"versionType": "git"
},
{
"lessThan": "5feef67b646d8f5064bac288e22204ffba2b9a4a",
"status": "affected",
"version": "a0285236ab93fdfdd1008afaa04561d142d6c276",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix too early devlink_free() in ixgbe_remove()\n\nSince ixgbe_adapter is embedded in devlink, calling devlink_free()\nprematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free()\nto the end.\n\nKASAN report:\n\n BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]\n Read of size 8 at addr ffff0000adf813e0 by task bash/2095\n CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)\n [...]\n Call trace:\n show_stack+0x30/0x90 (C)\n dump_stack_lvl+0x9c/0xd0\n print_address_description.constprop.0+0x90/0x310\n print_report+0x104/0x1f0\n kasan_report+0x88/0x180\n __asan_report_load8_noabort+0x20/0x30\n ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]\n ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]\n ixgbe_remove+0x2d0/0x8c0 [ixgbe]\n pci_device_remove+0xa0/0x220\n device_remove+0xb8/0x170\n device_release_driver_internal+0x318/0x490\n device_driver_detach+0x40/0x68\n unbind_store+0xec/0x118\n drv_attr_store+0x64/0xb8\n sysfs_kf_write+0xcc/0x138\n kernfs_fop_write_iter+0x294/0x440\n new_sync_write+0x1fc/0x588\n vfs_write+0x480/0x6a0\n ksys_write+0xf0/0x1e0\n __arm64_sys_write+0x70/0xc0\n invoke_syscall.constprop.0+0xcc/0x280\n el0_svc_common.constprop.0+0xa8/0x248\n do_el0_svc+0x44/0x68\n el0_svc+0x54/0x160\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1b0/0x1b8"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:47:59.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df445969aa727cd64f3f29dc1f85fb60aca238d1"
},
{
"url": "https://git.kernel.org/stable/c/5feef67b646d8f5064bac288e22204ffba2b9a4a"
}
],
"title": "ixgbe: fix too early devlink_free() in ixgbe_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40091",
"datePublished": "2025-10-30T09:47:59.253Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2025-10-30T09:47:59.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38083 (GCVE-0-2025-38083)
Vulnerability from cvelistv5
Published
2025-06-20 11:21
Modified
2025-11-03 17:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: prio: fix a race in prio_tune()
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 Version: 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:50.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_prio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53d11560e957d53ee87a0653d258038ce12361b7",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "4483d8b9127591c60c4eb789d6cab953bc4522a9",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "46c15c9d0f65c9ba857d63f53264f4b17e8a715f",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "e3f6745006dc9423d2b065b90f191cfa11b1b584",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "93f9eeb678d4c9c1abf720b3615fa8299a490845",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
},
{
"lessThan": "d35acc1be3480505b5931f17e4ea9b7617fea4d3",
"status": "affected",
"version": "7b8e0b6e659983154c8d7e756cdb833d89a3d4d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_prio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: prio: fix a race in prio_tune()\n\nGerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n | [5]: lock root\n | [6]: rehash\n | [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:11:55.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53d11560e957d53ee87a0653d258038ce12361b7"
},
{
"url": "https://git.kernel.org/stable/c/4483d8b9127591c60c4eb789d6cab953bc4522a9"
},
{
"url": "https://git.kernel.org/stable/c/20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f"
},
{
"url": "https://git.kernel.org/stable/c/3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4"
},
{
"url": "https://git.kernel.org/stable/c/46c15c9d0f65c9ba857d63f53264f4b17e8a715f"
},
{
"url": "https://git.kernel.org/stable/c/e3f6745006dc9423d2b065b90f191cfa11b1b584"
},
{
"url": "https://git.kernel.org/stable/c/93f9eeb678d4c9c1abf720b3615fa8299a490845"
},
{
"url": "https://git.kernel.org/stable/c/d35acc1be3480505b5931f17e4ea9b7617fea4d3"
}
],
"title": "net_sched: prio: fix a race in prio_tune()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38083",
"datePublished": "2025-06-20T11:21:51.554Z",
"dateReserved": "2025-04-16T04:51:23.981Z",
"dateUpdated": "2025-11-03T17:33:50.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53660 (GCVE-0-2023-53660)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, cpumap: Handle skb as well when clean up ptr_ring
The following warning was reported when running xdp_redirect_cpu with
both skb-mode and stress-mode enabled:
------------[ cut here ]------------
Incorrect XDP memory type (-2128176192) usage
WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405
Modules linked in:
CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: events __cpu_map_entry_free
RIP: 0010:__xdp_return+0x1e4/0x4a0
......
Call Trace:
<TASK>
? show_regs+0x65/0x70
? __warn+0xa5/0x240
? __xdp_return+0x1e4/0x4a0
......
xdp_return_frame+0x4d/0x150
__cpu_map_entry_free+0xf9/0x230
process_one_work+0x6b0/0xb80
worker_thread+0x96/0x720
kthread+0x1a5/0x1f0
ret_from_fork+0x3a/0x70
ret_from_fork_asm+0x1b/0x30
</TASK>
The reason for the warning is twofold. One is due to the kthread
cpu_map_kthread_run() is stopped prematurely. Another one is
__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in
ptr_ring as XDP frames.
Prematurely-stopped kthread will be fixed by the preceding patch and
ptr_ring will be empty when __cpu_map_ring_cleanup() is called. But
as the comments in __cpu_map_ring_cleanup() said, handling and freeing
skbs in ptr_ring as well to "catch any broken behaviour gracefully".
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b58d34068fd9f96bfc7d389988dfaf9a92a8fe00",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "cbd000451885801e9bbfd9cf7a7946806a85cb5e",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "937345720d18f1ad006ba3d5dcb3fa121037b8a2",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
},
{
"lessThan": "7c62b75cd1a792e14b037fa4f61f9b18914e7de1",
"status": "affected",
"version": "11941f8a85362f612df61f4aaab0e41b64d2111d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cpumap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Handle skb as well when clean up ptr_ring\n\nThe following warning was reported when running xdp_redirect_cpu with\nboth skb-mode and stress-mode enabled:\n\n ------------[ cut here ]------------\n Incorrect XDP memory type (-2128176192) usage\n WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405\n Modules linked in:\n CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: events __cpu_map_entry_free\n RIP: 0010:__xdp_return+0x1e4/0x4a0\n ......\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x65/0x70\n ? __warn+0xa5/0x240\n ? __xdp_return+0x1e4/0x4a0\n ......\n xdp_return_frame+0x4d/0x150\n __cpu_map_entry_free+0xf9/0x230\n process_one_work+0x6b0/0xb80\n worker_thread+0x96/0x720\n kthread+0x1a5/0x1f0\n ret_from_fork+0x3a/0x70\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe reason for the warning is twofold. One is due to the kthread\ncpu_map_kthread_run() is stopped prematurely. Another one is\n__cpu_map_ring_cleanup() doesn\u0027t handle skb mode and treats skbs in\nptr_ring as XDP frames.\n\nPrematurely-stopped kthread will be fixed by the preceding patch and\nptr_ring will be empty when __cpu_map_ring_cleanup() is called. But\nas the comments in __cpu_map_ring_cleanup() said, handling and freeing\nskbs in ptr_ring as well to \"catch any broken behaviour gracefully\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:20.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b58d34068fd9f96bfc7d389988dfaf9a92a8fe00"
},
{
"url": "https://git.kernel.org/stable/c/cbd000451885801e9bbfd9cf7a7946806a85cb5e"
},
{
"url": "https://git.kernel.org/stable/c/937345720d18f1ad006ba3d5dcb3fa121037b8a2"
},
{
"url": "https://git.kernel.org/stable/c/7c62b75cd1a792e14b037fa4f61f9b18914e7de1"
}
],
"title": "bpf, cpumap: Handle skb as well when clean up ptr_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53660",
"datePublished": "2025-10-07T15:21:20.307Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:20.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53255 (GCVE-0-2023-53255)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()
svc_create_memory_pool() is only called from stratix10_svc_drv_probe().
Most of resources in the probe are managed, but not this memremap() call.
There is also no memunmap() call in the file.
So switch to devm_memremap() to avoid a resource leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7ca5ce896524f5292e610b27d168269e5ab74951 Version: 7ca5ce896524f5292e610b27d168269e5ab74951 Version: 7ca5ce896524f5292e610b27d168269e5ab74951 Version: 7ca5ce896524f5292e610b27d168269e5ab74951 Version: 7ca5ce896524f5292e610b27d168269e5ab74951 Version: 7ca5ce896524f5292e610b27d168269e5ab74951 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3373e6b6c79aff698442b00d20c9f285d296e46",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
},
{
"lessThan": "c04ed61ebf01968d7699b121663982493ed577fb",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
},
{
"lessThan": "974ac045a05ad12a0b4578fb303f00dcc22f3aba",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
},
{
"lessThan": "cb8a31a56df8492fb0d900959238e1a3ff8b8981",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
},
{
"lessThan": "7363de081c793e47866cb54ce7cb8a480cffc259",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
},
{
"lessThan": "1995f15590ca222f91193ed11461862b450abfd6",
"status": "affected",
"version": "7ca5ce896524f5292e610b27d168269e5ab74951",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()\n\nsvc_create_memory_pool() is only called from stratix10_svc_drv_probe().\nMost of resources in the probe are managed, but not this memremap() call.\n\nThere is also no memunmap() call in the file.\n\nSo switch to devm_memremap() to avoid a resource leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:27.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3373e6b6c79aff698442b00d20c9f285d296e46"
},
{
"url": "https://git.kernel.org/stable/c/c04ed61ebf01968d7699b121663982493ed577fb"
},
{
"url": "https://git.kernel.org/stable/c/974ac045a05ad12a0b4578fb303f00dcc22f3aba"
},
{
"url": "https://git.kernel.org/stable/c/cb8a31a56df8492fb0d900959238e1a3ff8b8981"
},
{
"url": "https://git.kernel.org/stable/c/7363de081c793e47866cb54ce7cb8a480cffc259"
},
{
"url": "https://git.kernel.org/stable/c/1995f15590ca222f91193ed11461862b450abfd6"
}
],
"title": "firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53255",
"datePublished": "2025-09-15T14:46:27.124Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2025-09-15T14:46:27.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40060 (GCVE-0-2025-40060)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: trbe: Return NULL pointer for allocation failures
When the TRBE driver fails to allocate a buffer, it currently returns
the error code "-ENOMEM". However, the caller etm_setup_aux() only
checks for a NULL pointer, so it misses the error. As a result, the
driver continues and eventually causes a kernel panic.
Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on
allocation failures. This allows that the callers can properly handle
the failure.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cef047e0a55cb07906fcaae99170f19a9c0bb6c2",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "fe53a726d5edf864e80b490780cc135fc1adece9",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "9768536f82600a05ce901e31ccfabd92c027ff71",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "296da78494633e1ab5e2e74173a9c8683b04aa6b",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "f505a165f1c7cd37b4cb6952042a5984693a4067",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "8a55c161f7f9c1aa1c70611b39830d51c83ef36d",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: trbe: Return NULL pointer for allocation failures\n\nWhen the TRBE driver fails to allocate a buffer, it currently returns\nthe error code \"-ENOMEM\". However, the caller etm_setup_aux() only\nchecks for a NULL pointer, so it misses the error. As a result, the\ndriver continues and eventually causes a kernel panic.\n\nFix this by returning a NULL pointer from arm_trbe_alloc_buffer() on\nallocation failures. This allows that the callers can properly handle\nthe failure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:32.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cef047e0a55cb07906fcaae99170f19a9c0bb6c2"
},
{
"url": "https://git.kernel.org/stable/c/fe53a726d5edf864e80b490780cc135fc1adece9"
},
{
"url": "https://git.kernel.org/stable/c/9768536f82600a05ce901e31ccfabd92c027ff71"
},
{
"url": "https://git.kernel.org/stable/c/296da78494633e1ab5e2e74173a9c8683b04aa6b"
},
{
"url": "https://git.kernel.org/stable/c/f505a165f1c7cd37b4cb6952042a5984693a4067"
},
{
"url": "https://git.kernel.org/stable/c/8a55c161f7f9c1aa1c70611b39830d51c83ef36d"
}
],
"title": "coresight: trbe: Return NULL pointer for allocation failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40060",
"datePublished": "2025-10-28T11:48:32.775Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-10-28T11:48:32.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53649 (GCVE-0-2023-53649)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf trace: Really free the evsel->priv area
In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in
evsel->priv") it only was freeing if strcmp(evsel->tp_format->system,
"syscalls") returned zero, while the corresponding initialization of
evsel->priv was being performed if it was _not_ zero, i.e. if the tp
system wasn't 'syscalls'.
Just stop looking for that and free it if evsel->priv was set, which
should be equivalent.
Also use the pre-existing evsel_trace__delete() function.
This resolves these leaks, detected with:
$ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin
=================================================================
==481565==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
#6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212
#7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
#8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
#6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205
#7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
#8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).
[root@quaco ~]#
With this we plug all leaks with "perf trace sleep 1".
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/perf/builtin-trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3bc668581e71e7c3bc7eb1d647f25f8db222163",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "62dd514c34be63d3d5cae1f52a7e8b96c6dd6630",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "27f396f64537b1ae48d0644d7cbf0d250b3c0b33",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
},
{
"lessThan": "7962ef13651a9163f07b530607392ea123482e8a",
"status": "affected",
"version": "3cb4d5e00e037c70f239173bdd399a7e6040830f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/perf/builtin-trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf trace: Really free the evsel-\u003epriv area\n\nIn 3cb4d5e00e037c70 (\"perf trace: Free syscall tp fields in\nevsel-\u003epriv\") it only was freeing if strcmp(evsel-\u003etp_format-\u003esystem,\n\"syscalls\") returned zero, while the corresponding initialization of\nevsel-\u003epriv was being performed if it was _not_ zero, i.e. if the tp\nsystem wasn\u0027t \u0027syscalls\u0027.\n\nJust stop looking for that and free it if evsel-\u003epriv was set, which\nshould be equivalent.\n\nAlso use the pre-existing evsel_trace__delete() function.\n\nThis resolves these leaks, detected with:\n\n $ make EXTRA_CFLAGS=\"-fsanitize=address\" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin\n\n =================================================================\n ==481565==ERROR: LeakSanitizer: detected memory leaks\n\n Direct leak of 40 byte(s) in 1 object(s) allocated from:\n #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212\n #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n Direct leak of 40 byte(s) in 1 object(s) allocated from:\n #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205\n #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).\n [root@quaco ~]#\n\nWith this we plug all leaks with \"perf trace sleep 1\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:46.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3bc668581e71e7c3bc7eb1d647f25f8db222163"
},
{
"url": "https://git.kernel.org/stable/c/62dd514c34be63d3d5cae1f52a7e8b96c6dd6630"
},
{
"url": "https://git.kernel.org/stable/c/27f396f64537b1ae48d0644d7cbf0d250b3c0b33"
},
{
"url": "https://git.kernel.org/stable/c/7962ef13651a9163f07b530607392ea123482e8a"
}
],
"title": "perf trace: Really free the evsel-\u003epriv area",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53649",
"datePublished": "2025-10-07T15:19:46.459Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:46.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39848 (GCVE-0-2025-39848)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before above commit, different kind of bugs or corruptions could happen
without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:06.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "42b46684e2c78ee052d8c2ee8d9c2089233c9094",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b079be1b9da49ad88fc304c874d4be7085f7883",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bd0f67212908243ce88e35bf69fa77155b47b14",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01a2984cb803f2d487b7074f9718db2bf3531f69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d449b7a6c8ee434d10a483feed7c5c50108cf56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89064cf534bea4bb28c83fe6bbb26657b19dd5fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1c71d674a308d2fbc83efcf88bfc4217a86aa17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8156210d36a43e76372312c87eb5ea3dbb405a85",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ax25/ax25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb-\u003edev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:58.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094"
},
{
"url": "https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883"
},
{
"url": "https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14"
},
{
"url": "https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69"
},
{
"url": "https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56"
},
{
"url": "https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe"
},
{
"url": "https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17"
},
{
"url": "https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85"
}
],
"title": "ax25: properly unshare skbs in ax25_kiss_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39848",
"datePublished": "2025-09-19T15:26:21.403Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:06.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53681 (GCVE-0-2023-53681)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
In some specific situations, the return value of __bch_btree_node_alloc
may be NULL. This may lead to a potential NULL pointer dereference in
caller function like a calling chain :
btree_split->bch_btree_node_alloc->__bch_btree_node_alloc.
Fix it by initializing the return value in __bch_btree_node_alloc.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "587b4e8bb5dac682f09280ab35db4632b29d5ac4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "b070f29a61436f6f8a2e3abc7ea4f4be81695198",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "a4405f6ee03323410d7b10966fd67b35f71b1944",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "f67b0e3081f2a24170280a33ac66f6b112083c03",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "7ecea5ce3dc17339c280c75b58ac93d8c8620d9f",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "4514847aee18d9391a0cf3aad75d3567c72795a4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "80fca8a10b604afad6c14213fdfd816c4eda3ee4",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: Fix __bch_btree_node_alloc to make the failure behavior consistent\n\nIn some specific situations, the return value of __bch_btree_node_alloc\nmay be NULL. This may lead to a potential NULL pointer dereference in\ncaller function like a calling chain :\nbtree_split-\u003ebch_btree_node_alloc-\u003e__bch_btree_node_alloc.\n\nFix it by initializing the return value in __bch_btree_node_alloc."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:35.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/587b4e8bb5dac682f09280ab35db4632b29d5ac4"
},
{
"url": "https://git.kernel.org/stable/c/b070f29a61436f6f8a2e3abc7ea4f4be81695198"
},
{
"url": "https://git.kernel.org/stable/c/a4405f6ee03323410d7b10966fd67b35f71b1944"
},
{
"url": "https://git.kernel.org/stable/c/f67b0e3081f2a24170280a33ac66f6b112083c03"
},
{
"url": "https://git.kernel.org/stable/c/7ecea5ce3dc17339c280c75b58ac93d8c8620d9f"
},
{
"url": "https://git.kernel.org/stable/c/4514847aee18d9391a0cf3aad75d3567c72795a4"
},
{
"url": "https://git.kernel.org/stable/c/80fca8a10b604afad6c14213fdfd816c4eda3ee4"
}
],
"title": "bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53681",
"datePublished": "2025-10-07T15:21:35.315Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:35.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38734 (GCVE-0-2025-38734)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-09-29 05:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix UAF on smcsk after smc_listen_out()
BPF CI testing report a UAF issue:
[ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0
[ 16.447134] #PF: supervisor read access in kernel mod e
[ 16.447516] #PF: error_code(0x0000) - not-present pag e
[ 16.447878] PGD 0 P4D 0
[ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I
[ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2
[ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E
[ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4
[ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k
[ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0
[ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6
[ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0
[ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0
[ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5
[ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0
[ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0
[ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0
[ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3
[ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0
[ 16.456459] PKRU: 5555555 4
[ 16.456654] Call Trace :
[ 16.456832] <TASK >
[ 16.456989] ? __die+0x23/0x7 0
[ 16.457215] ? page_fault_oops+0x180/0x4c 0
[ 16.457508] ? __lock_acquire+0x3e6/0x249 0
[ 16.457801] ? exc_page_fault+0x68/0x20 0
[ 16.458080] ? asm_exc_page_fault+0x26/0x3 0
[ 16.458389] ? smc_listen_work+0xc02/0x159 0
[ 16.458689] ? smc_listen_work+0xc02/0x159 0
[ 16.458987] ? lock_is_held_type+0x8f/0x10 0
[ 16.459284] process_one_work+0x1ea/0x6d 0
[ 16.459570] worker_thread+0x1c3/0x38 0
[ 16.459839] ? __pfx_worker_thread+0x10/0x1 0
[ 16.460144] kthread+0xe0/0x11 0
[ 16.460372] ? __pfx_kthread+0x10/0x1 0
[ 16.460640] ret_from_fork+0x31/0x5 0
[ 16.460896] ? __pfx_kthread+0x10/0x1 0
[ 16.461166] ret_from_fork_asm+0x1a/0x3 0
[ 16.461453] </TASK >
[ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ]
[ 16.462134] CR2: 000000000000003 0
[ 16.462380] ---[ end trace 0000000000000000 ]---
[ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590
The direct cause of this issue is that after smc_listen_out_connected(),
newclcsock->sk may be NULL since it will releases the smcsk. Therefore,
if the application closes the socket immediately after accept,
newclcsock->sk can be NULL. A possible execution order could be as
follows:
smc_listen_work | userspace
-----------------------------------------------------------------
lock_sock(sk) |
smc_listen_out_connected() |
| \- smc_listen_out |
| | \- release_sock |
| |- sk->sk_data_ready() |
| fd = accept();
| close(fd);
| \- socket->sk = NULL;
/* newclcsock->sk is NULL now */
SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))
Since smc_listen_out_connected() will not fail, simply swapping the order
of the code can easily fix this issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "2e765ba0ee0eae35688b443e97108308a716773e",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "85545f1525f9fa9bf44fec77ba011024f15da342",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "d9cef55ed49117bd63695446fb84b4b91815c0b4",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix UAF on smcsk after smc_listen_out()\n\nBPF CI testing report a UAF issue:\n\n [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0\n [ 16.447134] #PF: supervisor read access in kernel mod e\n [ 16.447516] #PF: error_code(0x0000) - not-present pag e\n [ 16.447878] PGD 0 P4D 0\n [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I\n [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2\n [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E\n [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4\n [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k\n [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0\n [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6\n [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0\n [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0\n [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5\n [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0\n [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0\n [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0\n [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3\n [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0\n [ 16.456459] PKRU: 5555555 4\n [ 16.456654] Call Trace :\n [ 16.456832] \u003cTASK \u003e\n [ 16.456989] ? __die+0x23/0x7 0\n [ 16.457215] ? page_fault_oops+0x180/0x4c 0\n [ 16.457508] ? __lock_acquire+0x3e6/0x249 0\n [ 16.457801] ? exc_page_fault+0x68/0x20 0\n [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0\n [ 16.458389] ? smc_listen_work+0xc02/0x159 0\n [ 16.458689] ? smc_listen_work+0xc02/0x159 0\n [ 16.458987] ? lock_is_held_type+0x8f/0x10 0\n [ 16.459284] process_one_work+0x1ea/0x6d 0\n [ 16.459570] worker_thread+0x1c3/0x38 0\n [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0\n [ 16.460144] kthread+0xe0/0x11 0\n [ 16.460372] ? __pfx_kthread+0x10/0x1 0\n [ 16.460640] ret_from_fork+0x31/0x5 0\n [ 16.460896] ? __pfx_kthread+0x10/0x1 0\n [ 16.461166] ret_from_fork_asm+0x1a/0x3 0\n [ 16.461453] \u003c/TASK \u003e\n [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ]\n [ 16.462134] CR2: 000000000000003 0\n [ 16.462380] ---[ end trace 0000000000000000 ]---\n [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590\n\nThe direct cause of this issue is that after smc_listen_out_connected(),\nnewclcsock-\u003esk may be NULL since it will releases the smcsk. Therefore,\nif the application closes the socket immediately after accept,\nnewclcsock-\u003esk can be NULL. A possible execution order could be as\nfollows:\n\nsmc_listen_work | userspace\n-----------------------------------------------------------------\nlock_sock(sk) |\nsmc_listen_out_connected() |\n| \\- smc_listen_out |\n| | \\- release_sock |\n | |- sk-\u003esk_data_ready() |\n | fd = accept();\n | close(fd);\n | \\- socket-\u003esk = NULL;\n/* newclcsock-\u003esk is NULL now */\nSMC_STAT_SERV_SUCC_INC(sock_net(newclcsock-\u003esk))\n\nSince smc_listen_out_connected() will not fail, simply swapping the order\nof the code can easily fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:03.016Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f"
},
{
"url": "https://git.kernel.org/stable/c/2e765ba0ee0eae35688b443e97108308a716773e"
},
{
"url": "https://git.kernel.org/stable/c/85545f1525f9fa9bf44fec77ba011024f15da342"
},
{
"url": "https://git.kernel.org/stable/c/d9cef55ed49117bd63695446fb84b4b91815c0b4"
}
],
"title": "net/smc: fix UAF on smcsk after smc_listen_out()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38734",
"datePublished": "2025-09-05T17:20:34.126Z",
"dateReserved": "2025-04-16T04:51:24.034Z",
"dateUpdated": "2025-09-29T05:57:03.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53148 (GCVE-0-2023-53148)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-15 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: Fix igb_down hung on surprise removal
In a setup where a Thunderbolt hub connects to Ethernet and a display
through USB Type-C, users may experience a hung task timeout when they
remove the cable between the PC and the Thunderbolt hub.
This is because the igb_down function is called multiple times when
the Thunderbolt hub is unplugged. For example, the igb_io_error_detected
triggers the first call, and the igb_remove triggers the second call.
The second call to igb_down will block at napi_synchronize.
Here's the call trace:
__schedule+0x3b0/0xddb
? __mod_timer+0x164/0x5d3
schedule+0x44/0xa8
schedule_timeout+0xb2/0x2a4
? run_local_timers+0x4e/0x4e
msleep+0x31/0x38
igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4]
__igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4]
igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4]
__dev_close_many+0x95/0xec
dev_close_many+0x6e/0x103
unregister_netdevice_many+0x105/0x5b1
unregister_netdevice_queue+0xc2/0x10d
unregister_netdev+0x1c/0x23
igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4]
pci_device_remove+0x3f/0x9c
device_release_driver_internal+0xfe/0x1b4
pci_stop_bus_device+0x5b/0x7f
pci_stop_bus_device+0x30/0x7f
pci_stop_bus_device+0x30/0x7f
pci_stop_and_remove_bus_device+0x12/0x19
pciehp_unconfigure_device+0x76/0xe9
pciehp_disable_slot+0x6e/0x131
pciehp_handle_presence_or_link_change+0x7a/0x3f7
pciehp_ist+0xbe/0x194
irq_thread_fn+0x22/0x4d
? irq_thread+0x1fd/0x1fd
irq_thread+0x17b/0x1fd
? irq_forced_thread_fn+0x5f/0x5f
kthread+0x142/0x153
? __irq_get_irqchip_state+0x46/0x46
? kthread_associate_blkcg+0x71/0x71
ret_from_fork+0x1f/0x30
In this case, igb_io_error_detected detaches the network interface
and requests a PCIE slot reset, however, the PCIE reset callback is
not being invoked and thus the Ethernet connection breaks down.
As the PCIE error in this case is a non-fatal one, requesting a
slot reset can be avoided.
This patch fixes the task hung issue and preserves Ethernet
connection by ignoring non-fatal PCIE errors.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2312e1d12b1c3ee4100c173131b102e2aed4d04",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "124e39a734cb90658b8f0dc110847bbfc6e33792",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9f56f3c7bc908caa772112d3ae71cdd5d18c257",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "994c2ceb70ea99264ccc6f09e6703ca267dad63c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa92c463eba75dcedbd8d689ffdcb83293aaa0c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39695e87d86f0e7d897fba1d2559f825aa20caeb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41f63b72a01c0e0ac59ab83fd2d921fcce0f602d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "004d25060c78fc31f66da0fa439c544dda1ac9d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix igb_down hung on surprise removal\n\nIn a setup where a Thunderbolt hub connects to Ethernet and a display\nthrough USB Type-C, users may experience a hung task timeout when they\nremove the cable between the PC and the Thunderbolt hub.\nThis is because the igb_down function is called multiple times when\nthe Thunderbolt hub is unplugged. For example, the igb_io_error_detected\ntriggers the first call, and the igb_remove triggers the second call.\nThe second call to igb_down will block at napi_synchronize.\nHere\u0027s the call trace:\n __schedule+0x3b0/0xddb\n ? __mod_timer+0x164/0x5d3\n schedule+0x44/0xa8\n schedule_timeout+0xb2/0x2a4\n ? run_local_timers+0x4e/0x4e\n msleep+0x31/0x38\n igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4]\n __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4]\n igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4]\n __dev_close_many+0x95/0xec\n dev_close_many+0x6e/0x103\n unregister_netdevice_many+0x105/0x5b1\n unregister_netdevice_queue+0xc2/0x10d\n unregister_netdev+0x1c/0x23\n igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4]\n pci_device_remove+0x3f/0x9c\n device_release_driver_internal+0xfe/0x1b4\n pci_stop_bus_device+0x5b/0x7f\n pci_stop_bus_device+0x30/0x7f\n pci_stop_bus_device+0x30/0x7f\n pci_stop_and_remove_bus_device+0x12/0x19\n pciehp_unconfigure_device+0x76/0xe9\n pciehp_disable_slot+0x6e/0x131\n pciehp_handle_presence_or_link_change+0x7a/0x3f7\n pciehp_ist+0xbe/0x194\n irq_thread_fn+0x22/0x4d\n ? irq_thread+0x1fd/0x1fd\n irq_thread+0x17b/0x1fd\n ? irq_forced_thread_fn+0x5f/0x5f\n kthread+0x142/0x153\n ? __irq_get_irqchip_state+0x46/0x46\n ? kthread_associate_blkcg+0x71/0x71\n ret_from_fork+0x1f/0x30\n\nIn this case, igb_io_error_detected detaches the network interface\nand requests a PCIE slot reset, however, the PCIE reset callback is\nnot being invoked and thus the Ethernet connection breaks down.\nAs the PCIE error in this case is a non-fatal one, requesting a\nslot reset can be avoided.\nThis patch fixes the task hung issue and preserves Ethernet\nconnection by ignoring non-fatal PCIE errors."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:10.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2312e1d12b1c3ee4100c173131b102e2aed4d04"
},
{
"url": "https://git.kernel.org/stable/c/124e39a734cb90658b8f0dc110847bbfc6e33792"
},
{
"url": "https://git.kernel.org/stable/c/c9f56f3c7bc908caa772112d3ae71cdd5d18c257"
},
{
"url": "https://git.kernel.org/stable/c/994c2ceb70ea99264ccc6f09e6703ca267dad63c"
},
{
"url": "https://git.kernel.org/stable/c/fa92c463eba75dcedbd8d689ffdcb83293aaa0c3"
},
{
"url": "https://git.kernel.org/stable/c/39695e87d86f0e7d897fba1d2559f825aa20caeb"
},
{
"url": "https://git.kernel.org/stable/c/41f63b72a01c0e0ac59ab83fd2d921fcce0f602d"
},
{
"url": "https://git.kernel.org/stable/c/004d25060c78fc31f66da0fa439c544dda1ac9d5"
}
],
"title": "igb: Fix igb_down hung on surprise removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53148",
"datePublished": "2025-09-15T14:03:10.395Z",
"dateReserved": "2025-05-02T15:51:43.565Z",
"dateUpdated": "2025-09-15T14:03:10.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53705 (GCVE-0-2023-53705)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f Version: c61a404325093250b676f40ad8f4dd00f3bcab5f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59e656d0d4a84ea0ee9a39c6f69160a3effccc94",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "04bf69e3de435d793a203aacc4b774f8f9f2baeb",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "011f47c8b8389154f996f5f69da8efc3a3beefef",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "e5f82688ae10f5f386952e65e941bb8868ee54dc",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "9b92e2d0eb696d7586ba832c8854653b59887da0",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "91dd8aab9c9f193210681b86b6b92840ffe74f0c",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "ae68c0f7edbc9a294094ce03a0aaf45aa489ce40",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
},
{
"lessThan": "878ecb0897f4737a4c9401f3523fd49589025671",
"status": "affected",
"version": "c61a404325093250b676f40ad8f4dd00f3bcab5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/exthdrs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bounds access in ipv6_find_tlv()\n\noptlen is fetched without checking whether there is more than one byte to parse.\nIt can lead to out-of-bounds access.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:42.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59e656d0d4a84ea0ee9a39c6f69160a3effccc94"
},
{
"url": "https://git.kernel.org/stable/c/04bf69e3de435d793a203aacc4b774f8f9f2baeb"
},
{
"url": "https://git.kernel.org/stable/c/011f47c8b8389154f996f5f69da8efc3a3beefef"
},
{
"url": "https://git.kernel.org/stable/c/e5f82688ae10f5f386952e65e941bb8868ee54dc"
},
{
"url": "https://git.kernel.org/stable/c/9b92e2d0eb696d7586ba832c8854653b59887da0"
},
{
"url": "https://git.kernel.org/stable/c/91dd8aab9c9f193210681b86b6b92840ffe74f0c"
},
{
"url": "https://git.kernel.org/stable/c/ae68c0f7edbc9a294094ce03a0aaf45aa489ce40"
},
{
"url": "https://git.kernel.org/stable/c/878ecb0897f4737a4c9401f3523fd49589025671"
}
],
"title": "ipv6: Fix out-of-bounds access in ipv6_find_tlv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53705",
"datePublished": "2025-10-22T13:23:42.641Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:42.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53394 (GCVE-0-2023-53394)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: xsk: Fix crash on regular rq reactivation
When the regular rq is reactivated after the XSK socket is closed
it could be reading stale cqes which eventually corrupts the rq.
This leads to no more traffic being received on the regular rq and a
crash on the next close or deactivation of the rq.
Kal Cuttler Conely reported this issue as a crash on the release
path when the xdpsock sample program is stopped (killed) and restarted
in sequence while traffic is running.
This patch flushes all cqes when during the rq flush. The cqe flushing
is done in the reset state of the rq. mlx5e_rq_to_ready code is moved
into the flush function to allow for this.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02a84eb2af6bea7871cd34264fb27f141f005fd9",
"status": "affected",
"version": "082a9edf12fef88400172e7d1b131d65a3ed492e",
"versionType": "git"
},
{
"lessThan": "39646d9bcd1a65d2396328026626859a1dab59d7",
"status": "affected",
"version": "082a9edf12fef88400172e7d1b131d65a3ed492e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: xsk: Fix crash on regular rq reactivation\n\nWhen the regular rq is reactivated after the XSK socket is closed\nit could be reading stale cqes which eventually corrupts the rq.\nThis leads to no more traffic being received on the regular rq and a\ncrash on the next close or deactivation of the rq.\n\nKal Cuttler Conely reported this issue as a crash on the release\npath when the xdpsock sample program is stopped (killed) and restarted\nin sequence while traffic is running.\n\nThis patch flushes all cqes when during the rq flush. The cqe flushing\nis done in the reset state of the rq. mlx5e_rq_to_ready code is moved\ninto the flush function to allow for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:35.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02a84eb2af6bea7871cd34264fb27f141f005fd9"
},
{
"url": "https://git.kernel.org/stable/c/39646d9bcd1a65d2396328026626859a1dab59d7"
}
],
"title": "net/mlx5e: xsk: Fix crash on regular rq reactivation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53394",
"datePublished": "2025-09-18T13:33:35.895Z",
"dateReserved": "2025-09-17T14:54:09.738Z",
"dateUpdated": "2025-09-18T13:33:35.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53204 (GCVE-0-2023-53204)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-races around user->unix_inflight.
user->unix_inflight is changed under spin_lock(unix_gc_lock),
but too_many_unix_fds() reads it locklessly.
Let's annotate the write/read accesses to user->unix_inflight.
BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
unix_inflight+0x157/0x180 net/unix/scm.c:66
unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:748
____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
___sys_sendmsg+0xc6/0x140 net/socket.c:2548
__sys_sendmsg+0x94/0x140 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
too_many_unix_fds net/unix/scm.c:101 [inline]
unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:748
____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
___sys_sendmsg+0xc6/0x140 net/socket.c:2548
__sys_sendmsg+0x94/0x140 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
value changed: 0x000000000000000c -> 0x000000000000000d
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: 712f4aad406bb1ed67f3f98d04c044191f0ff593 Version: a5a6cf8c405e826ff7ed1308dde72560c0ed4854 Version: df87da0783c4492b944badfea9d5c3c56b834697 Version: 3d024dcef2548028e9f9b7876a544e6e0af00175 Version: aa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90 Version: a5b9e44af8d3edaf49d14a91cc519a9fba439e67 Version: dc6b0ec667f67d4768e72c1b7f1bbc14ea52379c Version: 9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3b Version: 5e226f9689d90ad8ab21b4a969ae3058777f0aff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df97b5ea9f3ac9308c3a633524dab382cd59d9e5",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "03d133dfbcec9d439729cc64706c7eb6d1663a24",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "adcf4e069358cdee8593663650ea447215a1c49e",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "b401d7e485b0a234cf8fe9a6ae99dbcd20863138",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "9151ed4b006125cba7c06c79df504340ea4e9386",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "ac92f239a079678a035c0faad9089354a874aede",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"lessThan": "0bc36c0650b21df36fbec8136add83936eaf0607",
"status": "affected",
"version": "712f4aad406bb1ed67f3f98d04c044191f0ff593",
"versionType": "git"
},
{
"status": "affected",
"version": "a5a6cf8c405e826ff7ed1308dde72560c0ed4854",
"versionType": "git"
},
{
"status": "affected",
"version": "df87da0783c4492b944badfea9d5c3c56b834697",
"versionType": "git"
},
{
"status": "affected",
"version": "3d024dcef2548028e9f9b7876a544e6e0af00175",
"versionType": "git"
},
{
"status": "affected",
"version": "aa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90",
"versionType": "git"
},
{
"status": "affected",
"version": "a5b9e44af8d3edaf49d14a91cc519a9fba439e67",
"versionType": "git"
},
{
"status": "affected",
"version": "dc6b0ec667f67d4768e72c1b7f1bbc14ea52379c",
"versionType": "git"
},
{
"status": "affected",
"version": "9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3b",
"versionType": "git"
},
{
"status": "affected",
"version": "5e226f9689d90ad8ab21b4a969ae3058777f0aff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-races around user-\u003eunix_inflight.\n\nuser-\u003eunix_inflight is changed under spin_lock(unix_gc_lock),\nbut too_many_unix_fds() reads it locklessly.\n\nLet\u0027s annotate the write/read accesses to user-\u003eunix_inflight.\n\nBUG: KCSAN: data-race in unix_attach_fds / unix_inflight\n\nwrite to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:\n unix_inflight+0x157/0x180 net/unix/scm.c:66\n unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nread to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:\n too_many_unix_fds net/unix/scm.c:101 [inline]\n unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nvalue changed: 0x000000000000000c -\u003e 0x000000000000000d\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:32.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df97b5ea9f3ac9308c3a633524dab382cd59d9e5"
},
{
"url": "https://git.kernel.org/stable/c/03d133dfbcec9d439729cc64706c7eb6d1663a24"
},
{
"url": "https://git.kernel.org/stable/c/adcf4e069358cdee8593663650ea447215a1c49e"
},
{
"url": "https://git.kernel.org/stable/c/b401d7e485b0a234cf8fe9a6ae99dbcd20863138"
},
{
"url": "https://git.kernel.org/stable/c/9151ed4b006125cba7c06c79df504340ea4e9386"
},
{
"url": "https://git.kernel.org/stable/c/b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f"
},
{
"url": "https://git.kernel.org/stable/c/ac92f239a079678a035c0faad9089354a874aede"
},
{
"url": "https://git.kernel.org/stable/c/0bc36c0650b21df36fbec8136add83936eaf0607"
}
],
"title": "af_unix: Fix data-races around user-\u003eunix_inflight.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53204",
"datePublished": "2025-09-15T14:21:32.696Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:32.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53272 (GCVE-0-2023-53272)
Vulnerability from cvelistv5
Published
2025-09-16 08:07
Modified
2025-09-16 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ena: fix shift-out-of-bounds in exponential backoff
The ENA adapters on our instances occasionally reset. Once recently
logged a UBSAN failure to console in the process:
UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117
Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017
Workqueue: ena ena_fw_reset_device [ena]
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
? __const_udelay+0x43/0x50
ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]
wait_for_reset_state+0x54/0xa0 [ena]
ena_com_dev_reset+0xc8/0x110 [ena]
ena_down+0x3fe/0x480 [ena]
ena_destroy_device+0xeb/0xf0 [ena]
ena_fw_reset_device+0x30/0x50 [ena]
process_one_work+0x22b/0x3d0
worker_thread+0x4d/0x3f0
? process_one_work+0x3d0/0x3d0
kthread+0x12a/0x150
? set_kthread_struct+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Apparently, the reset delays are getting so large they can trigger a
UBSAN panic.
Looking at the code, the current timeout is capped at 5000us. Using a
base value of 100us, the current code will overflow after (1<<29). Even
at values before 32, this function wraps around, perhaps
unintentionally.
Cap the value of the exponent used for this backoff at (1<<16) which is
larger than currently necessary, but large enough to support bigger
values in the future.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e760b2d18bf129b3da052c2946c02758e97d15e",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "3e36cc94d6e60a27f27498adf1c71eeba769ab33",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "90947ebf8794e3c229fb2e16e37f1bfea6877f14",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "0939c264729d4a081ff88efce2ffdf85dc5331e0",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
},
{
"lessThan": "1e9cb763e9bacf0c932aa948f50dcfca6f519a26",
"status": "affected",
"version": "4bb7f4cf60e38a00965d22aa5979ab143193d41f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: fix shift-out-of-bounds in exponential backoff\n\nThe ENA adapters on our instances occasionally reset. Once recently\nlogged a UBSAN failure to console in the process:\n\n UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13\n shift exponent 32 is too large for 32-bit type \u0027unsigned int\u0027\n CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117\n Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017\n Workqueue: ena ena_fw_reset_device [ena]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n ? __const_udelay+0x43/0x50\n ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]\n wait_for_reset_state+0x54/0xa0 [ena]\n ena_com_dev_reset+0xc8/0x110 [ena]\n ena_down+0x3fe/0x480 [ena]\n ena_destroy_device+0xeb/0xf0 [ena]\n ena_fw_reset_device+0x30/0x50 [ena]\n process_one_work+0x22b/0x3d0\n worker_thread+0x4d/0x3f0\n ? process_one_work+0x3d0/0x3d0\n kthread+0x12a/0x150\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n\nApparently, the reset delays are getting so large they can trigger a\nUBSAN panic.\n\nLooking at the code, the current timeout is capped at 5000us. Using a\nbase value of 100us, the current code will overflow after (1\u003c\u003c29). Even\nat values before 32, this function wraps around, perhaps\nunintentionally.\n\nCap the value of the exponent used for this backoff at (1\u003c\u003c16) which is\nlarger than currently necessary, but large enough to support bigger\nvalues in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:07:01.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e760b2d18bf129b3da052c2946c02758e97d15e"
},
{
"url": "https://git.kernel.org/stable/c/3e36cc94d6e60a27f27498adf1c71eeba769ab33"
},
{
"url": "https://git.kernel.org/stable/c/90947ebf8794e3c229fb2e16e37f1bfea6877f14"
},
{
"url": "https://git.kernel.org/stable/c/0939c264729d4a081ff88efce2ffdf85dc5331e0"
},
{
"url": "https://git.kernel.org/stable/c/1e9cb763e9bacf0c932aa948f50dcfca6f519a26"
}
],
"title": "net: ena: fix shift-out-of-bounds in exponential backoff",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53272",
"datePublished": "2025-09-16T08:07:01.589Z",
"dateReserved": "2025-09-16T08:05:12.516Z",
"dateUpdated": "2025-09-16T08:07:01.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53652 (GCVE-0-2023-53652)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa features attr to avoid
such bugs.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44b508cc96889e61799cc0fc6c00766a54f3ab5a",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
},
{
"lessThan": "645d17e06c502e71b880b2b854930e5a64014640",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
},
{
"lessThan": "79c8651587504ba263d2fd67fd4406240fb21f69",
"status": "affected",
"version": "90fea5a800c3dd80fb8ad9a02929bcef5fde42b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add features attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info-\u003eattrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa features attr to avoid\nsuch bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:48.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44b508cc96889e61799cc0fc6c00766a54f3ab5a"
},
{
"url": "https://git.kernel.org/stable/c/645d17e06c502e71b880b2b854930e5a64014640"
},
{
"url": "https://git.kernel.org/stable/c/79c8651587504ba263d2fd67fd4406240fb21f69"
}
],
"title": "vdpa: Add features attr to vdpa_nl_policy for nlattr length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53652",
"datePublished": "2025-10-07T15:19:48.628Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40102 (GCVE-0-2025-40102)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-10-30 09:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Prevent access to vCPU events before init
Another day, another syzkaller bug. KVM erroneously allows userspace to
pend vCPU events for a vCPU that hasn't been initialized yet, leading to
KVM interpreting a bunch of uninitialized garbage for routing /
injecting the exception.
In one case the injection code and the hyp disagree on whether the vCPU
has a 32bit EL1 and put the vCPU into an illegal mode for AArch64,
tripping the BUG() in exception_target_el() during the next injection:
kernel BUG at arch/arm64/kvm/inject_fault.c:40!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : exception_target_el+0x88/0x8c
lr : pend_serror_exception+0x18/0x13c
sp : ffff800082f03a10
x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000
x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000
x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004
x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20
Call trace:
exception_target_el+0x88/0x8c (P)
kvm_inject_serror_esr+0x40/0x3b4
__kvm_arm_vcpu_set_events+0xf0/0x100
kvm_arch_vcpu_ioctl+0x180/0x9d4
kvm_vcpu_ioctl+0x60c/0x9f4
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)
Reject the ioctls outright as no sane VMM would call these before
KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been
thrown away by the eventual reset of the vCPU's state.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64a04e6320fc5affbadc59dc7024d79f909bfe84",
"status": "affected",
"version": "b7b27facc7b50a5fce0afaa3df56157136ce181a",
"versionType": "git"
},
{
"lessThan": "0aa1b76fe1429629215a7c79820e4b96233ac4a3",
"status": "affected",
"version": "b7b27facc7b50a5fce0afaa3df56157136ce181a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Prevent access to vCPU events before init\n\nAnother day, another syzkaller bug. KVM erroneously allows userspace to\npend vCPU events for a vCPU that hasn\u0027t been initialized yet, leading to\nKVM interpreting a bunch of uninitialized garbage for routing /\ninjecting the exception.\n\nIn one case the injection code and the hyp disagree on whether the vCPU\nhas a 32bit EL1 and put the vCPU into an illegal mode for AArch64,\ntripping the BUG() in exception_target_el() during the next injection:\n\n kernel BUG at arch/arm64/kvm/inject_fault.c:40!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : exception_target_el+0x88/0x8c\n lr : pend_serror_exception+0x18/0x13c\n sp : ffff800082f03a10\n x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000\n x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000\n x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004\n x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20\n Call trace:\n exception_target_el+0x88/0x8c (P)\n kvm_inject_serror_esr+0x40/0x3b4\n __kvm_arm_vcpu_set_events+0xf0/0x100\n kvm_arch_vcpu_ioctl+0x180/0x9d4\n kvm_vcpu_ioctl+0x60c/0x9f4\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)\n\nReject the ioctls outright as no sane VMM would call these before\nKVM_ARM_VCPU_INIT anyway. Even if it did the exception would\u0027ve been\nthrown away by the eventual reset of the vCPU\u0027s state."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:48:07.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64a04e6320fc5affbadc59dc7024d79f909bfe84"
},
{
"url": "https://git.kernel.org/stable/c/0aa1b76fe1429629215a7c79820e4b96233ac4a3"
}
],
"title": "KVM: arm64: Prevent access to vCPU events before init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40102",
"datePublished": "2025-10-30T09:48:07.790Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-10-30T09:48:07.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39826 (GCVE-0-2025-39826)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: convert 'use' field to refcount_t
The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.
For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.
This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:47.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/rose.h",
"net/rose/af_rose.c",
"net/rose/rose_in.c",
"net/rose/rose_route.c",
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb07156cc0742ba4e93dfcc84280c011d05b301f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8c29fc437d03a98fb075c31c5be761cc8326284",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0085b250fcc79f900c82a69980ec2f3e1871823b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "203e4f42596ede31498744018716a3db6dbb7f51",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d860d1faa6b2ce3becfdb8b0c2b048ad31800061",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/rose.h",
"net/rose/af_rose.c",
"net/rose/rose_in.c",
"net/rose/rose_route.c",
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:27.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f"
},
{
"url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284"
},
{
"url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b"
},
{
"url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51"
},
{
"url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061"
}
],
"title": "net: rose: convert \u0027use\u0027 field to refcount_t",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39826",
"datePublished": "2025-09-16T13:00:24.618Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-11-03T17:43:47.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53717 (GCVE-0-2023-53717)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
Fix a stack-out-of-bounds write that occurs in a WMI response callback
function that is called after a timeout occurs in ath9k_wmi_cmd().
The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
0 when a timeout occurred.
Found by a modified version of syzkaller.
BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
Write of size 4
Call Trace:
memcpy
ath9k_wmi_ctrl_rx
ath9k_htc_rx_msg
ath9k_hif_usb_reg_in_cb
__usb_hcd_giveback_urb
usb_hcd_giveback_urb
dummy_timer
call_timer_fn
run_timer_softirq
__do_softirq
irq_exit_rcu
sysvec_apic_timer_interrupt
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89a33c3c847b19b19205cde1d924df2a6c70d8eb",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ae4933b4f17de8e2b7ff6f91b17d3b0099a6d6bc",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "bf6dc175a2b53098a69db1236d9d53982f4b1bc0",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "78b56b0a613a87b61290b95be497fdfe2fe58aa6",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "1af7eacfad45149c54893a8a9df9e92ef89f0a90",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8f28513d9520184059530c01a9f928a1b3809d3f",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "554048a72d7ecfdd58cc1bfb56e0a1864e64e82c",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8a2f35b9830692f7a616f2f627f943bc748af13a",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()\n\nFix a stack-out-of-bounds write that occurs in a WMI response callback\nfunction that is called after a timeout occurs in ath9k_wmi_cmd().\nThe callback writes to wmi-\u003ecmd_rsp_buf, a stack-allocated buffer that\ncould no longer be valid when a timeout occurs. Set wmi-\u003elast_seq_id to\n0 when a timeout occurred.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx\nWrite of size 4\nCall Trace:\n memcpy\n ath9k_wmi_ctrl_rx\n ath9k_htc_rx_msg\n ath9k_hif_usb_reg_in_cb\n __usb_hcd_giveback_urb\n usb_hcd_giveback_urb\n dummy_timer\n call_timer_fn\n run_timer_softirq\n __do_softirq\n irq_exit_rcu\n sysvec_apic_timer_interrupt"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:50.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89a33c3c847b19b19205cde1d924df2a6c70d8eb"
},
{
"url": "https://git.kernel.org/stable/c/ae4933b4f17de8e2b7ff6f91b17d3b0099a6d6bc"
},
{
"url": "https://git.kernel.org/stable/c/bf6dc175a2b53098a69db1236d9d53982f4b1bc0"
},
{
"url": "https://git.kernel.org/stable/c/78b56b0a613a87b61290b95be497fdfe2fe58aa6"
},
{
"url": "https://git.kernel.org/stable/c/1af7eacfad45149c54893a8a9df9e92ef89f0a90"
},
{
"url": "https://git.kernel.org/stable/c/8f28513d9520184059530c01a9f928a1b3809d3f"
},
{
"url": "https://git.kernel.org/stable/c/554048a72d7ecfdd58cc1bfb56e0a1864e64e82c"
},
{
"url": "https://git.kernel.org/stable/c/8a2f35b9830692f7a616f2f627f943bc748af13a"
}
],
"title": "wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53717",
"datePublished": "2025-10-22T13:23:50.161Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2025-10-22T13:23:50.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39984 (GCVE-0-2025-39984)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Update napi->skb after XDP process
The syzbot report a UAF issue:
BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079
CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
napi_frags_skb net/core/gro.c:723 [inline]
napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 6079:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:330 [inline]
__kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558
kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]
napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295
__alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657
napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
napi_get_frags+0x69/0x140 net/core/gro.c:673
tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6079:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4797
skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969
netif_skb_check_for_xdp net/core/dev.c:5390 [inline]
netif_receive_generic_xdp net/core/dev.c:5431 [inline]
do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499
tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in
generic mode"), the original skb may be freed in skb_pp_cow_data() when
XDP program was attached, which was allocated in tun_napi_alloc_frags().
However, the napi->skb still point to the original skb, update it after
XDP process.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "953200d56fc23eebf80a5ad9eed6e2e8a3065093",
"status": "affected",
"version": "e6d5dbdd20aa6a86974af51deb9414cd2e7794cb",
"versionType": "git"
},
{
"lessThan": "1697577e1669b0321d02cd848384a5d33e284296",
"status": "affected",
"version": "e6d5dbdd20aa6a86974af51deb9414cd2e7794cb",
"versionType": "git"
},
{
"lessThan": "1091860a16a86ccdd77c09f2b21a5f634f5ab9ec",
"status": "affected",
"version": "e6d5dbdd20aa6a86974af51deb9414cd2e7794cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Update napi-\u003eskb after XDP process\n\nThe syzbot report a UAF issue:\n\n BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]\n BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079\n CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n napi_frags_skb net/core/gro.c:723 [inline]\n napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n Allocated by task 6079:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:330 [inline]\n __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558\n kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]\n napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295\n __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657\n napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811\n napi_get_frags+0x69/0x140 net/core/gro.c:673\n tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]\n tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 6079:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2422 [inline]\n slab_free mm/slub.c:4695 [inline]\n kmem_cache_free+0x18f/0x400 mm/slub.c:4797\n skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969\n netif_skb_check_for_xdp net/core/dev.c:5390 [inline]\n netif_receive_generic_xdp net/core/dev.c:5431 [inline]\n do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499\n tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAfter commit e6d5dbdd20aa (\"xdp: add multi-buff support for xdp running in\ngeneric mode\"), the original skb may be freed in skb_pp_cow_data() when\nXDP program was attached, which was allocated in tun_napi_alloc_frags().\nHowever, the napi-\u003eskb still point to the original skb, update it after\nXDP process."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:03.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/953200d56fc23eebf80a5ad9eed6e2e8a3065093"
},
{
"url": "https://git.kernel.org/stable/c/1697577e1669b0321d02cd848384a5d33e284296"
},
{
"url": "https://git.kernel.org/stable/c/1091860a16a86ccdd77c09f2b21a5f634f5ab9ec"
}
],
"title": "net: tun: Update napi-\u003eskb after XDP process",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39984",
"datePublished": "2025-10-15T07:56:03.438Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:03.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53175 (GCVE-0-2023-53175)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation
When a Linux VM with an assigned PCI device runs on Hyper-V, if the PCI
device driver is not loaded yet (i.e. MSI-X/MSI is not enabled on the
device yet), doing a VM hibernation triggers a panic in
hv_pci_restore_msi_msg() -> msi_lock_descs(&pdev->dev), because
pdev->dev.msi.data is still NULL.
Avoid the panic by checking if MSI-X/MSI is enabled.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pci-hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "223fc5352054900f70b8b5e10cfc2f297e70c512",
"status": "affected",
"version": "dc2b453290c471266a2d56d7ead981e3c5cea05e",
"versionType": "git"
},
{
"lessThan": "d0687755407b21d252b98dca6be459153a60c62a",
"status": "affected",
"version": "dc2b453290c471266a2d56d7ead981e3c5cea05e",
"versionType": "git"
},
{
"lessThan": "e32fc2168aa6b477290392ddbb73d95f012b050c",
"status": "affected",
"version": "dc2b453290c471266a2d56d7ead981e3c5cea05e",
"versionType": "git"
},
{
"lessThan": "04bbe863241a9be7d57fb4cf217ee4a72f480e70",
"status": "affected",
"version": "dc2b453290c471266a2d56d7ead981e3c5cea05e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pci-hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation\n\nWhen a Linux VM with an assigned PCI device runs on Hyper-V, if the PCI\ndevice driver is not loaded yet (i.e. MSI-X/MSI is not enabled on the\ndevice yet), doing a VM hibernation triggers a panic in\nhv_pci_restore_msi_msg() -\u003e msi_lock_descs(\u0026pdev-\u003edev), because\npdev-\u003edev.msi.data is still NULL.\n\nAvoid the panic by checking if MSI-X/MSI is enabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:09.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/223fc5352054900f70b8b5e10cfc2f297e70c512"
},
{
"url": "https://git.kernel.org/stable/c/d0687755407b21d252b98dca6be459153a60c62a"
},
{
"url": "https://git.kernel.org/stable/c/e32fc2168aa6b477290392ddbb73d95f012b050c"
},
{
"url": "https://git.kernel.org/stable/c/04bbe863241a9be7d57fb4cf217ee4a72f480e70"
}
],
"title": "PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53175",
"datePublished": "2025-09-15T14:04:09.618Z",
"dateReserved": "2025-09-15T13:59:19.064Z",
"dateUpdated": "2025-09-15T14:04:09.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53479 (GCVE-0-2023-53479)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
KASAN and KFENCE detected an user-after-free in the CXL driver. This
happens in the cxl_decoder_add() fail path. KASAN prints the following
error:
BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)
This happens in cxl_parse_cfmws(), where put_device() is called,
releasing cxld, which is accessed later.
Use the local variables in the dev_err() instead of pointing to the
released memory. Since the dev_err() is printing a resource, change the open
coded print format to use the %pr format specifier.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cxl/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "748fadc08bcbdaf573b34d9784bb3dbd87441dbf",
"status": "affected",
"version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb",
"versionType": "git"
},
{
"lessThan": "316db489647b8ddc381682597e89787eac61a278",
"status": "affected",
"version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb",
"versionType": "git"
},
{
"lessThan": "4cf67d3cc9994a59cf77bb9c0ccf9007fe916afe",
"status": "affected",
"version": "e50fe01e1f2a4aba2275edee7d5c77ac87674ddb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cxl/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/acpi: Fix a use-after-free in cxl_parse_cfmws()\n\nKASAN and KFENCE detected an user-after-free in the CXL driver. This\nhappens in the cxl_decoder_add() fail path. KASAN prints the following\nerror:\n\n BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)\n\nThis happens in cxl_parse_cfmws(), where put_device() is called,\nreleasing cxld, which is accessed later.\n\nUse the local variables in the dev_err() instead of pointing to the\nreleased memory. Since the dev_err() is printing a resource, change the open\ncoded print format to use the %pr format specifier."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:47.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/748fadc08bcbdaf573b34d9784bb3dbd87441dbf"
},
{
"url": "https://git.kernel.org/stable/c/316db489647b8ddc381682597e89787eac61a278"
},
{
"url": "https://git.kernel.org/stable/c/4cf67d3cc9994a59cf77bb9c0ccf9007fe916afe"
}
],
"title": "cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53479",
"datePublished": "2025-10-01T11:42:47.987Z",
"dateReserved": "2025-10-01T11:39:39.401Z",
"dateUpdated": "2025-10-01T11:42:47.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53173 (GCVE-0-2024-53173)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-11-03 20:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
Yang Erkun reports that when two threads are opening files at the same
time, and are forced to abort before a reply is seen, then the call to
nfs_release_seqid() in nfs4_opendata_free() can result in a
use-after-free of the pointer to the defunct rpc task of the other
thread.
The fix is to ensure that if the RPC call is aborted before the call to
nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()
in nfs4_open_release() before the rpc_task is freed.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 Version: 24ac23ab88df5b21b5b2df8cde748bf99b289099 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:43:40.051195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:27.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:47:06.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cfae9575296f5040cdc84b0730e79078c081d2d",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "7bf6bf130af8ee7d93a99c28a7512df3017ec759",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "5237a297ffd374a1c4157a53543b7a69d7bbbc03",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "2ab9639f16b05d948066a6c4cf19a0fdc61046ff",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "ba6e6c04f60fe52d91520ac4d749d372d4c74521",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "229a30ed42bb87bcb044c5523fabd9e4f0e75648",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "b56ae8e715557b4fc227c9381d2e681ffafe7b15",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
},
{
"lessThan": "2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889",
"status": "affected",
"version": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.0: Fix a use-after-free problem in the asynchronous open()\n\nYang Erkun reports that when two threads are opening files at the same\ntime, and are forced to abort before a reply is seen, then the call to\nnfs_release_seqid() in nfs4_opendata_free() can result in a\nuse-after-free of the pointer to the defunct rpc task of the other\nthread.\nThe fix is to ensure that if the RPC call is aborted before the call to\nnfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()\nin nfs4_open_release() before the rpc_task is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:53.469Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d"
},
{
"url": "https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759"
},
{
"url": "https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03"
},
{
"url": "https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff"
},
{
"url": "https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521"
},
{
"url": "https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648"
},
{
"url": "https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77"
},
{
"url": "https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15"
},
{
"url": "https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889"
}
],
"title": "NFSv4.0: Fix a use-after-free problem in the asynchronous open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53173",
"datePublished": "2024-12-27T13:49:17.981Z",
"dateReserved": "2024-11-19T17:17:25.006Z",
"dateUpdated": "2025-11-03T20:47:06.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8805 (GCVE-0-2024-8805)
Vulnerability from cvelistv5
Published
2024-11-22 21:02
Modified
2025-11-03 22:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bluez:bluez:5.77:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bluez",
"vendor": "bluez",
"versions": [
{
"status": "affected",
"version": "5.77"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T15:15:28.447300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T14:42:11.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:33:02.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "BlueZ",
"vendor": "BlueZ",
"versions": [
{
"status": "affected",
"version": "5.77"
}
]
}
],
"dateAssigned": "2024-09-13T17:57:29.700Z",
"datePublic": "2024-09-17T16:05:38.915Z",
"descriptions": [
{
"lang": "en",
"value": "BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T21:02:52.231Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1229",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1229/"
}
],
"source": {
"lang": "en",
"value": "MICHAEL RANDRIANANTENAINA [https://elkamika.blogspot.com/]"
},
"title": "BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-8805",
"datePublished": "2024-11-22T21:02:52.231Z",
"dateReserved": "2024-09-13T17:57:29.617Z",
"dateUpdated": "2025-11-03T22:33:02.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40037 (GCVE-0-2025-40037)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: simplefb: Fix use after free in simplefb_detach_genpds()
The pm_domain cleanup can not be devres managed as it uses struct
simplefb_par which is allocated within struct fb_info by
framebuffer_alloc(). This allocation is explicitly freed by
unregister_framebuffer() in simplefb_remove().
Devres managed cleanup runs after the device remove call and thus can no
longer access struct simplefb_par.
Call simplefb_detach_genpds() explicitly from simplefb_destroy() like
the cleanup functions for clocks and regulators.
Fixes an use after free on M2 Mac mini during
aperture_remove_conflicting_devices() using the downstream asahi kernel
with Debian's kernel config. For unknown reasons this started to
consistently dereference an invalid pointer in v6.16.3 based kernels.
[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220
[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227
[ 6.750697]
[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY
[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC
[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)
[ 6.752189] Call trace:
[ 6.752190] show_stack+0x34/0x98 (C)
[ 6.752194] dump_stack_lvl+0x60/0x80
[ 6.752197] print_report+0x17c/0x4d8
[ 6.752201] kasan_report+0xb4/0x100
[ 6.752206] __asan_report_load4_noabort+0x20/0x30
[ 6.752209] simplefb_detach_genpds+0x58/0x220
[ 6.752213] devm_action_release+0x50/0x98
[ 6.752216] release_nodes+0xd0/0x2c8
[ 6.752219] devres_release_all+0xfc/0x178
[ 6.752221] device_unbind_cleanup+0x28/0x168
[ 6.752224] device_release_driver_internal+0x34c/0x470
[ 6.752228] device_release_driver+0x20/0x38
[ 6.752231] bus_remove_device+0x1b0/0x380
[ 6.752234] device_del+0x314/0x820
[ 6.752238] platform_device_del+0x3c/0x1e8
[ 6.752242] platform_device_unregister+0x20/0x50
[ 6.752246] aperture_detach_platform_device+0x1c/0x30
[ 6.752250] aperture_detach_devices+0x16c/0x290
[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50
...
[ 6.752343]
[ 6.967409] Allocated by task 62:
[ 6.970724] kasan_save_stack+0x3c/0x70
[ 6.974560] kasan_save_track+0x20/0x40
[ 6.978397] kasan_save_alloc_info+0x40/0x58
[ 6.982670] __kasan_kmalloc+0xd4/0xd8
[ 6.986420] __kmalloc_noprof+0x194/0x540
[ 6.990432] framebuffer_alloc+0xc8/0x130
[ 6.994444] simplefb_probe+0x258/0x2378
...
[ 7.054356]
[ 7.055838] Freed by task 227:
[ 7.058891] kasan_save_stack+0x3c/0x70
[ 7.062727] kasan_save_track+0x20/0x40
[ 7.066565] kasan_save_free_info+0x4c/0x80
[ 7.070751] __kasan_slab_free+0x6c/0xa0
[ 7.074675] kfree+0x10c/0x380
[ 7.077727] framebuffer_release+0x5c/0x90
[ 7.081826] simplefb_destroy+0x1b4/0x2c0
[ 7.085837] put_fb_info+0x98/0x100
[ 7.089326] unregister_framebuffer+0x178/0x320
[ 7.093861] simplefb_remove+0x3c/0x60
[ 7.097611] platform_remove+0x60/0x98
[ 7.101361] device_remove+0xb8/0x160
[ 7.105024] device_release_driver_internal+0x2fc/0x470
[ 7.110256] device_release_driver+0x20/0x38
[ 7.114529] bus_remove_device+0x1b0/0x380
[ 7.118628] device_del+0x314/0x820
[ 7.122116] platform_device_del+0x3c/0x1e8
[ 7.126302] platform_device_unregister+0x20/0x50
[ 7.131012] aperture_detach_platform_device+0x1c/0x30
[ 7.136157] aperture_detach_devices+0x16c/0x290
[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50
...
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1deb39cfd614fb2f278b71011692a8dbf0f05ba",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
},
{
"lessThan": "b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
},
{
"lessThan": "da1bb9135213744e7ec398826c8f2e843de4fb94",
"status": "affected",
"version": "92a511a568e44cf11681a2223cae4d576a1a515d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian\u0027s kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[ 6.750697]\n[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY\n[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[ 6.752189] Call trace:\n[ 6.752190] show_stack+0x34/0x98 (C)\n[ 6.752194] dump_stack_lvl+0x60/0x80\n[ 6.752197] print_report+0x17c/0x4d8\n[ 6.752201] kasan_report+0xb4/0x100\n[ 6.752206] __asan_report_load4_noabort+0x20/0x30\n[ 6.752209] simplefb_detach_genpds+0x58/0x220\n[ 6.752213] devm_action_release+0x50/0x98\n[ 6.752216] release_nodes+0xd0/0x2c8\n[ 6.752219] devres_release_all+0xfc/0x178\n[ 6.752221] device_unbind_cleanup+0x28/0x168\n[ 6.752224] device_release_driver_internal+0x34c/0x470\n[ 6.752228] device_release_driver+0x20/0x38\n[ 6.752231] bus_remove_device+0x1b0/0x380\n[ 6.752234] device_del+0x314/0x820\n[ 6.752238] platform_device_del+0x3c/0x1e8\n[ 6.752242] platform_device_unregister+0x20/0x50\n[ 6.752246] aperture_detach_platform_device+0x1c/0x30\n[ 6.752250] aperture_detach_devices+0x16c/0x290\n[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50\n...\n[ 6.752343]\n[ 6.967409] Allocated by task 62:\n[ 6.970724] kasan_save_stack+0x3c/0x70\n[ 6.974560] kasan_save_track+0x20/0x40\n[ 6.978397] kasan_save_alloc_info+0x40/0x58\n[ 6.982670] __kasan_kmalloc+0xd4/0xd8\n[ 6.986420] __kmalloc_noprof+0x194/0x540\n[ 6.990432] framebuffer_alloc+0xc8/0x130\n[ 6.994444] simplefb_probe+0x258/0x2378\n...\n[ 7.054356]\n[ 7.055838] Freed by task 227:\n[ 7.058891] kasan_save_stack+0x3c/0x70\n[ 7.062727] kasan_save_track+0x20/0x40\n[ 7.066565] kasan_save_free_info+0x4c/0x80\n[ 7.070751] __kasan_slab_free+0x6c/0xa0\n[ 7.074675] kfree+0x10c/0x380\n[ 7.077727] framebuffer_release+0x5c/0x90\n[ 7.081826] simplefb_destroy+0x1b4/0x2c0\n[ 7.085837] put_fb_info+0x98/0x100\n[ 7.089326] unregister_framebuffer+0x178/0x320\n[ 7.093861] simplefb_remove+0x3c/0x60\n[ 7.097611] platform_remove+0x60/0x98\n[ 7.101361] device_remove+0xb8/0x160\n[ 7.105024] device_release_driver_internal+0x2fc/0x470\n[ 7.110256] device_release_driver+0x20/0x38\n[ 7.114529] bus_remove_device+0x1b0/0x380\n[ 7.118628] device_del+0x314/0x820\n[ 7.122116] platform_device_del+0x3c/0x1e8\n[ 7.126302] platform_device_unregister+0x20/0x50\n[ 7.131012] aperture_detach_platform_device+0x1c/0x30\n[ 7.136157] aperture_detach_devices+0x16c/0x290\n[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:18.274Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba"
},
{
"url": "https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"
},
{
"url": "https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94"
}
],
"title": "fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40037",
"datePublished": "2025-10-28T11:48:18.274Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-10-28T11:48:18.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53632 (GCVE-0-2023-53632)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Take RTNL lock when needed before calling xdp_set_features()
Hold RTNL lock when calling xdp_set_features() with a registered netdev,
as the call triggers the netdev notifiers. This could happen when
switching from uplink rep to nic profile for example.
This resolves the following call trace:
RTNL: assertion failed at net/core/dev.c (1953)
WARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80
Modules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]
CPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80
Code: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec
RSP: 0018:ffff8882a21c3948 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027
RDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0
RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003
R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968
R13: ffff88811c018940 R14: 0000000000000000 R15: ffff8881274401a0
FS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x79/0x120
? call_netdevice_notifiers_info+0x7c/0x80
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? call_netdevice_notifiers_info+0x7c/0x80
? call_netdevice_notifiers_info+0x7c/0x80
call_netdevice_notifiers+0x2e/0x50
mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]
mlx5e_nic_init+0xf1/0x1a0 [mlx5_core]
mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]
mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]
mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]
mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]
mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core]
__esw_offloads_unload_rep+0x52/0x60 [mlx5_core]
mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core]
esw_offloads_unload_rep+0x34/0x70 [mlx5_core]
esw_offloads_disable+0x2b/0x90 [mlx5_core]
mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core]
mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core]
? devlink_get_from_attrs_lock+0x9e/0x110
devlink_nl_cmd_eswitch_set_doit+0x60/0xe0
genl_family_rcv_msg_doit.isra.0+0xc2/0x110
genl_rcv_msg+0x17d/0x2b0
? devlink_get_from_attrs_lock+0x110/0x110
? devlink_nl_cmd_eswitch_get_doit+0x290/0x290
? devlink_pernet_pre_exit+0xf0/0xf0
? genl_family_rcv_msg_doit.isra.0+0x110/0x110
netlink_rcv_skb+0x54/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x1f6/0x2c0
netlink_sendmsg+0x232/0x4a0
sock_sendmsg+0x38/0x60
? _copy_from_user+0x2a/0x60
__sys_sendto+0x110/0x160
? __count_memcg_events+0x48/0x90
? handle_mm_fault+0x161/0x260
? do_user_addr_fault+0x278/0x6e0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x3d/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16b7775ae4389dd1e885732ea610321c64284e5f",
"status": "affected",
"version": "4d5ab0ad964df178beba031b89429a601893ff61",
"versionType": "git"
},
{
"lessThan": "72cc654970658e88a1cdea08f06b11c218efa4da",
"status": "affected",
"version": "4d5ab0ad964df178beba031b89429a601893ff61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Take RTNL lock when needed before calling xdp_set_features()\n\nHold RTNL lock when calling xdp_set_features() with a registered netdev,\nas the call triggers the netdev notifiers. This could happen when\nswitching from uplink rep to nic profile for example.\n\nThis resolves the following call trace:\n\nRTNL: assertion failed at net/core/dev.c (1953)\nWARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80\nModules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\nCPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:call_netdevice_notifiers_info+0x7c/0x80\nCode: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff \u003c0f\u003e 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec\nRSP: 0018:ffff8882a21c3948 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027\nRDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0\nRBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003\nR10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968\nR13: ffff88811c018940 R14: 0000000000000000 R15: ffff8881274401a0\nFS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __warn+0x79/0x120\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? call_netdevice_notifiers_info+0x7c/0x80\n call_netdevice_notifiers+0x2e/0x50\n mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]\n mlx5e_nic_init+0xf1/0x1a0 [mlx5_core]\n mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]\n mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]\n mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]\n mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]\n mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core]\n __esw_offloads_unload_rep+0x52/0x60 [mlx5_core]\n mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core]\n esw_offloads_unload_rep+0x34/0x70 [mlx5_core]\n esw_offloads_disable+0x2b/0x90 [mlx5_core]\n mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core]\n ? devlink_get_from_attrs_lock+0x9e/0x110\n devlink_nl_cmd_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit.isra.0+0xc2/0x110\n genl_rcv_msg+0x17d/0x2b0\n ? devlink_get_from_attrs_lock+0x110/0x110\n ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290\n ? devlink_pernet_pre_exit+0xf0/0xf0\n ? genl_family_rcv_msg_doit.isra.0+0x110/0x110\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1f6/0x2c0\n netlink_sendmsg+0x232/0x4a0\n sock_sendmsg+0x38/0x60\n ? _copy_from_user+0x2a/0x60\n __sys_sendto+0x110/0x160\n ? __count_memcg_events+0x48/0x90\n ? handle_mm_fault+0x161/0x260\n ? do_user_addr_fault+0x278/0x6e0\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:34.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16b7775ae4389dd1e885732ea610321c64284e5f"
},
{
"url": "https://git.kernel.org/stable/c/72cc654970658e88a1cdea08f06b11c218efa4da"
}
],
"title": "net/mlx5e: Take RTNL lock when needed before calling xdp_set_features()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53632",
"datePublished": "2025-10-07T15:19:34.970Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:34.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53491 (GCVE-0-2023-53491)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
start_kernel: Add __no_stack_protector function attribute
Back during the discussion of
commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")
we discussed the need for a function attribute to control the omission
of stack protectors on a per-function basis; at the time Clang had
support for no_stack_protector but GCC did not. This was fixed in
gcc-11. Now that the function attribute is available, let's start using
it.
Callers of boot_init_stack_canary need to use this function attribute
unless they're compiled with -fno-stack-protector, otherwise the canary
stored in the stack slot of the caller will differ upon the call to
boot_init_stack_canary. This will lead to a call to __stack_chk_fail()
then panic.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/smp.c",
"include/linux/compiler_attributes.h",
"init/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25e73018b4093e0cfbcec5dc4a4bb86d0b69ed56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "514ca14ed5444b911de59ed3381dfd195d99fe4b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/smp.c",
"include/linux/compiler_attributes.h",
"init/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstart_kernel: Add __no_stack_protector function attribute\n\nBack during the discussion of\ncommit a9a3ed1eff36 (\"x86: Fix early boot crash on gcc-10, third try\")\nwe discussed the need for a function attribute to control the omission\nof stack protectors on a per-function basis; at the time Clang had\nsupport for no_stack_protector but GCC did not. This was fixed in\ngcc-11. Now that the function attribute is available, let\u0027s start using\nit.\n\nCallers of boot_init_stack_canary need to use this function attribute\nunless they\u0027re compiled with -fno-stack-protector, otherwise the canary\nstored in the stack slot of the caller will differ upon the call to\nboot_init_stack_canary. This will lead to a call to __stack_chk_fail()\nthen panic."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:43.101Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25e73018b4093e0cfbcec5dc4a4bb86d0b69ed56"
},
{
"url": "https://git.kernel.org/stable/c/514ca14ed5444b911de59ed3381dfd195d99fe4b"
}
],
"title": "start_kernel: Add __no_stack_protector function attribute",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53491",
"datePublished": "2025-10-01T11:45:43.101Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:43.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39946 (GCVE-0-2025-39946)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: make sure to abort the stream if headers are bogus
Normally we wait for the socket to buffer up the whole record
before we service it. If the socket has a tiny buffer, however,
we read out the data sooner, to prevent connection stalls.
Make sure that we abort the connection when we find out late
that the record is actually invalid. Retrying the parsing is
fine in itself but since we copy some more data each time
before we parse we can overflow the allocated skb space.
Constructing a scenario in which we're under pressure without
enough data in the socket to parse the length upfront is quite
hard. syzbot figured out a way to do this by serving us the header
in small OOB sends, and then filling in the recvbuf with a large
normal send.
Make sure that tls_rx_msg_size() aborts strp, if we reach
an invalid record there's really no way to recover.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls.h",
"net/tls/tls_strp.c",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b36462146d86b1f22e594fe4dae611dffacfb203",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "4cefe5be73886f383639fe0850bb72d5b568a7b9",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "208640e6225cc929a05adbf79d1df558add3e231",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "61ca2da5fb8f433ce8bbd1657c84a86272133e6b",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls.h",
"net/tls/tls_strp.c",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: make sure to abort the stream if headers are bogus\n\nNormally we wait for the socket to buffer up the whole record\nbefore we service it. If the socket has a tiny buffer, however,\nwe read out the data sooner, to prevent connection stalls.\nMake sure that we abort the connection when we find out late\nthat the record is actually invalid. Retrying the parsing is\nfine in itself but since we copy some more data each time\nbefore we parse we can overflow the allocated skb space.\n\nConstructing a scenario in which we\u0027re under pressure without\nenough data in the socket to parse the length upfront is quite\nhard. syzbot figured out a way to do this by serving us the header\nin small OOB sends, and then filling in the recvbuf with a large\nnormal send.\n\nMake sure that tls_rx_msg_size() aborts strp, if we reach\nan invalid record there\u0027s really no way to recover."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:07.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b36462146d86b1f22e594fe4dae611dffacfb203"
},
{
"url": "https://git.kernel.org/stable/c/4cefe5be73886f383639fe0850bb72d5b568a7b9"
},
{
"url": "https://git.kernel.org/stable/c/208640e6225cc929a05adbf79d1df558add3e231"
},
{
"url": "https://git.kernel.org/stable/c/61ca2da5fb8f433ce8bbd1657c84a86272133e6b"
},
{
"url": "https://git.kernel.org/stable/c/0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d"
}
],
"title": "tls: make sure to abort the stream if headers are bogus",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39946",
"datePublished": "2025-10-04T07:31:07.871Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:07.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38499 (GCVE-0-2025-38499)
Vulnerability from cvelistv5
Published
2025-08-11 16:01
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.
clone_private_mnt() checks the former, but not the latter.
There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: 427215d85e8d1476da1a86b8d67aceb485eb3631 Version: c6e8810d25295acb40a7b69ed3962ff181919571 Version: e3eee87c846dc47f6d8eb6d85e7271f24122a279 Version: 517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce Version: 963d85d630dabe75a3cfde44a006fec3304d07b8 Version: 812f39ed5b0b7f34868736de3055c92c7c4cf459 Version: 6a002d48a66076524f67098132538bef17e8445e Version: 41812f4b84484530057513478c6770590347dc30 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:08.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36fecd740de2d542d2091d65d36554ee2bcf9c65",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "d717325b5ecf2a40daca85c61923e17f32306179",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "dc6a664089f10eab0fb36b6e4f705022210191d2",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "e77078e52fbf018ab986efb3c79065ab35025607",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "38628ae06e2a37770cd794802a3f1310cf9846e3",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "c28f922c9dcee0e4876a2c095939d77fe7e15116",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"status": "affected",
"version": "c6e8810d25295acb40a7b69ed3962ff181919571",
"versionType": "git"
},
{
"status": "affected",
"version": "e3eee87c846dc47f6d8eb6d85e7271f24122a279",
"versionType": "git"
},
{
"status": "affected",
"version": "517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce",
"versionType": "git"
},
{
"status": "affected",
"version": "963d85d630dabe75a3cfde44a006fec3304d07b8",
"versionType": "git"
},
{
"status": "affected",
"version": "812f39ed5b0b7f34868736de3055c92c7c4cf459",
"versionType": "git"
},
{
"status": "affected",
"version": "6a002d48a66076524f67098132538bef17e8445e",
"versionType": "git"
},
{
"status": "affected",
"version": "41812f4b84484530057513478c6770590347dc30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:32.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"
},
{
"url": "https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"
},
{
"url": "https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"
},
{
"url": "https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"
},
{
"url": "https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"
},
{
"url": "https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"
}
],
"title": "clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38499",
"datePublished": "2025-08-11T16:01:08.257Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:08.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38681 (GCVE-0-2025-38681)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
Memory hot remove unmaps and tears down various kernel page table regions
as required. The ptdump code can race with concurrent modifications of
the kernel page tables. When leaf entries are modified concurrently, the
dump code may log stale or inconsistent information for a VA range, but
this is otherwise not harmful.
But when intermediate levels of kernel page table are freed, the dump code
will continue to use memory that has been freed and potentially
reallocated for another purpose. In such cases, the ptdump code may
dereference bogus addresses, leading to a number of potential problems.
To avoid the above mentioned race condition, platforms such as arm64,
riscv and s390 take memory hotplug lock, while dumping kernel page table
via the sysfs interface /sys/kernel/debug/kernel_page_tables.
Similar race condition exists while checking for pages that might have
been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
which in turn calls ptdump_check_wx(). Instead of solving this race
condition again, let's just move the memory hotplug lock inside generic
ptdump_check_wx() which will benefit both the scenarios.
Drop get_online_mems() and put_online_mems() combination from all existing
platform ptdump code paths.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b Version: bbd6ec605c0fc286c3f8ce60b4ed44635361d58b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:07.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/ptdump_debugfs.c",
"arch/riscv/mm/ptdump.c",
"arch/s390/mm/dump_pagetables.c",
"mm/ptdump.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ee9a8c27bfd72c3f465004fa8455785d61be5e8",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "69bea84b06b5e779627e7afdbf4b60a7d231c76f",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "ac25ec5fa2bf6e606dc7954488e4dded272fa9cd",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "1636b5e9c3543b87d673e32a47e7c18698882425",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "ff40839e018b82c4d756d035f34a63aa2d93be83",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "67995d4244694928ce701928e530b5b4adeb17b4",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "ca8c414499f2e5337a95a76be0d21b728ee31c6b",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
},
{
"lessThan": "59305202c67fea50378dcad0cc199dbc13a0e99a",
"status": "affected",
"version": "bbd6ec605c0fc286c3f8ce60b4ed44635361d58b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/ptdump_debugfs.c",
"arch/riscv/mm/ptdump.c",
"arch/s390/mm/dump_pagetables.c",
"mm/ptdump.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required. The ptdump code can race with concurrent modifications of\nthe kernel page tables. When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose. In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx(). Instead of solving this race\ncondition again, let\u0027s just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:52.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8"
},
{
"url": "https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76f"
},
{
"url": "https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cd"
},
{
"url": "https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425"
},
{
"url": "https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83"
},
{
"url": "https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4"
},
{
"url": "https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6b"
},
{
"url": "https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99a"
}
],
"title": "mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38681",
"datePublished": "2025-09-04T15:32:36.681Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-11-03T17:41:07.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50580 (GCVE-0-2022-50580)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: prevent overflow while calculating wait time
There is a problem found by code review in tg_with_in_bps_limit() that
'bps_limit * jiffy_elapsed_rnd' might overflow. Fix the problem by
calling mul_u64_u64_div_u64() instead.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19c010ae44f0ce52b5436080492a61a092ee0cf4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70b2adb1d698fbc63d3b3848c452524dc15872c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cc6f0855bf8d9b729df28ff443ced7350c380dbd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca67b0563b39e79290c23e509319c178b9ca9104",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d6bbaada2e0a65f9012ac4c2506460160e7237a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: prevent overflow while calculating wait time\n\nThere is a problem found by code review in tg_with_in_bps_limit() that\n\u0027bps_limit * jiffy_elapsed_rnd\u0027 might overflow. Fix the problem by\ncalling mul_u64_u64_div_u64() instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:32.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19c010ae44f0ce52b5436080492a61a092ee0cf4"
},
{
"url": "https://git.kernel.org/stable/c/70b2adb1d698fbc63d3b3848c452524dc15872c5"
},
{
"url": "https://git.kernel.org/stable/c/cc6f0855bf8d9b729df28ff443ced7350c380dbd"
},
{
"url": "https://git.kernel.org/stable/c/ca67b0563b39e79290c23e509319c178b9ca9104"
},
{
"url": "https://git.kernel.org/stable/c/8d6bbaada2e0a65f9012ac4c2506460160e7237a"
}
],
"title": "blk-throttle: prevent overflow while calculating wait time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50580",
"datePublished": "2025-10-22T13:23:32.808Z",
"dateReserved": "2025-10-22T13:20:23.762Z",
"dateUpdated": "2025-10-22T13:23:32.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39987 (GCVE-0-2025-39987)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, hi3110_hard_start_xmit() receives a CAN XL frame which it is
not able to correctly handle and will thus misinterpret it as a CAN
frame. The driver will consume frame->len as-is with no further
checks.
This can result in a buffer overflow later on in hi3110_hw_tx() on
this line:
memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,
frame->data, frame->len);
Here, frame->len corresponds to the flags field of the CAN XL frame.
In our previous example, we set canxl_frame->flags to 0xff. Because
the maximum expected length is 8, a buffer overflow of 247 bytes
occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2c247e9581024d8b3dd44cbe086bf2bebbef42c",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "8f351db6b2367991f0736b2cff082f5de4872113",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "7ab85762274c0fa997f0ef9a2307b2001aae43c4",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "57d332ce8c921d0e340650470bb0c1d707f216ee",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "be1b25005fd0f9d4e78bec6695711ef87ee33398",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "def814b4ba31b563584061d6895d5ff447d5bc14",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "e77fdf9e33a83a08f04ab0cb68c19ddb365a622f",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "ac1c7656fa717f29fac3ea073af63f0b9919ec9a",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, hi3110_hard_start_xmit() receives a CAN XL frame which it is\nnot able to correctly handle and will thus misinterpret it as a CAN\nframe. The driver will consume frame-\u003elen as-is with no further\nchecks.\n\nThis can result in a buffer overflow later on in hi3110_hw_tx() on\nthis line:\n\n\tmemcpy(buf + HI3110_FIFO_EXT_DATA_OFF,\n\t frame-\u003edata, frame-\u003elen);\n\nHere, frame-\u003elen corresponds to the flags field of the CAN XL frame.\nIn our previous example, we set canxl_frame-\u003eflags to 0xff. Because\nthe maximum expected length is 8, a buffer overflow of 247 bytes\noccurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2c247e9581024d8b3dd44cbe086bf2bebbef42c"
},
{
"url": "https://git.kernel.org/stable/c/8f351db6b2367991f0736b2cff082f5de4872113"
},
{
"url": "https://git.kernel.org/stable/c/7ab85762274c0fa997f0ef9a2307b2001aae43c4"
},
{
"url": "https://git.kernel.org/stable/c/57d332ce8c921d0e340650470bb0c1d707f216ee"
},
{
"url": "https://git.kernel.org/stable/c/be1b25005fd0f9d4e78bec6695711ef87ee33398"
},
{
"url": "https://git.kernel.org/stable/c/def814b4ba31b563584061d6895d5ff447d5bc14"
},
{
"url": "https://git.kernel.org/stable/c/e77fdf9e33a83a08f04ab0cb68c19ddb365a622f"
},
{
"url": "https://git.kernel.org/stable/c/ac1c7656fa717f29fac3ea073af63f0b9919ec9a"
}
],
"title": "can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39987",
"datePublished": "2025-10-15T07:56:05.878Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39846 (GCVE-0-2025-39846)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to
res and used in pci_bus_alloc_resource(). There is a dereference of res
in pci_bus_alloc_resource(), which could lead to a NULL pointer
dereference on failure of pcmcia_make_resource().
Fix this bug by adding a check of res.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 Version: 49b1153adfe18a3cce7e70aa26c690f275917cd0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:02.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_iodyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b990c8c6ff50649ad3352507398e443b1e3527b2",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "5ff2826c998370bf7f9ae26fe802140d220e3510",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "4bd570f494124608a0696da070f00236a96fb610",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "ce3b7766276894d2fbb07e2047a171f9deb965de",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "2ee32c4c4f636e474cd8ab7c19a68cf36072ea93",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "fafa7450075f41d232bc785a4ebcbf16374f2076",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "d7286005e8fde0a430dc180a9f46c088c7d74483",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
},
{
"lessThan": "44822df89e8f3386871d9cad563ece8e2fd8f0e7",
"status": "affected",
"version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_iodyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:56.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b990c8c6ff50649ad3352507398e443b1e3527b2"
},
{
"url": "https://git.kernel.org/stable/c/5ff2826c998370bf7f9ae26fe802140d220e3510"
},
{
"url": "https://git.kernel.org/stable/c/4bd570f494124608a0696da070f00236a96fb610"
},
{
"url": "https://git.kernel.org/stable/c/ce3b7766276894d2fbb07e2047a171f9deb965de"
},
{
"url": "https://git.kernel.org/stable/c/2ee32c4c4f636e474cd8ab7c19a68cf36072ea93"
},
{
"url": "https://git.kernel.org/stable/c/fafa7450075f41d232bc785a4ebcbf16374f2076"
},
{
"url": "https://git.kernel.org/stable/c/d7286005e8fde0a430dc180a9f46c088c7d74483"
},
{
"url": "https://git.kernel.org/stable/c/44822df89e8f3386871d9cad563ece8e2fd8f0e7"
}
],
"title": "pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39846",
"datePublished": "2025-09-19T15:26:19.932Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:02.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38498 (GCVE-0-2025-38498)
Vulnerability from cvelistv5
Published
2025-07-30 06:03
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
do_change_type(): refuse to operate on unmounted/not ours mounts
Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 Version: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:07.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "787937c4e373f1722c4343e5a5a4eb0f8543e589",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "432a171d60056489270c462e651e6c3a13f855b1",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "064014f7812744451d5d0592f3d2bcd727f2ee93",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "4f091ad0862b02dc42a19a120b7048de848561f8",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "19554c79a2095ddde850906a067915c1ef3a4114",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "12f147ddd6de7382dad54812e65f3f08d05809fc",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller\u0027s mount namespace. This change aligns permission checking\nwith the rest of mount(2)."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T06:03:36.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589"
},
{
"url": "https://git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2"
},
{
"url": "https://git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1"
},
{
"url": "https://git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93"
},
{
"url": "https://git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8"
},
{
"url": "https://git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23"
},
{
"url": "https://git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114"
},
{
"url": "https://git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fc"
}
],
"title": "do_change_type(): refuse to operate on unmounted/not ours mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38498",
"datePublished": "2025-07-30T06:03:36.483Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:07.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53547 (GCVE-0-2023-53547)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix sdma v4 sw fini error
Fix sdma v4 sw fini error for sdma 4.2.2 to
solve the following general protection fault
[ +0.108196] general protection fault, probably for non-canonical
address 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI
[ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70
[ +0.000022] Call Trace:
[ +0.000012] <TASK>
[ +0.000011] release_firmware+0x55/0x80
[ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu]
[ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]
[ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "210ef6cd8e634f18fd889421012192b81325b27b",
"status": "affected",
"version": "a2d3b4b81fd49b14782ce0ff68ca74e40f16609a",
"versionType": "git"
},
{
"lessThan": "0ebc02d9ff85626a526353584526da6aa9c96792",
"status": "affected",
"version": "a2d3b4b81fd49b14782ce0ff68ca74e40f16609a",
"versionType": "git"
},
{
"lessThan": "5e08e9c742a00384e5abe74bd40cf4dc15cb3a2e",
"status": "affected",
"version": "a2d3b4b81fd49b14782ce0ff68ca74e40f16609a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix sdma v4 sw fini error\n\nFix sdma v4 sw fini error for sdma 4.2.2 to\nsolve the following general protection fault\n\n[ +0.108196] general protection fault, probably for non-canonical\naddress 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI\n[ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70\n[ +0.000022] Call Trace:\n[ +0.000012] \u003cTASK\u003e\n[ +0.000011] release_firmware+0x55/0x80\n[ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu]\n[ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]\n[ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:29.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/210ef6cd8e634f18fd889421012192b81325b27b"
},
{
"url": "https://git.kernel.org/stable/c/0ebc02d9ff85626a526353584526da6aa9c96792"
},
{
"url": "https://git.kernel.org/stable/c/5e08e9c742a00384e5abe74bd40cf4dc15cb3a2e"
}
],
"title": "drm/amdgpu: Fix sdma v4 sw fini error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53547",
"datePublished": "2025-10-04T15:16:54.794Z",
"dateReserved": "2025-10-04T15:14:15.921Z",
"dateUpdated": "2025-10-29T10:50:29.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53274 (GCVE-0-2023-53274)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: mediatek: mt8183: Add back SSPM related clocks
This reverts commit 860690a93ef23b567f781c1b631623e27190f101.
On the MT8183, the SSPM related clocks were removed claiming a lack of
usage. This however causes some issues when the driver was converted to
the new simple-probe mechanism. This mechanism allocates enough space
for all the clocks defined in the clock driver, not the highest index
in the DT binding. This leads to out-of-bound writes if their are holes
in the DT binding or the driver (due to deprecated or unimplemented
clocks). These errors can go unnoticed and cause memory corruption,
leading to crashes in unrelated areas, or nothing at all. KASAN will
detect them.
Add the SSPM related clocks back to the MT8183 clock driver to fully
implement the DT binding. The SSPM clocks are for the power management
co-processor, and should never be turned off. They are marked as such.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mt8183.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45d69917a4af6c869193f95932dc6d6f15d5ef86",
"status": "affected",
"version": "3f37ba7cc385ba07762ffcd7ac38af8c0f84dd3e",
"versionType": "git"
},
{
"lessThan": "1eb8d61ac5c9c7ec56bb96d433532807509b9288",
"status": "affected",
"version": "3f37ba7cc385ba07762ffcd7ac38af8c0f84dd3e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mt8183.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: mt8183: Add back SSPM related clocks\n\nThis reverts commit 860690a93ef23b567f781c1b631623e27190f101.\n\nOn the MT8183, the SSPM related clocks were removed claiming a lack of\nusage. This however causes some issues when the driver was converted to\nthe new simple-probe mechanism. This mechanism allocates enough space\nfor all the clocks defined in the clock driver, not the highest index\nin the DT binding. This leads to out-of-bound writes if their are holes\nin the DT binding or the driver (due to deprecated or unimplemented\nclocks). These errors can go unnoticed and cause memory corruption,\nleading to crashes in unrelated areas, or nothing at all. KASAN will\ndetect them.\n\nAdd the SSPM related clocks back to the MT8183 clock driver to fully\nimplement the DT binding. The SSPM clocks are for the power management\nco-processor, and should never be turned off. They are marked as such."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:09.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45d69917a4af6c869193f95932dc6d6f15d5ef86"
},
{
"url": "https://git.kernel.org/stable/c/1eb8d61ac5c9c7ec56bb96d433532807509b9288"
}
],
"title": "clk: mediatek: mt8183: Add back SSPM related clocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53274",
"datePublished": "2025-09-16T08:11:09.549Z",
"dateReserved": "2025-09-16T08:09:37.990Z",
"dateUpdated": "2025-09-16T08:11:09.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40082 (GCVE-0-2025-40082)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290
CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x5f0 mm/kasan/report.c:482
kasan_report+0xca/0x100 mm/kasan/report.c:595
hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
</TASK>
Allocated by task 14290:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4333 [inline]
__kmalloc_noprof+0x219/0x540 mm/slub.c:4345
kmalloc_noprof include/linux/slab.h:909 [inline]
hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
When hfsplus_uni2asc is called from hfsplus_listxattr,
it actually passes in a struct hfsplus_attr_unistr*.
The size of the corresponding structure is different from that of hfsplus_unistr,
so the previous fix (94458781aee6) is insufficient.
The pointer on the unicode buffer is still going beyond the allocated memory.
This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and
hfsplus_uni2asc_str to process two unicode buffers,
struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
When ustrlen value is bigger than the allocated memory size,
the ustrlen value is limited to an safe size.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 94458781aee6045bd3d0ad4b80b02886b9e2219b Version: 94458781aee6045bd3d0ad4b80b02886b9e2219b Version: 73f7da507d787b489761a0fa280716f84fa32b2f Version: 76a4c6636a69d69409aa253b049b1be717a539c5 Version: ccf0ad56a779e6704c0b27f555dec847f50c7557 Version: 13604b1d7e7b125fb428cddbec6b8d92baad25d5 Version: 291bb5d931c6f3cd7227b913302a17be21cf53b0 Version: f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee Version: 6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9 Version: 1ca69007e52a73bd8b84b988b61b319816ca8b01 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/dir.c",
"fs/hfsplus/hfsplus_fs.h",
"fs/hfsplus/unicode.c",
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e",
"status": "affected",
"version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
"versionType": "git"
},
{
"lessThan": "bea3e1d4467bcf292c8e54f080353d556d355e26",
"status": "affected",
"version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
"versionType": "git"
},
{
"status": "affected",
"version": "73f7da507d787b489761a0fa280716f84fa32b2f",
"versionType": "git"
},
{
"status": "affected",
"version": "76a4c6636a69d69409aa253b049b1be717a539c5",
"versionType": "git"
},
{
"status": "affected",
"version": "ccf0ad56a779e6704c0b27f555dec847f50c7557",
"versionType": "git"
},
{
"status": "affected",
"version": "13604b1d7e7b125fb428cddbec6b8d92baad25d5",
"versionType": "git"
},
{
"status": "affected",
"version": "291bb5d931c6f3cd7227b913302a17be21cf53b0",
"versionType": "git"
},
{
"status": "affected",
"version": "f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee",
"versionType": "git"
},
{
"status": "affected",
"version": "6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9",
"versionType": "git"
},
{
"status": "affected",
"version": "1ca69007e52a73bd8b84b988b61b319816ca8b01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/dir.c",
"fs/hfsplus/hfsplus_fs.h",
"fs/hfsplus/unicode.c",
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\n\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x5f0 mm/kasan/report.c:482\n kasan_report+0xca/0x100 mm/kasan/report.c:595\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe0e9fae16d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\n \u003c/TASK\u003e\n\nAllocated by task 14290:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4333 [inline]\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\n kmalloc_noprof include/linux/slab.h:909 [inline]\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\nit actually passes in a struct hfsplus_attr_unistr*.\nThe size of the corresponding structure is different from that of hfsplus_unistr,\nso the previous fix (94458781aee6) is insufficient.\nThe pointer on the unicode buffer is still going beyond the allocated memory.\n\nThis patch introduces two warpper functions hfsplus_uni2asc_xattr_str and\nhfsplus_uni2asc_str to process two unicode buffers,\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\nWhen ustrlen value is bigger than the allocated memory size,\nthe ustrlen value is limited to an safe size."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:45.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e"
},
{
"url": "https://git.kernel.org/stable/c/bea3e1d4467bcf292c8e54f080353d556d355e26"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40082",
"datePublished": "2025-10-28T11:48:45.975Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-10-28T11:48:45.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53368 (GCVE-0-2023-53368)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race issue between cpu buffer write and swap
Warning happened in rb_end_commit() at code:
if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))
WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142
rb_commit+0x402/0x4a0
Call Trace:
ring_buffer_unlock_commit+0x42/0x250
trace_buffer_unlock_commit_regs+0x3b/0x250
trace_event_buffer_commit+0xe5/0x440
trace_event_buffer_reserve+0x11c/0x150
trace_event_raw_event_sched_switch+0x23c/0x2c0
__traceiter_sched_switch+0x59/0x80
__schedule+0x72b/0x1580
schedule+0x92/0x120
worker_thread+0xa0/0x6f0
It is because the race between writing event into cpu buffer and swapping
cpu buffer through file per_cpu/cpu0/snapshot:
Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1
-------- --------
tracing_snapshot_write()
[...]
ring_buffer_lock_reserve()
cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';
[...]
rb_reserve_next_event()
[...]
ring_buffer_swap_cpu()
if (local_read(&cpu_buffer_a->committing))
goto out_dec;
if (local_read(&cpu_buffer_b->committing))
goto out_dec;
buffer_a->buffers[cpu] = cpu_buffer_b;
buffer_b->buffers[cpu] = cpu_buffer_a;
// 2. cpu_buffer has swapped here.
rb_start_commit(cpu_buffer);
if (unlikely(READ_ONCE(cpu_buffer->buffer)
!= buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'
[...] // has not changed here.
return NULL;
}
cpu_buffer_b->buffer = buffer_a;
cpu_buffer_a->buffer = buffer_b;
[...]
// 4. Reserve event from 'cpu_buffer_a'.
ring_buffer_unlock_commit()
[...]
cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!
rb_commit(cpu_buffer)
rb_end_commit() // 6. WARN for the wrong 'committing' state !!!
Based on above analysis, we can easily reproduce by following testcase:
``` bash
#!/bin/bash
dmesg -n 7
sysctl -w kernel.panic_on_warn=1
TR=/sys/kernel/tracing
echo 7 > ${TR}/buffer_size_kb
echo "sched:sched_switch" > ${TR}/set_event
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
```
To fix it, IIUC, we can use smp_call_function_single() to do the swap on
the target cpu where the buffer is located, so that above race would be
avoided.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe Version: f1affcaaa861f27752a769f889bf1486ebd301fe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e037cabc2c2dfc39b3dd9c5b22ea91f995539a",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "6182318ac04648b46db9d441fd7d696337fcdd0b",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "74c85396bd73eca80b96510b4edf93b9a3aff75f",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "89c89da92a60028013f9539be0dcce7e44405a43",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "37ca1b686078b00cc4ffa008e2190615f7709b5d",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
},
{
"lessThan": "3163f635b20e9e1fb4659e74f47918c9dddfe64e",
"status": "affected",
"version": "f1affcaaa861f27752a769f889bf1486ebd301fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(\u0026cpu_buffer-\u003ecommitting)))\n\n WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n Call Trace:\n ring_buffer_unlock_commit+0x42/0x250\n trace_buffer_unlock_commit_regs+0x3b/0x250\n trace_event_buffer_commit+0xe5/0x440\n trace_event_buffer_reserve+0x11c/0x150\n trace_event_raw_event_sched_switch+0x23c/0x2c0\n __traceiter_sched_switch+0x59/0x80\n __schedule+0x72b/0x1580\n schedule+0x92/0x120\n worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n -------- --------\n tracing_snapshot_write()\n [...]\n\n ring_buffer_lock_reserve()\n cpu_buffer = buffer-\u003ebuffers[cpu]; // 1. Suppose find \u0027cpu_buffer_a\u0027;\n [...]\n rb_reserve_next_event()\n [...]\n\n ring_buffer_swap_cpu()\n if (local_read(\u0026cpu_buffer_a-\u003ecommitting))\n goto out_dec;\n if (local_read(\u0026cpu_buffer_b-\u003ecommitting))\n goto out_dec;\n buffer_a-\u003ebuffers[cpu] = cpu_buffer_b;\n buffer_b-\u003ebuffers[cpu] = cpu_buffer_a;\n // 2. cpu_buffer has swapped here.\n\n rb_start_commit(cpu_buffer);\n if (unlikely(READ_ONCE(cpu_buffer-\u003ebuffer)\n != buffer)) { // 3. This check passed due to \u0027cpu_buffer-\u003ebuffer\u0027\n [...] // has not changed here.\n return NULL;\n }\n cpu_buffer_b-\u003ebuffer = buffer_a;\n cpu_buffer_a-\u003ebuffer = buffer_b;\n [...]\n\n // 4. Reserve event from \u0027cpu_buffer_a\u0027.\n\n ring_buffer_unlock_commit()\n [...]\n cpu_buffer = buffer-\u003ebuffers[cpu]; // 5. Now find \u0027cpu_buffer_b\u0027 !!!\n rb_commit(cpu_buffer)\n rb_end_commit() // 6. WARN for the wrong \u0027committing\u0027 state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n ``` bash\n #!/bin/bash\n\n dmesg -n 7\n sysctl -w kernel.panic_on_warn=1\n TR=/sys/kernel/tracing\n echo 7 \u003e ${TR}/buffer_size_kb\n echo \"sched:sched_switch\" \u003e ${TR}/set_event\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:56.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a"
},
{
"url": "https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db"
},
{
"url": "https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b"
},
{
"url": "https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f"
},
{
"url": "https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43"
},
{
"url": "https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d"
},
{
"url": "https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e"
}
],
"title": "tracing: Fix race issue between cpu buffer write and swap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53368",
"datePublished": "2025-09-17T14:56:56.752Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-17T14:56:56.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39679 (GCVE-0-2025-39679)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-09-29 05:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().
When the nvif_vmm_type is invalid, we will return error directly
without freeing the args in nvif_vmm_ctor(), which leading a memory
leak. Fix it by setting the ret -EINVAL and goto done.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvif/vmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72553fe19317fe93cb8591c83095c446bc7fe292",
"status": "affected",
"version": "6b252cf42281045a9f803d2198023500cfa6ebd2",
"versionType": "git"
},
{
"lessThan": "cabcb52d76d3d42f16c344a96e098dd9d18602f8",
"status": "affected",
"version": "6b252cf42281045a9f803d2198023500cfa6ebd2",
"versionType": "git"
},
{
"lessThan": "7d9110e3b35d08832661da1a1fc2d24455981a04",
"status": "affected",
"version": "6b252cf42281045a9f803d2198023500cfa6ebd2",
"versionType": "git"
},
{
"lessThan": "bb8aeaa3191b617c6faf8ae937252e059673b7ea",
"status": "affected",
"version": "6b252cf42281045a9f803d2198023500cfa6ebd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvif/vmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().\n\nWhen the nvif_vmm_type is invalid, we will return error directly\nwithout freeing the args in nvif_vmm_ctor(), which leading a memory\nleak. Fix it by setting the ret -EINVAL and goto done."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:15.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72553fe19317fe93cb8591c83095c446bc7fe292"
},
{
"url": "https://git.kernel.org/stable/c/cabcb52d76d3d42f16c344a96e098dd9d18602f8"
},
{
"url": "https://git.kernel.org/stable/c/7d9110e3b35d08832661da1a1fc2d24455981a04"
},
{
"url": "https://git.kernel.org/stable/c/bb8aeaa3191b617c6faf8ae937252e059673b7ea"
}
],
"title": "drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39679",
"datePublished": "2025-09-05T17:20:45.357Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-09-29T05:57:15.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53659 (GCVE-0-2023-53659)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix out-of-bounds when setting channels on remove
If we set channels greater during iavf_remove(), and waiting reset done
would be timeout, then returned with error but changed num_active_queues
directly, that will lead to OOB like the following logs. Because the
num_active_queues is greater than tx/rx_rings[] allocated actually.
Reproducer:
[root@host ~]# cat repro.sh
#!/bin/bash
pf_dbsf="0000:41:00.0"
vf0_dbsf="0000:41:02.0"
g_pids=()
function do_set_numvf()
{
echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
sleep $((RANDOM%3+1))
echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
sleep $((RANDOM%3+1))
}
function do_set_channel()
{
local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
[ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
ifconfig $nic 192.168.18.5 netmask 255.255.255.0
ifconfig $nic up
ethtool -L $nic combined 1
ethtool -L $nic combined 4
sleep $((RANDOM%3))
}
function on_exit()
{
local pid
for pid in "${g_pids[@]}"; do
kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
done
g_pids=()
}
trap "on_exit; exit" EXIT
while :; do do_set_numvf ; done &
g_pids+=($!)
while :; do do_set_channel ; done &
g_pids+=($!)
wait
Result:
[ 3506.152887] iavf 0000:41:02.0: Removing device
[ 3510.400799] ==================================================================
[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536
[ 3510.400823]
[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
[ 3510.400835] Call Trace:
[ 3510.400851] dump_stack+0x71/0xab
[ 3510.400860] print_address_description+0x6b/0x290
[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400868] kasan_report+0x14a/0x2b0
[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf]
[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf]
[ 3510.400891] ? wait_woken+0x1d0/0x1d0
[ 3510.400895] ? notifier_call_chain+0xc1/0x130
[ 3510.400903] pci_device_remove+0xa8/0x1f0
[ 3510.400910] device_release_driver_internal+0x1c6/0x460
[ 3510.400916] pci_stop_bus_device+0x101/0x150
[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20
[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420
[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10
[ 3510.400929] ? pci_get_subsys+0x90/0x90
[ 3510.400932] sriov_disable+0xed/0x3e0
[ 3510.400936] ? bus_find_device+0x12d/0x1a0
[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e]
[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
[ 3510.400968] ? pci_get_device+0x7c/0x90
[ 3510.400970] ? pci_get_subsys+0x90/0x90
[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210
[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10
[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
[ 3510.401001] sriov_numvfs_store+0x214/0x290
[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30
[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10
[ 3510.401011] ? __check_object_size+0x15a/0x350
[ 3510.401018] kernfs_fop_write+0x280/0x3f0
[ 3510.401022] vfs_write+0x145/0x440
[ 3510.401025] ksys_write+0xab/0x160
[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0
[ 3510.401031] ? fput_many+0x1a/0x120
[ 3510.401032] ? filp_close+0xf0/0x130
[ 3510.401038] do_syscall_64+0xa0/0x370
[ 3510.401041] ? page_fault+0x8/0x30
[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 3510.401073] RIP: 0033:0x7f3a9bb842c0
[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b92defe4e8ee86996c16417ad8c804cb4395fddd",
"status": "affected",
"version": "1555d83ddbb7204ef60c58aee6ca3bbef2c5e99f",
"versionType": "git"
},
{
"lessThan": "0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9",
"status": "affected",
"version": "68d4274034e618b7f190dc9fbfc4f3436a7430f4",
"versionType": "git"
},
{
"lessThan": "6e1d8f1332076a002e6d910d255aa5903d341c56",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
},
{
"lessThan": "65ecebc9ac09427b2c65f271cd5e5bd536c3fe38",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
},
{
"lessThan": "7c4bced3caa749ce468b0c5de711c98476b23a52",
"status": "affected",
"version": "4e5e6b5d9d1334d3490326b6922a2daaf56a867f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix out-of-bounds when setting channels on remove\n\nIf we set channels greater during iavf_remove(), and waiting reset done\nwould be timeout, then returned with error but changed num_active_queues\ndirectly, that will lead to OOB like the following logs. Because the\nnum_active_queues is greater than tx/rx_rings[] allocated actually.\n\nReproducer:\n\n [root@host ~]# cat repro.sh\n #!/bin/bash\n\n pf_dbsf=\"0000:41:00.0\"\n vf0_dbsf=\"0000:41:02.0\"\n g_pids=()\n\n function do_set_numvf()\n {\n echo 2 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n echo 0 \u003e/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n sleep $((RANDOM%3+1))\n }\n\n function do_set_channel()\n {\n local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n [ -z \"$nic\" ] \u0026\u0026 { sleep $((RANDOM%3)) ; return 1; }\n ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n ifconfig $nic up\n ethtool -L $nic combined 1\n ethtool -L $nic combined 4\n sleep $((RANDOM%3))\n }\n\n function on_exit()\n {\n local pid\n for pid in \"${g_pids[@]}\"; do\n kill -0 \"$pid\" \u0026\u003e/dev/null \u0026\u0026 kill \"$pid\" \u0026\u003e/dev/null\n done\n g_pids=()\n }\n\n trap \"on_exit; exit\" EXIT\n\n while :; do do_set_numvf ; done \u0026\n g_pids+=($!)\n while :; do do_set_channel ; done \u0026\n g_pids+=($!)\n\n wait\n\nResult:\n\n[ 3506.152887] iavf 0000:41:02.0: Removing device\n[ 3510.400799] ==================================================================\n[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536\n[ 3510.400823]\n[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1\n[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 3510.400835] Call Trace:\n[ 3510.400851] dump_stack+0x71/0xab\n[ 3510.400860] print_address_description+0x6b/0x290\n[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400868] kasan_report+0x14a/0x2b0\n[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf]\n[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf]\n[ 3510.400891] ? wait_woken+0x1d0/0x1d0\n[ 3510.400895] ? notifier_call_chain+0xc1/0x130\n[ 3510.400903] pci_device_remove+0xa8/0x1f0\n[ 3510.400910] device_release_driver_internal+0x1c6/0x460\n[ 3510.400916] pci_stop_bus_device+0x101/0x150\n[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20\n[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420\n[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10\n[ 3510.400929] ? pci_get_subsys+0x90/0x90\n[ 3510.400932] sriov_disable+0xed/0x3e0\n[ 3510.400936] ? bus_find_device+0x12d/0x1a0\n[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e]\n[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 3510.400968] ? pci_get_device+0x7c/0x90\n[ 3510.400970] ? pci_get_subsys+0x90/0x90\n[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210\n[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 3510.401001] sriov_numvfs_store+0x214/0x290\n[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30\n[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.401011] ? __check_object_size+0x15a/0x350\n[ 3510.401018] kernfs_fop_write+0x280/0x3f0\n[ 3510.401022] vfs_write+0x145/0x440\n[ 3510.401025] ksys_write+0xab/0x160\n[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0\n[ 3510.401031] ? fput_many+0x1a/0x120\n[ 3510.401032] ? filp_close+0xf0/0x130\n[ 3510.401038] do_syscall_64+0xa0/0x370\n[ 3510.401041] ? page_fault+0x8/0x30\n[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 3510.401073] RIP: 0033:0x7f3a9bb842c0\n[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:19.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b92defe4e8ee86996c16417ad8c804cb4395fddd"
},
{
"url": "https://git.kernel.org/stable/c/0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9"
},
{
"url": "https://git.kernel.org/stable/c/6e1d8f1332076a002e6d910d255aa5903d341c56"
},
{
"url": "https://git.kernel.org/stable/c/65ecebc9ac09427b2c65f271cd5e5bd536c3fe38"
},
{
"url": "https://git.kernel.org/stable/c/7c4bced3caa749ce468b0c5de711c98476b23a52"
}
],
"title": "iavf: Fix out-of-bounds when setting channels on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53659",
"datePublished": "2025-10-07T15:21:19.619Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:19.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53147 (GCVE-0-2023-53147)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-15 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: add NULL check in xfrm_update_ae_params
Normally, x->replay_esn and x->preplay_esn should be allocated at
xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
xfrm_update_ae_params(...) is okay to update them. However, the current
implementation of xfrm_new_ae(...) allows a malicious user to directly
dereference a NULL pointer and crash the kernel like below.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
RIP: 0010:memcpy_orig+0xad/0x140
Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
RSP: 0018:ffff888008f57658 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __die+0x1f/0x70
? page_fault_oops+0x1e8/0x500
? __pfx_is_prefetch.constprop.0+0x10/0x10
? __pfx_page_fault_oops+0x10/0x10
? _raw_spin_unlock_irqrestore+0x11/0x40
? fixup_exception+0x36/0x460
? _raw_spin_unlock_irqrestore+0x11/0x40
? exc_page_fault+0x5e/0xc0
? asm_exc_page_fault+0x26/0x30
? xfrm_update_ae_params+0xd1/0x260
? memcpy_orig+0xad/0x140
? __pfx__raw_spin_lock_bh+0x10/0x10
xfrm_update_ae_params+0xe7/0x260
xfrm_new_ae+0x298/0x4e0
? __pfx_xfrm_new_ae+0x10/0x10
? __pfx_xfrm_new_ae+0x10/0x10
xfrm_user_rcv_msg+0x25a/0x410
? __pfx_xfrm_user_rcv_msg+0x10/0x10
? __alloc_skb+0xcf/0x210
? stack_trace_save+0x90/0xd0
? filter_irq_stacks+0x1c/0x70
? __stack_depot_save+0x39/0x4e0
? __kasan_slab_free+0x10a/0x190
? kmem_cache_free+0x9c/0x340
? netlink_recvmsg+0x23c/0x660
? sock_recvmsg+0xeb/0xf0
? __sys_recvfrom+0x13c/0x1f0
? __x64_sys_recvfrom+0x71/0x90
? do_syscall_64+0x3f/0x90
? entry_SYSCALL_64_after_hwframe+0x72/0xdc
? copyout+0x3e/0x50
netlink_rcv_skb+0xd6/0x210
? __pfx_xfrm_user_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? __pfx_sock_has_perm+0x10/0x10
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
xfrm_netlink_rcv+0x44/0x50
netlink_unicast+0x36f/0x4c0
? __pfx_netlink_unicast+0x10/0x10
? netlink_recvmsg+0x500/0x660
netlink_sendmsg+0x3b7/0x700
This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
adds additional NULL check in xfrm_update_ae_params to fix the NPD.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f Version: d8647b79c3b7e223ac051439d165bc8e7bbb832f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed1cba039309c80b49719fcff3e3d7cdddb73d96",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "44f69c96f8a147413c23c68cda4d6fb5e23137cd",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "8046beb890ebc83c5820188c650073e1c6066e67",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "bd30aa9c7febb6e709670cd5154194189ca3b7b5",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "075448a2eb753f813fe873cfa52853e9fef8eedb",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "87b655f4936b6fc01f3658aa88a22c923b379ebd",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "53df4be4f5221e90dc7aa9ce745a9a21bb7024f4",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
},
{
"lessThan": "00374d9b6d9f932802b55181be9831aa948e5b7c",
"status": "affected",
"version": "d8647b79c3b7e223ac051439d165bc8e7bbb832f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: add NULL check in xfrm_update_ae_params\n\nNormally, x-\u003ereplay_esn and x-\u003epreplay_esn should be allocated at\nxfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the\nxfrm_update_ae_params(...) is okay to update them. However, the current\nimplementation of xfrm_new_ae(...) allows a malicious user to directly\ndereference a NULL pointer and crash the kernel like below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4\nRIP: 0010:memcpy_orig+0xad/0x140\nCode: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c\nRSP: 0018:ffff888008f57658 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571\nRDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818\nR13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000\nFS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x1f/0x70\n ? page_fault_oops+0x1e8/0x500\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? fixup_exception+0x36/0x460\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? exc_page_fault+0x5e/0xc0\n ? asm_exc_page_fault+0x26/0x30\n ? xfrm_update_ae_params+0xd1/0x260\n ? memcpy_orig+0xad/0x140\n ? __pfx__raw_spin_lock_bh+0x10/0x10\n xfrm_update_ae_params+0xe7/0x260\n xfrm_new_ae+0x298/0x4e0\n ? __pfx_xfrm_new_ae+0x10/0x10\n ? __pfx_xfrm_new_ae+0x10/0x10\n xfrm_user_rcv_msg+0x25a/0x410\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __alloc_skb+0xcf/0x210\n ? stack_trace_save+0x90/0xd0\n ? filter_irq_stacks+0x1c/0x70\n ? __stack_depot_save+0x39/0x4e0\n ? __kasan_slab_free+0x10a/0x190\n ? kmem_cache_free+0x9c/0x340\n ? netlink_recvmsg+0x23c/0x660\n ? sock_recvmsg+0xeb/0xf0\n ? __sys_recvfrom+0x13c/0x1f0\n ? __x64_sys_recvfrom+0x71/0x90\n ? do_syscall_64+0x3f/0x90\n ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n ? copyout+0x3e/0x50\n netlink_rcv_skb+0xd6/0x210\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __pfx_netlink_rcv_skb+0x10/0x10\n ? __pfx_sock_has_perm+0x10/0x10\n ? mutex_lock+0x8d/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n xfrm_netlink_rcv+0x44/0x50\n netlink_unicast+0x36f/0x4c0\n ? __pfx_netlink_unicast+0x10/0x10\n ? netlink_recvmsg+0x500/0x660\n netlink_sendmsg+0x3b7/0x700\n\nThis Null-ptr-deref bug is assigned CVE-2023-3772. And this commit\nadds additional NULL check in xfrm_update_ae_params to fix the NPD."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:08.937Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed1cba039309c80b49719fcff3e3d7cdddb73d96"
},
{
"url": "https://git.kernel.org/stable/c/44f69c96f8a147413c23c68cda4d6fb5e23137cd"
},
{
"url": "https://git.kernel.org/stable/c/8046beb890ebc83c5820188c650073e1c6066e67"
},
{
"url": "https://git.kernel.org/stable/c/bd30aa9c7febb6e709670cd5154194189ca3b7b5"
},
{
"url": "https://git.kernel.org/stable/c/075448a2eb753f813fe873cfa52853e9fef8eedb"
},
{
"url": "https://git.kernel.org/stable/c/87b655f4936b6fc01f3658aa88a22c923b379ebd"
},
{
"url": "https://git.kernel.org/stable/c/53df4be4f5221e90dc7aa9ce745a9a21bb7024f4"
},
{
"url": "https://git.kernel.org/stable/c/00374d9b6d9f932802b55181be9831aa948e5b7c"
}
],
"title": "xfrm: add NULL check in xfrm_update_ae_params",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53147",
"datePublished": "2025-09-15T14:03:08.937Z",
"dateReserved": "2025-05-02T15:51:43.565Z",
"dateUpdated": "2025-09-15T14:03:08.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53210 (GCVE-0-2023-53210)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()
r5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is
empty, and then submit 'flush_bio', however, r5l_log_flush_endio()
is clearing the list first and then clear the bio, which will cause
null-ptr-deref:
T1: submit flush io
raid5d
handle_active_stripes
r5l_flush_stripe_to_raid
// list is empty
// add 'io_end_ios' to the list
bio_init
submit_bio
// io1
T2: io1 is done
r5l_log_flush_endio
list_splice_tail_init
// clear the list
T3: submit new flush io
...
r5l_flush_stripe_to_raid
// list is empty
// add 'io_end_ios' to the list
bio_init
bio_uninit
// clear bio->bi_blkg
submit_bio
// null-ptr-deref
Fix this problem by clearing bio before clearing the list in
r5l_log_flush_endio().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "711fb92606208a8626b785da4f9f23d648a5b6c8",
"status": "affected",
"version": "0dd00cba99c352dc9afd62979f350d808c215cb9",
"versionType": "git"
},
{
"lessThan": "7a8b6d93991bf4b72b3f959baea35397c6c8e521",
"status": "affected",
"version": "0dd00cba99c352dc9afd62979f350d808c215cb9",
"versionType": "git"
},
{
"lessThan": "e46b2e7be8059d156af8c011dd8d665229b65886",
"status": "affected",
"version": "0dd00cba99c352dc9afd62979f350d808c215cb9",
"versionType": "git"
},
{
"lessThan": "0d0bd28c500173bfca78aa840f8f36d261ef1765",
"status": "affected",
"version": "0dd00cba99c352dc9afd62979f350d808c215cb9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()\n\nr5l_flush_stripe_to_raid() will check if the list \u0027flushing_ios\u0027 is\nempty, and then submit \u0027flush_bio\u0027, however, r5l_log_flush_endio()\nis clearing the list first and then clear the bio, which will cause\nnull-ptr-deref:\n\nT1: submit flush io\nraid5d\n handle_active_stripes\n r5l_flush_stripe_to_raid\n // list is empty\n // add \u0027io_end_ios\u0027 to the list\n bio_init\n submit_bio\n // io1\n\nT2: io1 is done\nr5l_log_flush_endio\n list_splice_tail_init\n // clear the list\n\t\t\tT3: submit new flush io\n\t\t\t...\n\t\t\tr5l_flush_stripe_to_raid\n\t\t\t // list is empty\n\t\t\t // add \u0027io_end_ios\u0027 to the list\n\t\t\t bio_init\n bio_uninit\n // clear bio-\u003ebi_blkg\n\t\t\t submit_bio\n\t\t\t // null-ptr-deref\n\nFix this problem by clearing bio before clearing the list in\nr5l_log_flush_endio()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:38.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/711fb92606208a8626b785da4f9f23d648a5b6c8"
},
{
"url": "https://git.kernel.org/stable/c/7a8b6d93991bf4b72b3f959baea35397c6c8e521"
},
{
"url": "https://git.kernel.org/stable/c/e46b2e7be8059d156af8c011dd8d665229b65886"
},
{
"url": "https://git.kernel.org/stable/c/0d0bd28c500173bfca78aa840f8f36d261ef1765"
}
],
"title": "md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53210",
"datePublished": "2025-09-15T14:21:38.534Z",
"dateReserved": "2025-09-15T13:59:19.069Z",
"dateUpdated": "2025-09-15T14:21:38.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50564 (GCVE-0-2022-50564)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/netiucv: Fix return type of netiucv_tx()
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = netiucv_tx,
^~~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Additionally, while in the area, remove a comment block that is no
longer relevant.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/netiucv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f13d870fce90f01cf930bfaffecc8185ae0be21c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eccc88c0efe407e579291792ad07a7dedc0f63f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85d392710275355425df8618ccbebbc336f5acc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bee3c75d5bf7c2b5dc0b520410eb40449e5da31",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ac0217ca9186c2f9af9a0113a331a42aa847894",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dfbf0122ea1b9b3e73fa22c8ff6bd888935c54fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e7a849f740e3576e79cba403697e916f4c3a6f12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d034fa43af92fc46a81d882f46d9cc3e4ffdbbcc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/netiucv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/netiucv: Fix return type of netiucv_tx()\n\nWith clang\u0027s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing \u0027netdev_tx_t (*)(struct sk_buff *, struct net_device *)\u0027 (aka \u0027enum netdev_tx (*)(struct sk_buff *, struct net_device *)\u0027) with an expression of type \u0027int (struct sk_buff *, struct net_device *)\u0027 [-Werror,-Wincompatible-function-pointer-types-strict]\n .ndo_start_xmit = netiucv_tx,\n ^~~~~~~~~~\n\n-\u003endo_start_xmit() in \u0027struct net_device_ops\u0027 expects a return type of\n\u0027netdev_tx_t\u0027, not \u0027int\u0027. Adjust the return type of netiucv_tx() to\nmatch the prototype\u0027s to resolve the warning and potential CFI failure,\nshould s390 select ARCH_SUPPORTS_CFI_CLANG in the future.\n\nAdditionally, while in the area, remove a comment block that is no\nlonger relevant."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:22.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f13d870fce90f01cf930bfaffecc8185ae0be21c"
},
{
"url": "https://git.kernel.org/stable/c/eccc88c0efe407e579291792ad07a7dedc0f63f0"
},
{
"url": "https://git.kernel.org/stable/c/85d392710275355425df8618ccbebbc336f5acc5"
},
{
"url": "https://git.kernel.org/stable/c/4bee3c75d5bf7c2b5dc0b520410eb40449e5da31"
},
{
"url": "https://git.kernel.org/stable/c/3ac0217ca9186c2f9af9a0113a331a42aa847894"
},
{
"url": "https://git.kernel.org/stable/c/dfbf0122ea1b9b3e73fa22c8ff6bd888935c54fc"
},
{
"url": "https://git.kernel.org/stable/c/e7a849f740e3576e79cba403697e916f4c3a6f12"
},
{
"url": "https://git.kernel.org/stable/c/d034fa43af92fc46a81d882f46d9cc3e4ffdbbcc"
},
{
"url": "https://git.kernel.org/stable/c/88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be"
}
],
"title": "s390/netiucv: Fix return type of netiucv_tx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50564",
"datePublished": "2025-10-22T13:23:22.703Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:22.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39853 (GCVE-0-2025-39853)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix potential invalid access when MAC list is empty
list_first_entry() never returns NULL - if the list is empty, it still
returns a pointer to an invalid object, leading to potential invalid
memory access when dereferenced.
Fix this by using list_first_entry_or_null instead of list_first_entry.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 Version: e3219ce6a775468368fb270fae3eb82a6787b436 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:09.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "971feafe157afac443027acdc235badc6838560b",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "3c6fb929afa313d9d11f780451d113f73922fe5d",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "1eadabcf5623f1237a539b16586b4ed8ac8dffcd",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "e2a5e74879f9b494bbd66fa93f355feacde450c7",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "fb216d980fae6561c7c70af8ef826faf059c6515",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "9c21fc4cebd44dd21016c61261a683af390343f8",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
},
{
"lessThan": "a556f06338e1d5a85af0e32ecb46e365547f92b9",
"status": "affected",
"version": "e3219ce6a775468368fb270fae3eb82a6787b436",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:05.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/971feafe157afac443027acdc235badc6838560b"
},
{
"url": "https://git.kernel.org/stable/c/3c6fb929afa313d9d11f780451d113f73922fe5d"
},
{
"url": "https://git.kernel.org/stable/c/1eadabcf5623f1237a539b16586b4ed8ac8dffcd"
},
{
"url": "https://git.kernel.org/stable/c/e2a5e74879f9b494bbd66fa93f355feacde450c7"
},
{
"url": "https://git.kernel.org/stable/c/fb216d980fae6561c7c70af8ef826faf059c6515"
},
{
"url": "https://git.kernel.org/stable/c/66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf"
},
{
"url": "https://git.kernel.org/stable/c/9c21fc4cebd44dd21016c61261a683af390343f8"
},
{
"url": "https://git.kernel.org/stable/c/a556f06338e1d5a85af0e32ecb46e365547f92b9"
}
],
"title": "i40e: Fix potential invalid access when MAC list is empty",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39853",
"datePublished": "2025-09-19T15:26:25.101Z",
"dateReserved": "2025-04-16T07:20:57.142Z",
"dateUpdated": "2025-11-03T17:44:09.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53303 (GCVE-0-2023-53303)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: microchip: vcap api: Fix possible memory leak for vcap_dup_rule()
Inject fault When select CONFIG_VCAP_KUNIT_TEST, the below memory leak
occurs. If kzalloc() for duprule succeeds, but the following
kmemdup() fails, the duprule, ckf and caf memory will be leaked. So kfree
them in the error path.
unreferenced object 0xffff122744c50600 (size 192):
comm "kunit_try_catch", pid 346, jiffies 4294896122 (age 911.812s)
hex dump (first 32 bytes):
10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,...
00 00 00 00 00 00 00 00 18 06 c5 44 27 12 ff ff ...........D'...
backtrace:
[<00000000394b0db8>] __kmem_cache_alloc_node+0x274/0x2f8
[<0000000001bedc67>] kmalloc_trace+0x38/0x88
[<00000000b0612f98>] vcap_dup_rule+0x50/0x460
[<000000005d2d3aca>] vcap_add_rule+0x8cc/0x1038
[<00000000eef9d0f8>] test_vcap_xn_rule_creator.constprop.0.isra.0+0x238/0x494
[<00000000cbda607b>] vcap_api_rule_remove_in_front_test+0x1ac/0x698
[<00000000c8766299>] kunit_try_run_case+0xe0/0x20c
[<00000000c4fe9186>] kunit_generic_run_threadfn_adapter+0x50/0x94
[<00000000f6864acf>] kthread+0x2e8/0x374
[<0000000022e639b3>] ret_from_fork+0x10/0x20
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/vcap/vcap_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a26ba60413b2c8f95daf0ee0152cf82abd7bfbe4",
"status": "affected",
"version": "814e7693207f1bd936d600f9b5467f133e3d6e40",
"versionType": "git"
},
{
"lessThan": "281f65d29d6da1a9b6907fb0b145aaf34f4e4822",
"status": "affected",
"version": "814e7693207f1bd936d600f9b5467f133e3d6e40",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/vcap/vcap_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: vcap api: Fix possible memory leak for vcap_dup_rule()\n\nInject fault When select CONFIG_VCAP_KUNIT_TEST, the below memory leak\noccurs. If kzalloc() for duprule succeeds, but the following\nkmemdup() fails, the duprule, ckf and caf memory will be leaked. So kfree\nthem in the error path.\n\nunreferenced object 0xffff122744c50600 (size 192):\n comm \"kunit_try_catch\", pid 346, jiffies 4294896122 (age 911.812s)\n hex dump (first 32 bytes):\n 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .\u0027..........,...\n 00 00 00 00 00 00 00 00 18 06 c5 44 27 12 ff ff ...........D\u0027...\n backtrace:\n [\u003c00000000394b0db8\u003e] __kmem_cache_alloc_node+0x274/0x2f8\n [\u003c0000000001bedc67\u003e] kmalloc_trace+0x38/0x88\n [\u003c00000000b0612f98\u003e] vcap_dup_rule+0x50/0x460\n [\u003c000000005d2d3aca\u003e] vcap_add_rule+0x8cc/0x1038\n [\u003c00000000eef9d0f8\u003e] test_vcap_xn_rule_creator.constprop.0.isra.0+0x238/0x494\n [\u003c00000000cbda607b\u003e] vcap_api_rule_remove_in_front_test+0x1ac/0x698\n [\u003c00000000c8766299\u003e] kunit_try_run_case+0xe0/0x20c\n [\u003c00000000c4fe9186\u003e] kunit_generic_run_threadfn_adapter+0x50/0x94\n [\u003c00000000f6864acf\u003e] kthread+0x2e8/0x374\n [\u003c0000000022e639b3\u003e] ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:33.842Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a26ba60413b2c8f95daf0ee0152cf82abd7bfbe4"
},
{
"url": "https://git.kernel.org/stable/c/281f65d29d6da1a9b6907fb0b145aaf34f4e4822"
}
],
"title": "net: microchip: vcap api: Fix possible memory leak for vcap_dup_rule()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53303",
"datePublished": "2025-09-16T08:11:33.842Z",
"dateReserved": "2025-09-16T08:09:37.994Z",
"dateUpdated": "2025-09-16T08:11:33.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53488 (GCVE-0-2023-53488)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix possible panic during hotplug remove
During hotplug remove it is possible that the update counters work
might be pending, and may run after memory has been freed.
Cancel the update counters work before freeing memory.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e72f33ddfdb69cb21c1b59d31bbd3498d31b14a",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "bfd727ad8411995218f336ead9f2becfde7f3a89",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "c2145b18740c7e697748e4005ce93a5c683c86a8",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "33c677d1e087e437c7dcaad8d73402cf6add282e",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "918c1e6843b7e81d0e5cf7994f41f28dc34c98b0",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "ac6640f4193d0f5b44269a7f08372909f9a18e5c",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "d32a5e9b825d40c08a43dfbcba007159fed41a5d",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "4fdfaef71fced490835145631a795497646f4555",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix possible panic during hotplug remove\n\nDuring hotplug remove it is possible that the update counters work\nmight be pending, and may run after memory has been freed.\nCancel the update counters work before freeing memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:40.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e72f33ddfdb69cb21c1b59d31bbd3498d31b14a"
},
{
"url": "https://git.kernel.org/stable/c/bfd727ad8411995218f336ead9f2becfde7f3a89"
},
{
"url": "https://git.kernel.org/stable/c/c2145b18740c7e697748e4005ce93a5c683c86a8"
},
{
"url": "https://git.kernel.org/stable/c/33c677d1e087e437c7dcaad8d73402cf6add282e"
},
{
"url": "https://git.kernel.org/stable/c/918c1e6843b7e81d0e5cf7994f41f28dc34c98b0"
},
{
"url": "https://git.kernel.org/stable/c/ac6640f4193d0f5b44269a7f08372909f9a18e5c"
},
{
"url": "https://git.kernel.org/stable/c/d32a5e9b825d40c08a43dfbcba007159fed41a5d"
},
{
"url": "https://git.kernel.org/stable/c/4fdfaef71fced490835145631a795497646f4555"
}
],
"title": "IB/hfi1: Fix possible panic during hotplug remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53488",
"datePublished": "2025-10-01T11:45:40.546Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2025-10-01T11:45:40.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53709 (GCVE-0-2023-53709)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Handle race between rb_move_tail and rb_check_pages
It seems a data race between ring_buffer writing and integrity check.
That is, RB_FLAG of head_page is been updating, while at same time
RB_FLAG was cleared when doing integrity check rb_check_pages():
rb_check_pages() rb_handle_head_page():
-------- --------
rb_head_page_deactivate()
rb_head_page_set_normal()
rb_head_page_activate()
We do intergrity test of the list to check if the list is corrupted and
it is still worth doing it. So, let's refactor rb_check_pages() such that
we no longer clear and set flag during the list sanity checking.
[1] and [2] are the test to reproduce and the crash report respectively.
1:
``` read_trace.sh
while true;
do
# the "trace" file is closed after read
head -1 /sys/kernel/tracing/trace > /dev/null
done
```
``` repro.sh
sysctl -w kernel.panic_on_warn=1
# function tracer will writing enough data into ring_buffer
echo function > /sys/kernel/tracing/current_tracer
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
./read_trace.sh &
```
2:
------------[ cut here ]------------
WARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653
rb_move_tail+0x450/0x470
Modules linked in:
CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:rb_move_tail+0x450/0x470
Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24
83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83
f8 02 0f 84 ce fb ff ff e9 db
RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203
RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18
RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400
RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2
R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000
R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108
FS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0
Call Trace:
<TASK>
ring_buffer_lock_reserve+0x136/0x360
? __do_softirq+0x287/0x2df
? __pfx_rcu_softirq_qs+0x10/0x10
trace_function+0x21/0x110
? __pfx_rcu_softirq_qs+0x10/0x10
? __do_softirq+0x287/0x2df
function_trace_call+0xf6/0x120
0xffffffffc038f097
? rcu_softirq_qs+0x5/0x140
rcu_softirq_qs+0x5/0x140
__do_softirq+0x287/0x2df
run_ksoftirqd+0x2a/0x30
smpboot_thread_fn+0x188/0x220
? __pfx_smpboot_thread_fn+0x10/0x10
kthread+0xe7/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
---[ end trace 0000000000000000 ]---
[ crash report and test reproducer credit goes to Zheng Yejian]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e02a43acd0691791df79ce538f2dd497a6c9b76",
"status": "affected",
"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76",
"versionType": "git"
},
{
"lessThan": "d41db100bc386b9433a3fc87026f5e8b453653e3",
"status": "affected",
"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76",
"versionType": "git"
},
{
"lessThan": "9674390ac540ed06768e3fbc2dba553929fbd736",
"status": "affected",
"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76",
"versionType": "git"
},
{
"lessThan": "09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013",
"status": "affected",
"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76",
"versionType": "git"
},
{
"lessThan": "8843e06f67b14f71c044bf6267b2387784c7e198",
"status": "affected",
"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Handle race between rb_move_tail and rb_check_pages\n\nIt seems a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is been updating, while at same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\n\n rb_check_pages() rb_handle_head_page():\n -------- --------\n rb_head_page_deactivate()\n rb_head_page_set_normal()\n rb_head_page_activate()\n\nWe do intergrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let\u0027s refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n\n[1] and [2] are the test to reproduce and the crash report respectively.\n\n1:\n``` read_trace.sh\n while true;\n do\n # the \"trace\" file is closed after read\n head -1 /sys/kernel/tracing/trace \u003e /dev/null\n done\n```\n``` repro.sh\n sysctl -w kernel.panic_on_warn=1\n # function tracer will writing enough data into ring_buffer\n echo function \u003e /sys/kernel/tracing/current_tracer\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n ./read_trace.sh \u0026\n```\n\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 \u003c0f\u003e 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n \u003cTASK\u003e\n ring_buffer_lock_reserve+0x136/0x360\n ? __do_softirq+0x287/0x2df\n ? __pfx_rcu_softirq_qs+0x10/0x10\n trace_function+0x21/0x110\n ? __pfx_rcu_softirq_qs+0x10/0x10\n ? __do_softirq+0x287/0x2df\n function_trace_call+0xf6/0x120\n 0xffffffffc038f097\n ? rcu_softirq_qs+0x5/0x140\n rcu_softirq_qs+0x5/0x140\n __do_softirq+0x287/0x2df\n run_ksoftirqd+0x2a/0x30\n smpboot_thread_fn+0x188/0x220\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0xe7/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n \u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\n[ crash report and test reproducer credit goes to Zheng Yejian]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:45.155Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e02a43acd0691791df79ce538f2dd497a6c9b76"
},
{
"url": "https://git.kernel.org/stable/c/d41db100bc386b9433a3fc87026f5e8b453653e3"
},
{
"url": "https://git.kernel.org/stable/c/9674390ac540ed06768e3fbc2dba553929fbd736"
},
{
"url": "https://git.kernel.org/stable/c/09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013"
},
{
"url": "https://git.kernel.org/stable/c/8843e06f67b14f71c044bf6267b2387784c7e198"
}
],
"title": "ring-buffer: Handle race between rb_move_tail and rb_check_pages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53709",
"datePublished": "2025-10-22T13:23:45.155Z",
"dateReserved": "2025-10-22T13:21:37.346Z",
"dateUpdated": "2025-10-22T13:23:45.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38725 (GCVE-0-2025-38725)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix_devices: add phy_mask for ax88772 mdio bus
Without setting phy_mask for ax88772 mdio bus, current driver may create
at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.
DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy
device will bind to net phy driver. This is creating issue during system
suspend/resume since phy_polling_mode() in phy_state_machine() will
directly deference member of phydev->drv for non-main phy devices. Then
NULL pointer dereference issue will occur. Due to only external phy or
internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud
the issue.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f Version: e532a096be0e5e570b383e71d4560e7f04384e0f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:54.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75947d3200de98a9ded9ad8972e02f1a177097fe",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "59ed6fbdb1bc03316e09493ffde7066f031c7524",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "ccef5ee4adf56472aa26bdd1f821a6d0cd06089a",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "ee2cd40b0bb46056949a2319084a729d95389386",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "a754ab53993b1585132e871c5d811167ad3c52ff",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "ad1f8313aeec0115f9978bd2d002ef4a8d96c773",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
},
{
"lessThan": "4faff70959d51078f9ee8372f8cff0d7045e4114",
"status": "affected",
"version": "e532a096be0e5e570b383e71d4560e7f04384e0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: add phy_mask for ax88772 mdio bus\n\nWithout setting phy_mask for ax88772 mdio bus, current driver may create\nat most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.\nDLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy\ndevice will bind to net phy driver. This is creating issue during system\nsuspend/resume since phy_polling_mode() in phy_state_machine() will\ndirectly deference member of phydev-\u003edrv for non-main phy devices. Then\nNULL pointer dereference issue will occur. Due to only external phy or\ninternal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud\nthe issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:51.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75947d3200de98a9ded9ad8972e02f1a177097fe"
},
{
"url": "https://git.kernel.org/stable/c/59ed6fbdb1bc03316e09493ffde7066f031c7524"
},
{
"url": "https://git.kernel.org/stable/c/ccef5ee4adf56472aa26bdd1f821a6d0cd06089a"
},
{
"url": "https://git.kernel.org/stable/c/ee2cd40b0bb46056949a2319084a729d95389386"
},
{
"url": "https://git.kernel.org/stable/c/a754ab53993b1585132e871c5d811167ad3c52ff"
},
{
"url": "https://git.kernel.org/stable/c/ad1f8313aeec0115f9978bd2d002ef4a8d96c773"
},
{
"url": "https://git.kernel.org/stable/c/4faff70959d51078f9ee8372f8cff0d7045e4114"
}
],
"title": "net: usb: asix_devices: add phy_mask for ax88772 mdio bus",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38725",
"datePublished": "2025-09-04T15:33:23.468Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:54.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40005 (GCVE-0-2025-40005)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: Implement refcount to handle unbind during busy
driver support indirect read and indirect write operation with
assumption no force device removal(unbind) operation. However
force device removal(removal) is still available to root superuser.
Unbinding driver during operation causes kernel crash. This changes
ensure driver able to handle such operation for indirect read and
indirect write by implementing refcount to track attached devices
to the controller and gracefully wait and until attached devices
remove operation completed before proceed with removal operation.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7ec8a2b094a33d0464958c2cbf75b8f229098b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7446284023e8ef694fb392348185349c773eefb3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Implement refcount to handle unbind during busy\n\ndriver support indirect read and indirect write operation with\nassumption no force device removal(unbind) operation. However\nforce device removal(removal) is still available to root superuser.\n\nUnbinding driver during operation causes kernel crash. This changes\nensure driver able to handle such operation for indirect read and\nindirect write by implementing refcount to track attached devices\nto the controller and gracefully wait and until attached devices\nremove operation completed before proceed with removal operation."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:52.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0"
},
{
"url": "https://git.kernel.org/stable/c/7446284023e8ef694fb392348185349c773eefb3"
}
],
"title": "spi: cadence-quadspi: Implement refcount to handle unbind during busy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40005",
"datePublished": "2025-10-20T15:26:52.315Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:52.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53364 (GCVE-0-2023-53364)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: da9063: better fix null deref with partial DT
Two versions of the original patch were sent but V1 was merged instead
of V2 due to a mistake.
So update to V2.
The advantage of V2 is that it completely avoids dereferencing the pointer,
even just to take the address, which may fix problems with some compilers.
Both versions work on my gcc 9.4 but use the safer one.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa402a3b553bd4829f4504058d53b0351c66c9d4",
"status": "affected",
"version": "04a025b17d83d07924e5e32508c72536ab8f42d9",
"versionType": "git"
},
{
"lessThan": "30c694fd4a99fbbc4115d180156ca01b60953371",
"status": "affected",
"version": "98e2dd5f7a8be5cb2501a897e96910393a49f0ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.4.12",
"status": "affected",
"version": "6.4.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: better fix null deref with partial DT\n\nTwo versions of the original patch were sent but V1 was merged instead\nof V2 due to a mistake.\n\nSo update to V2.\n\nThe advantage of V2 is that it completely avoids dereferencing the pointer,\neven just to take the address, which may fix problems with some compilers.\nBoth versions work on my gcc 9.4 but use the safer one."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:53.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa402a3b553bd4829f4504058d53b0351c66c9d4"
},
{
"url": "https://git.kernel.org/stable/c/30c694fd4a99fbbc4115d180156ca01b60953371"
}
],
"title": "regulator: da9063: better fix null deref with partial DT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53364",
"datePublished": "2025-09-17T14:56:53.120Z",
"dateReserved": "2025-09-17T14:54:09.733Z",
"dateUpdated": "2025-09-17T14:56:53.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38177 (GCVE-0-2025-38177)
Vulnerability from cvelistv5
Published
2025-07-04 12:47
Modified
2025-11-03 19:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: make hfsc_qlen_notify() idempotent
hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:
1. update_vf() decreases cl->cl_nactive, so we can check whether it is
non-zero before calling it.
2. eltree_remove() always removes RB node cl->el_node, but we can use
RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:58:30.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a5fd5c2f4d4afdd5e405083ee53e0789ce76956",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72c61ffbeeb8c50f6d4d70c65d3283aa1bac57a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5efc95a33bd4fcb879250852828cc58c7862970",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9030a91235ae4845ec71902c3e0cecfc9ed1f2df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d06476714d2819b550e0cc39222347e2c8941c9d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c1175c4ad01dbc9c979d099861fa90a754f72059",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51eb3b65544c9efd6a1026889ee5fb5aa62da3bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: make hfsc_qlen_notify() idempotent\n\nhfsc_qlen_notify() is not idempotent either and not friendly\nto its callers, like fq_codel_dequeue(). Let\u0027s make it idempotent\nto ease qdisc_tree_reduce_backlog() callers\u0027 life:\n\n1. update_vf() decreases cl-\u003ecl_nactive, so we can check whether it is\nnon-zero before calling it.\n\n2. eltree_remove() always removes RB node cl-\u003eel_node, but we can use\n RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:42:59.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a5fd5c2f4d4afdd5e405083ee53e0789ce76956"
},
{
"url": "https://git.kernel.org/stable/c/72c61ffbeeb8c50f6d4d70c65d3283aa1bac57a7"
},
{
"url": "https://git.kernel.org/stable/c/a5efc95a33bd4fcb879250852828cc58c7862970"
},
{
"url": "https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87"
},
{
"url": "https://git.kernel.org/stable/c/9030a91235ae4845ec71902c3e0cecfc9ed1f2df"
},
{
"url": "https://git.kernel.org/stable/c/d06476714d2819b550e0cc39222347e2c8941c9d"
},
{
"url": "https://git.kernel.org/stable/c/c1175c4ad01dbc9c979d099861fa90a754f72059"
},
{
"url": "https://git.kernel.org/stable/c/51eb3b65544c9efd6a1026889ee5fb5aa62da3bb"
}
],
"title": "sch_hfsc: make hfsc_qlen_notify() idempotent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38177",
"datePublished": "2025-07-04T12:47:09.127Z",
"dateReserved": "2025-04-16T04:51:23.992Z",
"dateUpdated": "2025-11-03T19:58:30.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50512 (GCVE-0-2022-50512)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix potential memory leak in ext4_fc_record_regions()
As krealloc may return NULL, in this case 'state->fc_regions' may not be
freed by krealloc, but 'state->fc_regions' already set NULL. Then will
lead to 'state->fc_regions' memory leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cfb769d60a2a57eb3566765428b6131cd16dcfe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "417b0455a0b6d0f60a2930592731d1f8340e24be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4058b869e6c5e517c79e30532a350d0f3115c3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "518566e71ad86b7c2f1bf6d9caee9588bb7ac158",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7069d105c1f15c442b68af43f7fde784f3126739",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_regions()\n\nAs krealloc may return NULL, in this case \u0027state-\u003efc_regions\u0027 may not be\nfreed by krealloc, but \u0027state-\u003efc_regions\u0027 already set NULL. Then will\nlead to \u0027state-\u003efc_regions\u0027 memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:08.854Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cfb769d60a2a57eb3566765428b6131cd16dcfe"
},
{
"url": "https://git.kernel.org/stable/c/417b0455a0b6d0f60a2930592731d1f8340e24be"
},
{
"url": "https://git.kernel.org/stable/c/a4058b869e6c5e517c79e30532a350d0f3115c3e"
},
{
"url": "https://git.kernel.org/stable/c/518566e71ad86b7c2f1bf6d9caee9588bb7ac158"
},
{
"url": "https://git.kernel.org/stable/c/7069d105c1f15c442b68af43f7fde784f3126739"
}
],
"title": "ext4: fix potential memory leak in ext4_fc_record_regions()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50512",
"datePublished": "2025-10-07T15:19:08.854Z",
"dateReserved": "2025-10-07T15:14:58.491Z",
"dateUpdated": "2025-10-07T15:19:08.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50566 (GCVE-0-2022-50566)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: Fix device name leak when register device failed in add_mtd_device()
There is a kmemleak when register device failed:
unreferenced object 0xffff888101aab550 (size 8):
comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s)
hex dump (first 8 bytes):
6d 74 64 30 00 88 ff ff mtd0....
backtrace:
[<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150
[<000000003c32b416>] kvasprintf+0xb0/0x130
[<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0
[<000000006e781163>] dev_set_name+0xab/0xe0
[<00000000e30d0c78>] add_mtd_device+0x4bb/0x700
[<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0
[<00000000c0d88488>] 0xffffffffa0238457
[<00000000b40d0922>] 0xffffffffa02a008f
[<0000000023d17b9d>] do_one_initcall+0x87/0x2a0
[<00000000770f6ca6>] do_init_module+0xdf/0x320
[<000000007b6768fe>] load_module+0x2f98/0x3330
[<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0
[<00000000674c2290>] do_syscall_64+0x35/0x80
[<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
If register device failed, should call put_device() to give up the
reference.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 Version: 1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdcore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a75f45afa932bfb24a2603ebcea5efd2e7cdcfd6",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "2302e2dc42b1f84f951c725ce742fc21c5a1e151",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "db07fe76df01f40cb897d6e9066b84e46957beb3",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "fa0d32ab8407d7481450c664fd0de64f2dae9489",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "330bc5533e8a8ed69cb951d5a8edce9bddb9db21",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "71212d73184845c944ef1b43f092e643e5bde003",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "1b172fb05d6315ecec082fd7544a3390e96f0d7e",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "bcabe1dc2a344adbb3382930a23e273ba9382277",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
},
{
"lessThan": "895d68a39481a75c680aa421546931fb11942fa6",
"status": "affected",
"version": "1f24b5a8ecbb2a3c7080f418974d40e3ffedb221",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdcore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix device name leak when register device failed in add_mtd_device()\n\nThere is a kmemleak when register device failed:\n unreferenced object 0xffff888101aab550 (size 8):\n comm \"insmod\", pid 3922, jiffies 4295277753 (age 925.408s)\n hex dump (first 8 bytes):\n 6d 74 64 30 00 88 ff ff mtd0....\n backtrace:\n [\u003c00000000bde26724\u003e] __kmalloc_node_track_caller+0x4e/0x150\n [\u003c000000003c32b416\u003e] kvasprintf+0xb0/0x130\n [\u003c000000001f7a8f15\u003e] kobject_set_name_vargs+0x2f/0xb0\n [\u003c000000006e781163\u003e] dev_set_name+0xab/0xe0\n [\u003c00000000e30d0c78\u003e] add_mtd_device+0x4bb/0x700\n [\u003c00000000f3d34de7\u003e] mtd_device_parse_register+0x2ac/0x3f0\n [\u003c00000000c0d88488\u003e] 0xffffffffa0238457\n [\u003c00000000b40d0922\u003e] 0xffffffffa02a008f\n [\u003c0000000023d17b9d\u003e] do_one_initcall+0x87/0x2a0\n [\u003c00000000770f6ca6\u003e] do_init_module+0xdf/0x320\n [\u003c000000007b6768fe\u003e] load_module+0x2f98/0x3330\n [\u003c00000000346bed5a\u003e] __do_sys_finit_module+0x113/0x1b0\n [\u003c00000000674c2290\u003e] do_syscall_64+0x35/0x80\n [\u003c000000004c6a8d97\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nIf register device failed, should call put_device() to give up the\nreference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:23.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a75f45afa932bfb24a2603ebcea5efd2e7cdcfd6"
},
{
"url": "https://git.kernel.org/stable/c/2302e2dc42b1f84f951c725ce742fc21c5a1e151"
},
{
"url": "https://git.kernel.org/stable/c/db07fe76df01f40cb897d6e9066b84e46957beb3"
},
{
"url": "https://git.kernel.org/stable/c/fa0d32ab8407d7481450c664fd0de64f2dae9489"
},
{
"url": "https://git.kernel.org/stable/c/330bc5533e8a8ed69cb951d5a8edce9bddb9db21"
},
{
"url": "https://git.kernel.org/stable/c/71212d73184845c944ef1b43f092e643e5bde003"
},
{
"url": "https://git.kernel.org/stable/c/1b172fb05d6315ecec082fd7544a3390e96f0d7e"
},
{
"url": "https://git.kernel.org/stable/c/bcabe1dc2a344adbb3382930a23e273ba9382277"
},
{
"url": "https://git.kernel.org/stable/c/895d68a39481a75c680aa421546931fb11942fa6"
}
],
"title": "mtd: Fix device name leak when register device failed in add_mtd_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50566",
"datePublished": "2025-10-22T13:23:23.917Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2025-10-22T13:23:23.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50581 (GCVE-0-2022-50581)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix OOB Read in __hfs_brec_find
Syzbot reported a OOB read bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
__hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
write_inode fs/fs-writeback.c:1440 [inline]
If the input inode of hfs_write_inode() is incorrect:
struct inode
struct hfs_inode_info
struct hfs_cat_key
struct hfs_name
u8 len # len is greater than HFS_NAMELEN(31) which is the
maximum length of an HFS filename
OOB read occurred:
hfs_write_inode()
hfs_brec_find()
__hfs_brec_find()
hfs_cat_keycmp()
hfs_strcmp() # OOB read occurred due to len is too large
Fix this by adding a Check on len in hfs_write_inode() before calling
hfs_brec_find().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c40f2dbae603ef0bd21e87c63f54ec59fd88256",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c886c10a6eddb99923b315f42bf63f448883ef9a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90103ccb6e60aa4efe48993d23d6a528472f2233",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4fd3a11804c8877ff11fec59c5c53f1635331e3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "367296925c7625c3969d2a78d7a3e1dee161beb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e9e692917c6e10a7066c7a6d092dcdc3d4e329f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bfc9d8f27f89717431a6aecce42ae230b437433f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d824e69d9f3fa3121b2dda25053bae71e2460d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix OOB Read in __hfs_brec_find\n\nSyzbot reported a OOB read bug:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190\nfs/hfs/string.c:84\nRead of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11\nCPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted\n6.1.0-rc6-syzkaller-00308-g644e9524388a #0\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n hfs_strcmp+0x117/0x190 fs/hfs/string.c:84\n __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75\n hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138\n hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462\n write_inode fs/fs-writeback.c:1440 [inline]\n\nIf the input inode of hfs_write_inode() is incorrect:\nstruct inode\n struct hfs_inode_info\n struct hfs_cat_key\n struct hfs_name\n u8 len # len is greater than HFS_NAMELEN(31) which is the\nmaximum length of an HFS filename\n\nOOB read occurred:\nhfs_write_inode()\n hfs_brec_find()\n __hfs_brec_find()\n hfs_cat_keycmp()\n hfs_strcmp() # OOB read occurred due to len is too large\n\nFix this by adding a Check on len in hfs_write_inode() before calling\nhfs_brec_find()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:33.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c40f2dbae603ef0bd21e87c63f54ec59fd88256"
},
{
"url": "https://git.kernel.org/stable/c/c886c10a6eddb99923b315f42bf63f448883ef9a"
},
{
"url": "https://git.kernel.org/stable/c/2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30"
},
{
"url": "https://git.kernel.org/stable/c/90103ccb6e60aa4efe48993d23d6a528472f2233"
},
{
"url": "https://git.kernel.org/stable/c/4fd3a11804c8877ff11fec59c5c53f1635331e3e"
},
{
"url": "https://git.kernel.org/stable/c/367296925c7625c3969d2a78d7a3e1dee161beb5"
},
{
"url": "https://git.kernel.org/stable/c/e9e692917c6e10a7066c7a6d092dcdc3d4e329f3"
},
{
"url": "https://git.kernel.org/stable/c/bfc9d8f27f89717431a6aecce42ae230b437433f"
},
{
"url": "https://git.kernel.org/stable/c/8d824e69d9f3fa3121b2dda25053bae71e2460d2"
}
],
"title": "hfs: fix OOB Read in __hfs_brec_find",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50581",
"datePublished": "2025-10-22T13:23:33.421Z",
"dateReserved": "2025-10-22T13:20:23.762Z",
"dateUpdated": "2025-10-22T13:23:33.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53187 (GCVE-0-2023-53187)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free of new block group that became unused
If a task creates a new block group and that block group becomes unused
before we finish its creation, at btrfs_create_pending_block_groups(),
then when btrfs_mark_bg_unused() is called against the block group, we
assume that the block group is currently in the list of block groups to
reclaim, and we move it out of the list of new block groups and into the
list of unused block groups. This has two consequences:
1) We move it out of the list of new block groups associated to the
current transaction. So the block group creation is not finished and
if we attempt to delete the bg because it's unused, we will not find
the block group item in the extent tree (or the new block group tree),
its device extent items in the device tree etc, resulting in the
deletion to fail due to the missing items;
2) We don't increment the reference count on the block group when we
move it to the list of unused block groups, because we assumed the
block group was on the list of block groups to reclaim, and in that
case it already has the correct reference count. However the block
group was on the list of new block groups, in which case no extra
reference was taken because it's local to the current task. This
later results in doing an extra reference count decrement when
removing the block group from the unused list, eventually leading the
reference count to 0.
This second case was caught when running generic/297 from fstests, which
produced the following assertion failure and stack trace:
[589.559] assertion failed: refcount_read(&block_group->refs) == 1, in fs/btrfs/block-group.c:4299
[589.559] ------------[ cut here ]------------
[589.559] kernel BUG at fs/btrfs/block-group.c:4299!
[589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.561] Code: 68 62 da c0 (...)
[589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246
[589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000
[589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff
[589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50
[589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00
[589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100
[589.563] FS: 00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000
[589.563] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0
[589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[589.564] Call Trace:
[589.564] <TASK>
[589.565] ? __die_body+0x1b/0x60
[589.565] ? die+0x39/0x60
[589.565] ? do_trap+0xeb/0x110
[589.565] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.566] ? do_error_trap+0x6a/0x90
[589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.566] ? exc_invalid_op+0x4e/0x70
[589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.567] ? asm_exc_invalid_op+0x16/0x20
[589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]
[589.567] close_ctree+0x35d/0x560 [btrfs]
[589.568] ? fsnotify_sb_delete+0x13e/0x1d0
[589.568] ? dispose_list+0x3a/0x50
[589.568] ? evict_inodes+0x151/0x1a0
[589.568] generic_shutdown_super+0x73/0x1a0
[589.569] kill_anon_super+0x14/0x30
[589.569] btrfs_kill_super+0x12/0x20 [btrfs]
[589.569] deactivate_locked
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/block-group.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6297644db23f77c02ae7961cc542d162629ae2c4",
"status": "affected",
"version": "01eca70ef8cf499d0cb6d1bbd691558e7792cf17",
"versionType": "git"
},
{
"lessThan": "7569c4294ba6ff9f194635b14876198f8a687c4a",
"status": "affected",
"version": "5d19abcffd8404078dfa7d7118cec357b5e7bc58",
"versionType": "git"
},
{
"lessThan": "0657b20c5a76c938612f8409735a8830d257866e",
"status": "affected",
"version": "a9f189716cf15913c453299d72f69c51a9b0f86b",
"versionType": "git"
},
{
"status": "affected",
"version": "edf3b5aadb2515c808200b904baa5b70a727f0ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/block-group.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.128",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free of new block group that became unused\n\nIf a task creates a new block group and that block group becomes unused\nbefore we finish its creation, at btrfs_create_pending_block_groups(),\nthen when btrfs_mark_bg_unused() is called against the block group, we\nassume that the block group is currently in the list of block groups to\nreclaim, and we move it out of the list of new block groups and into the\nlist of unused block groups. This has two consequences:\n\n1) We move it out of the list of new block groups associated to the\n current transaction. So the block group creation is not finished and\n if we attempt to delete the bg because it\u0027s unused, we will not find\n the block group item in the extent tree (or the new block group tree),\n its device extent items in the device tree etc, resulting in the\n deletion to fail due to the missing items;\n\n2) We don\u0027t increment the reference count on the block group when we\n move it to the list of unused block groups, because we assumed the\n block group was on the list of block groups to reclaim, and in that\n case it already has the correct reference count. However the block\n group was on the list of new block groups, in which case no extra\n reference was taken because it\u0027s local to the current task. This\n later results in doing an extra reference count decrement when\n removing the block group from the unused list, eventually leading the\n reference count to 0.\n\nThis second case was caught when running generic/297 from fstests, which\nproduced the following assertion failure and stack trace:\n\n [589.559] assertion failed: refcount_read(\u0026block_group-\u003erefs) == 1, in fs/btrfs/block-group.c:4299\n [589.559] ------------[ cut here ]------------\n [589.559] kernel BUG at fs/btrfs/block-group.c:4299!\n [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.561] Code: 68 62 da c0 (...)\n [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246\n [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000\n [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff\n [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50\n [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00\n [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100\n [589.563] FS: 00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000\n [589.563] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0\n [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [589.564] Call Trace:\n [589.564] \u003cTASK\u003e\n [589.565] ? __die_body+0x1b/0x60\n [589.565] ? die+0x39/0x60\n [589.565] ? do_trap+0xeb/0x110\n [589.565] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.566] ? do_error_trap+0x6a/0x90\n [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.566] ? exc_invalid_op+0x4e/0x70\n [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.567] ? asm_exc_invalid_op+0x16/0x20\n [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n [589.567] close_ctree+0x35d/0x560 [btrfs]\n [589.568] ? fsnotify_sb_delete+0x13e/0x1d0\n [589.568] ? dispose_list+0x3a/0x50\n [589.568] ? evict_inodes+0x151/0x1a0\n [589.568] generic_shutdown_super+0x73/0x1a0\n [589.569] kill_anon_super+0x14/0x30\n [589.569] btrfs_kill_super+0x12/0x20 [btrfs]\n [589.569] deactivate_locked\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:40.019Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6297644db23f77c02ae7961cc542d162629ae2c4"
},
{
"url": "https://git.kernel.org/stable/c/7569c4294ba6ff9f194635b14876198f8a687c4a"
},
{
"url": "https://git.kernel.org/stable/c/0657b20c5a76c938612f8409735a8830d257866e"
}
],
"title": "btrfs: fix use-after-free of new block group that became unused",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53187",
"datePublished": "2025-09-15T14:04:40.019Z",
"dateReserved": "2025-09-15T13:59:19.066Z",
"dateUpdated": "2025-09-15T14:04:40.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50529 (GCVE-0-2022-50529)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
test_firmware: fix memory leak in test_firmware_init()
When misc_register() failed in test_firmware_init(), the memory pointed
by test_fw_config->name is not released. The memory leak information is
as follows:
unreferenced object 0xffff88810a34cb00 (size 32):
comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)
hex dump (first 32 bytes):
74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi
6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
backtrace:
[<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0
[<ffffffff81affb96>] kstrndup+0x46/0xc0
[<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]
[<ffffffffa040f068>] 0xffffffffa040f068
[<ffffffff81002c41>] do_one_initcall+0x141/0x780
[<ffffffff816a72c3>] do_init_module+0x1c3/0x630
[<ffffffff816adb9e>] load_module+0x623e/0x76a0
[<ffffffff816af471>] __do_sys_finit_module+0x181/0x240
[<ffffffff89978f99>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 Version: c92316bf8e94830a0225f2e904cbdbd173768419 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/test_firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed5cbafaf7ce8b86f19998c00eb020c8d49b017f",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "04dd47a2e169f2d4489636afa07ff0469aab49ab",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "628de998a3abfffb3f9677d2fb39a1d5dcb32fdb",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "0b5a89e8bce1ea43687742b4de8e216189ff94ac",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "357379d504c0c8b0834e206ad8c49e4b3c98ed4d",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "8d8c1d6a430f0aadb80036e2b1bc0a05f9fad247",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "6dd5fbd243f19f087dc79481acb7d69fb57fea2c",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
},
{
"lessThan": "7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e",
"status": "affected",
"version": "c92316bf8e94830a0225f2e904cbdbd173768419",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/test_firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntest_firmware: fix memory leak in test_firmware_init()\n\nWhen misc_register() failed in test_firmware_init(), the memory pointed\nby test_fw_config-\u003ename is not released. The memory leak information is\nas follows:\nunreferenced object 0xffff88810a34cb00 (size 32):\n comm \"insmod\", pid 7952, jiffies 4294948236 (age 49.060s)\n hex dump (first 32 bytes):\n 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi\n 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............\n backtrace:\n [\u003cffffffff81b21fcb\u003e] __kmalloc_node_track_caller+0x4b/0xc0\n [\u003cffffffff81affb96\u003e] kstrndup+0x46/0xc0\n [\u003cffffffffa0403a49\u003e] __test_firmware_config_init+0x29/0x380 [test_firmware]\n [\u003cffffffffa040f068\u003e] 0xffffffffa040f068\n [\u003cffffffff81002c41\u003e] do_one_initcall+0x141/0x780\n [\u003cffffffff816a72c3\u003e] do_init_module+0x1c3/0x630\n [\u003cffffffff816adb9e\u003e] load_module+0x623e/0x76a0\n [\u003cffffffff816af471\u003e] __do_sys_finit_module+0x181/0x240\n [\u003cffffffff89978f99\u003e] do_syscall_64+0x39/0xb0\n [\u003cffffffff89a0008b\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:20.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed5cbafaf7ce8b86f19998c00eb020c8d49b017f"
},
{
"url": "https://git.kernel.org/stable/c/04dd47a2e169f2d4489636afa07ff0469aab49ab"
},
{
"url": "https://git.kernel.org/stable/c/628de998a3abfffb3f9677d2fb39a1d5dcb32fdb"
},
{
"url": "https://git.kernel.org/stable/c/0b5a89e8bce1ea43687742b4de8e216189ff94ac"
},
{
"url": "https://git.kernel.org/stable/c/357379d504c0c8b0834e206ad8c49e4b3c98ed4d"
},
{
"url": "https://git.kernel.org/stable/c/8d8c1d6a430f0aadb80036e2b1bc0a05f9fad247"
},
{
"url": "https://git.kernel.org/stable/c/6dd5fbd243f19f087dc79481acb7d69fb57fea2c"
},
{
"url": "https://git.kernel.org/stable/c/7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e"
}
],
"title": "test_firmware: fix memory leak in test_firmware_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50529",
"datePublished": "2025-10-07T15:19:20.581Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:20.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53585 (GCVE-0-2023-53585)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: reject unhashed sockets in bpf_sk_assign
The semantics for bpf_sk_assign are as follows:
sk = some_lookup_func()
bpf_sk_assign(skb, sk)
bpf_sk_release(sk)
That is, the sk is not consumed by bpf_sk_assign. The function
therefore needs to make sure that sk lives long enough to be
consumed from __inet_lookup_skb. The path through the stack for a
TCPv4 packet is roughly:
netif_receive_skb_core: takes RCU read lock
__netif_receive_skb_core:
sch_handle_ingress:
tcf_classify:
bpf_sk_assign()
deliver_ptype_list_skb:
deliver_skb:
ip_packet_type->func == ip_rcv:
ip_rcv_core:
ip_rcv_finish_core:
dst_input:
ip_local_deliver:
ip_local_deliver_finish:
ip_protocol_deliver_rcu:
tcp_v4_rcv:
__inet_lookup_skb:
skb_steal_sock
The existing helper takes advantage of the fact that everything
happens in the same RCU critical section: for sockets with
SOCK_RCU_FREE set bpf_sk_assign never takes a reference.
skb_steal_sock then checks SOCK_RCU_FREE again and does sock_put
if necessary.
This approach assumes that SOCK_RCU_FREE is never set on a sk
between bpf_sk_assign and skb_steal_sock, but this invariant is
violated by unhashed UDP sockets. A new UDP socket is created
in TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only
added in udp_lib_get_port() which happens when a socket is bound.
When bpf_sk_assign was added it wasn't possible to access unhashed
UDP sockets from BPF, so this wasn't a problem. This changed
in commit 0c48eefae712 ("sock_map: Lift socket state restriction
for datagram sockets"), but the helper wasn't adjusted accordingly.
The following sequence of events will therefore lead to a refcount
leak:
1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.
2. Pull socket out of sockmap and bpf_sk_assign it. Since
SOCK_RCU_FREE is not set we increment the refcount.
3. bind() or connect() the socket, setting SOCK_RCU_FREE.
4. skb_steal_sock will now set refcounted = false due to
SOCK_RCU_FREE.
5. tcp_v4_rcv() skips sock_put().
Fix the problem by rejecting unhashed sockets in bpf_sk_assign().
This matches the behaviour of __inet_lookup_skb which is ultimately
the goal of bpf_sk_assign().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 Version: cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "791a12102e5191dcb6ce0b3a99d71b5a2802d12a",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
},
{
"lessThan": "7dcbc0bb0e5cc1823923744befce59ac353135e6",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
},
{
"lessThan": "c0ce0fb76610d5fad31f56f2ca8241a2a6717a1b",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
},
{
"lessThan": "8aa43cfbb68b25119d2ced14ec717173e2901fa2",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
},
{
"lessThan": "3d4522f59fb748a54446846522941a4f09da63e9",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
},
{
"lessThan": "67312adc96b5a585970d03b62412847afe2c6b01",
"status": "affected",
"version": "cf7fbe660f2dbd738ab58aea8e9b0ca6ad232449",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject unhashed sockets in bpf_sk_assign\n\nThe semantics for bpf_sk_assign are as follows:\n\n sk = some_lookup_func()\n bpf_sk_assign(skb, sk)\n bpf_sk_release(sk)\n\nThat is, the sk is not consumed by bpf_sk_assign. The function\ntherefore needs to make sure that sk lives long enough to be\nconsumed from __inet_lookup_skb. The path through the stack for a\nTCPv4 packet is roughly:\n\n netif_receive_skb_core: takes RCU read lock\n __netif_receive_skb_core:\n sch_handle_ingress:\n tcf_classify:\n bpf_sk_assign()\n deliver_ptype_list_skb:\n deliver_skb:\n ip_packet_type-\u003efunc == ip_rcv:\n ip_rcv_core:\n ip_rcv_finish_core:\n dst_input:\n ip_local_deliver:\n ip_local_deliver_finish:\n ip_protocol_deliver_rcu:\n tcp_v4_rcv:\n __inet_lookup_skb:\n skb_steal_sock\n\nThe existing helper takes advantage of the fact that everything\nhappens in the same RCU critical section: for sockets with\nSOCK_RCU_FREE set bpf_sk_assign never takes a reference.\nskb_steal_sock then checks SOCK_RCU_FREE again and does sock_put\nif necessary.\n\nThis approach assumes that SOCK_RCU_FREE is never set on a sk\nbetween bpf_sk_assign and skb_steal_sock, but this invariant is\nviolated by unhashed UDP sockets. A new UDP socket is created\nin TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only\nadded in udp_lib_get_port() which happens when a socket is bound.\n\nWhen bpf_sk_assign was added it wasn\u0027t possible to access unhashed\nUDP sockets from BPF, so this wasn\u0027t a problem. This changed\nin commit 0c48eefae712 (\"sock_map: Lift socket state restriction\nfor datagram sockets\"), but the helper wasn\u0027t adjusted accordingly.\nThe following sequence of events will therefore lead to a refcount\nleak:\n\n1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.\n2. Pull socket out of sockmap and bpf_sk_assign it. Since\n SOCK_RCU_FREE is not set we increment the refcount.\n3. bind() or connect() the socket, setting SOCK_RCU_FREE.\n4. skb_steal_sock will now set refcounted = false due to\n SOCK_RCU_FREE.\n5. tcp_v4_rcv() skips sock_put().\n\nFix the problem by rejecting unhashed sockets in bpf_sk_assign().\nThis matches the behaviour of __inet_lookup_skb which is ultimately\nthe goal of bpf_sk_assign()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:01.022Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/791a12102e5191dcb6ce0b3a99d71b5a2802d12a"
},
{
"url": "https://git.kernel.org/stable/c/7dcbc0bb0e5cc1823923744befce59ac353135e6"
},
{
"url": "https://git.kernel.org/stable/c/c0ce0fb76610d5fad31f56f2ca8241a2a6717a1b"
},
{
"url": "https://git.kernel.org/stable/c/8aa43cfbb68b25119d2ced14ec717173e2901fa2"
},
{
"url": "https://git.kernel.org/stable/c/3d4522f59fb748a54446846522941a4f09da63e9"
},
{
"url": "https://git.kernel.org/stable/c/67312adc96b5a585970d03b62412847afe2c6b01"
}
],
"title": "bpf: reject unhashed sockets in bpf_sk_assign",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53585",
"datePublished": "2025-10-04T15:44:01.022Z",
"dateReserved": "2025-10-04T15:40:38.477Z",
"dateUpdated": "2025-10-04T15:44:01.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52923 (GCVE-0-2023-52923)
Vulnerability from cvelistv5
Published
2025-01-20 10:48
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: adapt set backend to use GC transaction API
Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.
No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.
rbtree and pipapo set backends does not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb4d00b563675ba8ff6ef94b077f58d816f68ba3",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "c357648929c8dff891502349769aafb8f0452bc2",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "146c76866795553dbc19998f36718d7986ad302b",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "479a2cf5259347d6a1f658b0f791d27a34908e91",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "df650d6a4bf47248261b61ef6b174d7c54034d15",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "f6c383b8c31a93752a52697f8430a71dcbc46adf",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.316",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.262",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.198",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.134",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: adapt set backend to use GC transaction API\n\nUse the GC transaction API to replace the old and buggy gc API and the\nbusy mark approach.\n\nNo set elements are removed from async garbage collection anymore,\ninstead the _DEAD bit is set on so the set element is not visible from\nlookup path anymore. Async GC enqueues transaction work that might be\naborted and retried later.\n\nrbtree and pipapo set backends does not set on the _DEAD bit from the\nsync GC path since this runs in control plane path where mutex is held.\nIn this case, set elements are deactivated, removed and then released\nvia RCU callback, sync GC never fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:05.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb4d00b563675ba8ff6ef94b077f58d816f68ba3"
},
{
"url": "https://git.kernel.org/stable/c/c357648929c8dff891502349769aafb8f0452bc2"
},
{
"url": "https://git.kernel.org/stable/c/146c76866795553dbc19998f36718d7986ad302b"
},
{
"url": "https://git.kernel.org/stable/c/479a2cf5259347d6a1f658b0f791d27a34908e91"
},
{
"url": "https://git.kernel.org/stable/c/df650d6a4bf47248261b61ef6b174d7c54034d15"
},
{
"url": "https://git.kernel.org/stable/c/e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681"
},
{
"url": "https://git.kernel.org/stable/c/f6c383b8c31a93752a52697f8430a71dcbc46adf"
}
],
"title": "netfilter: nf_tables: adapt set backend to use GC transaction API",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52923",
"datePublished": "2025-01-20T10:48:13.723Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-05-04T07:46:05.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53201 (GCVE-0-2023-53201)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: wraparound mbox producer index
Driver is not handling the wraparound of the mbox producer index correctly.
Currently the wraparound happens once u32 max is reached.
Bit 31 of the producer index register is special and should be set
only once for the first command. Because the producer index overflow
setting bit31 after a long time, FW goes to initialization sequence
and this causes FW hang.
Fix is to wraparound the mbox producer index once it reaches u16 max.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/qplib_rcfw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9341501e2f7af29f5b5562c2840a7fde40eb7de4",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "79226176cdd1b65a1e6a90e0e1a2b490f0a9df33",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "c9be352be9bb15e6b83e40abc4df7f4776b435ba",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "7bfa0303fbc265c94cfbd17505c55b99848aa4e3",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "50d77c3739b2b15e9e1f1c9cbe50037d294800f8",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "0af91306e17ef3d18e5f100aa58aa787869118af",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/qplib_rcfw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: wraparound mbox producer index\n\nDriver is not handling the wraparound of the mbox producer index correctly.\nCurrently the wraparound happens once u32 max is reached.\n\nBit 31 of the producer index register is special and should be set\nonly once for the first command. Because the producer index overflow\nsetting bit31 after a long time, FW goes to initialization sequence\nand this causes FW hang.\n\nFix is to wraparound the mbox producer index once it reaches u16 max."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:29.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9341501e2f7af29f5b5562c2840a7fde40eb7de4"
},
{
"url": "https://git.kernel.org/stable/c/79226176cdd1b65a1e6a90e0e1a2b490f0a9df33"
},
{
"url": "https://git.kernel.org/stable/c/c9be352be9bb15e6b83e40abc4df7f4776b435ba"
},
{
"url": "https://git.kernel.org/stable/c/7bfa0303fbc265c94cfbd17505c55b99848aa4e3"
},
{
"url": "https://git.kernel.org/stable/c/50d77c3739b2b15e9e1f1c9cbe50037d294800f8"
},
{
"url": "https://git.kernel.org/stable/c/0af91306e17ef3d18e5f100aa58aa787869118af"
}
],
"title": "RDMA/bnxt_re: wraparound mbox producer index",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53201",
"datePublished": "2025-09-15T14:21:29.476Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2025-09-15T14:21:29.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46818 (GCVE-0-2024-46818)
Vulnerability from cvelistv5
Published
2024-09-27 12:35
Modified
2025-11-03 22:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check gpio_id before used as array index
[WHY & HOW]
GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore
should be checked in advance.
This fixes 5 OVERRUN issues reported by Coverity.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:15:06.184629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:15:15.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:19:05.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8520fdc8ecc38f240a8e9e7af89cca6739c3e790",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "40c2e8bc117cab8bca8814735f28a8b121654a84",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "0184cca30cad74d88f5c875d4e26999e26325700",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "276e3fd93e3beb5894eb1cc8480f9f417d51524d",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "08e7755f754e3d2cef7d3a7da538d33526bd6f7c",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3d4198ab612ad48f73383ad3bb5663e6f0cdf406",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "2a5626eeb3b5eec7a36886f9556113dd93ec8ed6",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.284",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.226",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.109",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.50",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.9",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check gpio_id before used as array index\n\n[WHY \u0026 HOW]\nGPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore\nshould be checked in advance.\n\nThis fixes 5 OVERRUN issues reported by Coverity."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T17:20:43.164Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8520fdc8ecc38f240a8e9e7af89cca6739c3e790"
},
{
"url": "https://git.kernel.org/stable/c/40c2e8bc117cab8bca8814735f28a8b121654a84"
},
{
"url": "https://git.kernel.org/stable/c/0184cca30cad74d88f5c875d4e26999e26325700"
},
{
"url": "https://git.kernel.org/stable/c/276e3fd93e3beb5894eb1cc8480f9f417d51524d"
},
{
"url": "https://git.kernel.org/stable/c/08e7755f754e3d2cef7d3a7da538d33526bd6f7c"
},
{
"url": "https://git.kernel.org/stable/c/3d4198ab612ad48f73383ad3bb5663e6f0cdf406"
},
{
"url": "https://git.kernel.org/stable/c/2a5626eeb3b5eec7a36886f9556113dd93ec8ed6"
}
],
"title": "drm/amd/display: Check gpio_id before used as array index",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46818",
"datePublished": "2024-09-27T12:35:59.187Z",
"dateReserved": "2024-09-11T15:12:18.284Z",
"dateUpdated": "2025-11-03T22:19:05.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56601 (GCVE-0-2024-56601)
Vulnerability from cvelistv5
Published
2024-12-27 14:51
Modified
2025-11-03 20:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: inet: do not leave a dangling sk pointer in inet_create()
sock_init_data() attaches the allocated sk object to the provided sock
object. If inet_create() fails later, the sk object is freed, but the
sock object retains the dangling pointer, which may create use-after-free
later.
Clear the sk pointer in the sock object on error.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:42:25.967090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:24.011Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:50:40.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/af_inet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8a3f255f7509a209292871715cda03779640c8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bc34d8c8898ae9fddf4612501aabb22d76c2b2c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e8258070b0f2aba66b3ef18883de229674fb288",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b4513cfd3a10c03c660d5d3d26c2e322efbfdd9b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25447c6aaa7235f155292b0c58a067347e8ae891",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "691d6d816f93b2a1008c14178399061466e674ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/af_inet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: inet: do not leave a dangling sk pointer in inet_create()\n\nsock_init_data() attaches the allocated sk object to the provided sock\nobject. If inet_create() fails later, the sk object is freed, but the\nsock object retains the dangling pointer, which may create use-after-free\nlater.\n\nClear the sk pointer in the sock object on error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T09:13:42.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8a3f255f7509a209292871715cda03779640c8d"
},
{
"url": "https://git.kernel.org/stable/c/2bc34d8c8898ae9fddf4612501aabb22d76c2b2c"
},
{
"url": "https://git.kernel.org/stable/c/3e8258070b0f2aba66b3ef18883de229674fb288"
},
{
"url": "https://git.kernel.org/stable/c/b4513cfd3a10c03c660d5d3d26c2e322efbfdd9b"
},
{
"url": "https://git.kernel.org/stable/c/25447c6aaa7235f155292b0c58a067347e8ae891"
},
{
"url": "https://git.kernel.org/stable/c/691d6d816f93b2a1008c14178399061466e674ef"
},
{
"url": "https://git.kernel.org/stable/c/9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff"
}
],
"title": "net: inet: do not leave a dangling sk pointer in inet_create()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56601",
"datePublished": "2024-12-27T14:51:07.358Z",
"dateReserved": "2024-12-27T14:03:06.011Z",
"dateUpdated": "2025-11-03T20:50:40.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38694 (GCVE-0-2025-38694)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash. Similar issue occurs when access
msg[1].buf[0] and msg[1].buf[1].
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:20.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce8b7c711b9c4f040b5419729d0972db8e374324",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "529fd5593b721e6f4370c591f5086649ed149ff6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c33280d6bd668dbdc5a5f07887cc63a52ab4789c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09906650484a09b3a4d4b3d3065395856810becd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bb32863426afe0badac25c28d59021f211d0f48",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a0f744d6cdde81d7382e183f77a4080a39b206cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19eb5d8e6aa1169d368a4d69aae5572950deb89d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce5cac69b2edac3e3246fee03e8f4c2a1075238b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib7000p.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\n\nIn dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and\nmsg[0].len is zero, former checks on msg[0].buf would be passed. If accessing\nmsg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash. Similar issue occurs when access\nmsg[1].buf[0] and msg[1].buf[1].\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:10.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e"
},
{
"url": "https://git.kernel.org/stable/c/ce8b7c711b9c4f040b5419729d0972db8e374324"
},
{
"url": "https://git.kernel.org/stable/c/529fd5593b721e6f4370c591f5086649ed149ff6"
},
{
"url": "https://git.kernel.org/stable/c/c33280d6bd668dbdc5a5f07887cc63a52ab4789c"
},
{
"url": "https://git.kernel.org/stable/c/09906650484a09b3a4d4b3d3065395856810becd"
},
{
"url": "https://git.kernel.org/stable/c/0bb32863426afe0badac25c28d59021f211d0f48"
},
{
"url": "https://git.kernel.org/stable/c/a0f744d6cdde81d7382e183f77a4080a39b206cd"
},
{
"url": "https://git.kernel.org/stable/c/19eb5d8e6aa1169d368a4d69aae5572950deb89d"
},
{
"url": "https://git.kernel.org/stable/c/ce5cac69b2edac3e3246fee03e8f4c2a1075238b"
}
],
"title": "media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38694",
"datePublished": "2025-09-04T15:32:47.449Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:20.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39801 (GCVE-0-2025-39801)
Vulnerability from cvelistv5
Published
2025-09-15 12:36
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
This commit addresses a rarely observed endpoint command timeout
which causes kernel panic due to warn when 'panic_on_warn' is enabled
and unnecessary call trace prints when 'panic_on_warn' is disabled.
It is seen during fast software-controlled connect/disconnect testcases.
The following is one such endpoint command timeout that we observed:
1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control
transfers for the previous connect have not yet been completed and end
transfer command sent as a part of the disconnect sequence and
processing of USB_ENDPOINT_HALT feature request from the host timeout.
This maybe an expected scenario since the controller is processing EP
commands sent as a part of the previous connect. It maybe better to
remove WARN_ON in all places where device endpoint commands are sent to
avoid unnecessary kernel panic due to warn.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:31.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfe40159eec6ca63b40133bfa783eee2e3ed829f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5a1a847d841505dba2bd85602daf5c218e1d85b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84c95dbf5bece56086cdb65a64162af35158bdd9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f49697dfba2915a9ff36f94604eb76fa61413929",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db27482b9db340402e05d4e9b75352bbaca51af2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "45eae113dccaf8e502090ecf5b3d9e9b805add6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when \u0027panic_on_warn\u0027 is enabled\nand unnecessary call trace prints when \u0027panic_on_warn\u0027 is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n =======\n-\u003edwc3_thread_interrupt\n -\u003edwc3_ep0_interrupt\n -\u003econfigfs_composite_setup\n -\u003ecomposite_setup\n -\u003eusb_ep_queue\n -\u003edwc3_gadget_ep0_queue\n -\u003e__dwc3_gadget_ep0_queue\n -\u003e__dwc3_ep0_do_control_data\n -\u003edwc3_send_gadget_ep_cmd\n\n2. Disconnect\n ==========\n-\u003edwc3_thread_interrupt\n -\u003edwc3_gadget_disconnect_interrupt\n -\u003edwc3_ep0_reset_state\n -\u003edwc3_ep0_end_control_data\n -\u003edwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed and end\ntransfer command sent as a part of the disconnect sequence and\nprocessing of USB_ENDPOINT_HALT feature request from the host timeout.\nThis maybe an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It maybe better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:42.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f"
},
{
"url": "https://git.kernel.org/stable/c/5a1a847d841505dba2bd85602daf5c218e1d85b8"
},
{
"url": "https://git.kernel.org/stable/c/84c95dbf5bece56086cdb65a64162af35158bdd9"
},
{
"url": "https://git.kernel.org/stable/c/f49697dfba2915a9ff36f94604eb76fa61413929"
},
{
"url": "https://git.kernel.org/stable/c/db27482b9db340402e05d4e9b75352bbaca51af2"
},
{
"url": "https://git.kernel.org/stable/c/45eae113dccaf8e502090ecf5b3d9e9b805add6f"
}
],
"title": "usb: dwc3: Remove WARN_ON for device endpoint command timeouts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39801",
"datePublished": "2025-09-15T12:36:43.936Z",
"dateReserved": "2025-04-16T07:20:57.134Z",
"dateUpdated": "2025-11-03T17:43:31.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-43945 (GCVE-0-2022-43945)
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2025-05-01 19:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-131 - Incorrect Calculation of Buffer Size
Summary
The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| linux | linux_kernel |
Version: < 6.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f90497a16e434c2211c66e3de8e77b17868382b8"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171289/Kernel-Live-Patch-Security-Notice-LNS-0092-1.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43945",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:08:01.476613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:08:43.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-08T00:00:00.000Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "SNPS"
},
"references": [
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f90497a16e434c2211c66e3de8e77b17868382b8"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0006/"
},
{
"url": "http://packetstormsecurity.com/files/171289/Kernel-Live-Patch-Security-Notice-LNS-0092-1.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "SNPS",
"cveId": "CVE-2022-43945",
"datePublished": "2022-11-04T00:00:00.000Z",
"dateReserved": "2022-10-26T00:00:00.000Z",
"dateUpdated": "2025-05-01T19:08:43.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53723 (GCVE-0-2023-53723)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
sdma_v4_0_ip is shared on a few asics, but in sdma_v4_0_hw_fini,
driver unconditionally disables ecc_irq which is only enabled on
those asics enabling sdma ecc. This will introduce a warning in
suspend cycle on those chips with sdma ip v4.0, while without
sdma ecc. So this patch correct this.
[ 7283.166354] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]
[ 7283.167001] RSP: 0018:ffff9a5fc3967d08 EFLAGS: 00010246
[ 7283.167019] RAX: ffff98d88afd3770 RBX: 0000000000000001 RCX: 0000000000000000
[ 7283.167023] RDX: 0000000000000000 RSI: ffff98d89da30390 RDI: ffff98d89da20000
[ 7283.167025] RBP: ffff98d89da20000 R08: 0000000000036838 R09: 0000000000000006
[ 7283.167028] R10: ffffd5764243c008 R11: 0000000000000000 R12: ffff98d89da30390
[ 7283.167030] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105
[ 7283.167032] FS: 0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000
[ 7283.167036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7283.167039] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0
[ 7283.167041] Call Trace:
[ 7283.167046] <TASK>
[ 7283.167048] sdma_v4_0_hw_fini+0x38/0xa0 [amdgpu]
[ 7283.167704] amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]
[ 7283.168296] amdgpu_device_suspend+0x103/0x180 [amdgpu]
[ 7283.168875] amdgpu_pmops_freeze+0x21/0x60 [amdgpu]
[ 7283.169464] pci_pm_freeze+0x54/0xc0
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3decf3a750a924362bf4e2680dd3b07242fe56e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c1420276be7a98df0074584bb9c1709cbc1a9df5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "823787470e320f90372c3ef506769520026c571f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a179117a3b29e7136e4045c57090a05bb97f373",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71e1f44077db83e205db70a684c1f2c5d2247174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c5123c193696bf97fdf259c825ebfac517b54e44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b229ada2669b74fdae06c83fbfda5a5a99fc253",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend\n\nsdma_v4_0_ip is shared on a few asics, but in sdma_v4_0_hw_fini,\ndriver unconditionally disables ecc_irq which is only enabled on\nthose asics enabling sdma ecc. This will introduce a warning in\nsuspend cycle on those chips with sdma ip v4.0, while without\nsdma ecc. So this patch correct this.\n\n[ 7283.166354] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]\n[ 7283.167001] RSP: 0018:ffff9a5fc3967d08 EFLAGS: 00010246\n[ 7283.167019] RAX: ffff98d88afd3770 RBX: 0000000000000001 RCX: 0000000000000000\n[ 7283.167023] RDX: 0000000000000000 RSI: ffff98d89da30390 RDI: ffff98d89da20000\n[ 7283.167025] RBP: ffff98d89da20000 R08: 0000000000036838 R09: 0000000000000006\n[ 7283.167028] R10: ffffd5764243c008 R11: 0000000000000000 R12: ffff98d89da30390\n[ 7283.167030] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105\n[ 7283.167032] FS: 0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000\n[ 7283.167036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7283.167039] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0\n[ 7283.167041] Call Trace:\n[ 7283.167046] \u003cTASK\u003e\n[ 7283.167048] sdma_v4_0_hw_fini+0x38/0xa0 [amdgpu]\n[ 7283.167704] amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]\n[ 7283.168296] amdgpu_device_suspend+0x103/0x180 [amdgpu]\n[ 7283.168875] amdgpu_pmops_freeze+0x21/0x60 [amdgpu]\n[ 7283.169464] pci_pm_freeze+0x54/0xc0"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:53.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3decf3a750a924362bf4e2680dd3b07242fe56e8"
},
{
"url": "https://git.kernel.org/stable/c/c1420276be7a98df0074584bb9c1709cbc1a9df5"
},
{
"url": "https://git.kernel.org/stable/c/823787470e320f90372c3ef506769520026c571f"
},
{
"url": "https://git.kernel.org/stable/c/2a179117a3b29e7136e4045c57090a05bb97f373"
},
{
"url": "https://git.kernel.org/stable/c/71e1f44077db83e205db70a684c1f2c5d2247174"
},
{
"url": "https://git.kernel.org/stable/c/c5123c193696bf97fdf259c825ebfac517b54e44"
},
{
"url": "https://git.kernel.org/stable/c/8b229ada2669b74fdae06c83fbfda5a5a99fc253"
}
],
"title": "drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53723",
"datePublished": "2025-10-22T13:23:53.900Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:53.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53217 (GCVE-0-2023-53217)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nubus: Partially revert proc_create_single_data() conversion
The conversion to proc_create_single_data() introduced a regression
whereby reading a file in /proc/bus/nubus results in a seg fault:
# grep -r . /proc/bus/nubus/e/
Data read fault at 0x00000020 in Super Data (pc=0x1074c2)
BAD KERNEL BUSERR
Oops: 00000000
Modules linked in:
PC: [<001074c2>] PDE_DATA+0xc/0x16
SR: 2010 SP: 38284958 a2: 01152370
d0: 00000001 d1: 01013000 d2: 01002790 d3: 00000000
d4: 00000001 d5: 0008ce2e a0: 00000000 a1: 00222a40
Process grep (pid: 45, task=142f8727)
Frame format=B ssw=074d isc=2008 isb=4e5e daddr=00000020 dobuf=01199e70
baddr=001074c8 dibuf=ffffffff ver=f
Stack from 01199e48:
01199e70 00222a58 01002790 00000000 011a3000 01199eb0 015000c0 00000000
00000000 01199ec0 01199ec0 000d551a 011a3000 00000001 00000000 00018000
d003f000 00000003 00000001 0002800d 01052840 01199fa8 c01f8000 00000000
00000029 0b532b80 00000000 00000000 00000029 0b532b80 01199ee4 00103640
011198c0 d003f000 00018000 01199fa8 00000000 011198c0 00000000 01199f4c
000b3344 011198c0 d003f000 00018000 01199fa8 00000000 00018000 011198c0
Call Trace: [<00222a58>] nubus_proc_rsrc_show+0x18/0xa0
[<000d551a>] seq_read+0xc4/0x510
[<00018000>] fp_fcos+0x2/0x82
[<0002800d>] __sys_setreuid+0x115/0x1c6
[<00103640>] proc_reg_read+0x5c/0xb0
[<00018000>] fp_fcos+0x2/0x82
[<000b3344>] __vfs_read+0x2c/0x13c
[<00018000>] fp_fcos+0x2/0x82
[<00018000>] fp_fcos+0x2/0x82
[<000b8aa2>] sys_statx+0x60/0x7e
[<000b34b6>] vfs_read+0x62/0x12a
[<00018000>] fp_fcos+0x2/0x82
[<00018000>] fp_fcos+0x2/0x82
[<000b39c2>] ksys_read+0x48/0xbe
[<00018000>] fp_fcos+0x2/0x82
[<000b3a4e>] sys_read+0x16/0x1a
[<00018000>] fp_fcos+0x2/0x82
[<00002b84>] syscall+0x8/0xc
[<00018000>] fp_fcos+0x2/0x82
[<0000c016>] not_ext+0xa/0x18
Code: 4e5e 4e75 4e56 0000 206e 0008 2068 ffe8 <2068> 0020 2008 4e5e 4e75 4e56 0000 2f0b 206e 0008 2068 0004 2668 0020 206b ffe8
Disabling lock debugging due to kernel taint
Segmentation fault
The proc_create_single_data() conversion does not work because
single_open(file, nubus_proc_rsrc_show, PDE_DATA(inode)) is not
equivalent to the original code.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3f3942aca6da351a12543aa776467791b63b3a78 Version: 3f3942aca6da351a12543aa776467791b63b3a78 Version: 3f3942aca6da351a12543aa776467791b63b3a78 Version: 3f3942aca6da351a12543aa776467791b63b3a78 Version: 3f3942aca6da351a12543aa776467791b63b3a78 Version: 3f3942aca6da351a12543aa776467791b63b3a78 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nubus/proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f70407e8e0272e00d133c5e039168ff1bae6bcac",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
},
{
"lessThan": "c06edf13f4cf7f9e8ff4bc6f7e951e4f074dc105",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
},
{
"lessThan": "67e3b5230cefed1eca470c460a2035f02986cebb",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
},
{
"lessThan": "9877533e1401dbbb2c7da8badda05d196aa07623",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
},
{
"lessThan": "a03f2f4bd49030f57849227be9ba38a3eb1edb61",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
},
{
"lessThan": "0e96647cff9224db564a1cee6efccb13dbe11ee2",
"status": "affected",
"version": "3f3942aca6da351a12543aa776467791b63b3a78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nubus/proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.38",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.12",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnubus: Partially revert proc_create_single_data() conversion\n\nThe conversion to proc_create_single_data() introduced a regression\nwhereby reading a file in /proc/bus/nubus results in a seg fault:\n\n # grep -r . /proc/bus/nubus/e/\n Data read fault at 0x00000020 in Super Data (pc=0x1074c2)\n BAD KERNEL BUSERR\n Oops: 00000000\n Modules linked in:\n PC: [\u003c001074c2\u003e] PDE_DATA+0xc/0x16\n SR: 2010 SP: 38284958 a2: 01152370\n d0: 00000001 d1: 01013000 d2: 01002790 d3: 00000000\n d4: 00000001 d5: 0008ce2e a0: 00000000 a1: 00222a40\n Process grep (pid: 45, task=142f8727)\n Frame format=B ssw=074d isc=2008 isb=4e5e daddr=00000020 dobuf=01199e70\n baddr=001074c8 dibuf=ffffffff ver=f\n Stack from 01199e48:\n\t 01199e70 00222a58 01002790 00000000 011a3000 01199eb0 015000c0 00000000\n\t 00000000 01199ec0 01199ec0 000d551a 011a3000 00000001 00000000 00018000\n\t d003f000 00000003 00000001 0002800d 01052840 01199fa8 c01f8000 00000000\n\t 00000029 0b532b80 00000000 00000000 00000029 0b532b80 01199ee4 00103640\n\t 011198c0 d003f000 00018000 01199fa8 00000000 011198c0 00000000 01199f4c\n\t 000b3344 011198c0 d003f000 00018000 01199fa8 00000000 00018000 011198c0\n Call Trace: [\u003c00222a58\u003e] nubus_proc_rsrc_show+0x18/0xa0\n [\u003c000d551a\u003e] seq_read+0xc4/0x510\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c0002800d\u003e] __sys_setreuid+0x115/0x1c6\n [\u003c00103640\u003e] proc_reg_read+0x5c/0xb0\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c000b3344\u003e] __vfs_read+0x2c/0x13c\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c000b8aa2\u003e] sys_statx+0x60/0x7e\n [\u003c000b34b6\u003e] vfs_read+0x62/0x12a\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c000b39c2\u003e] ksys_read+0x48/0xbe\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c000b3a4e\u003e] sys_read+0x16/0x1a\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c00002b84\u003e] syscall+0x8/0xc\n [\u003c00018000\u003e] fp_fcos+0x2/0x82\n [\u003c0000c016\u003e] not_ext+0xa/0x18\n Code: 4e5e 4e75 4e56 0000 206e 0008 2068 ffe8 \u003c2068\u003e 0020 2008 4e5e 4e75 4e56 0000 2f0b 206e 0008 2068 0004 2668 0020 206b ffe8\n Disabling lock debugging due to kernel taint\n\n Segmentation fault\n\nThe proc_create_single_data() conversion does not work because\nsingle_open(file, nubus_proc_rsrc_show, PDE_DATA(inode)) is not\nequivalent to the original code."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:44.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f70407e8e0272e00d133c5e039168ff1bae6bcac"
},
{
"url": "https://git.kernel.org/stable/c/c06edf13f4cf7f9e8ff4bc6f7e951e4f074dc105"
},
{
"url": "https://git.kernel.org/stable/c/67e3b5230cefed1eca470c460a2035f02986cebb"
},
{
"url": "https://git.kernel.org/stable/c/9877533e1401dbbb2c7da8badda05d196aa07623"
},
{
"url": "https://git.kernel.org/stable/c/a03f2f4bd49030f57849227be9ba38a3eb1edb61"
},
{
"url": "https://git.kernel.org/stable/c/0e96647cff9224db564a1cee6efccb13dbe11ee2"
}
],
"title": "nubus: Partially revert proc_create_single_data() conversion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53217",
"datePublished": "2025-09-15T14:21:44.831Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2025-09-15T14:21:44.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50493 (GCVE-0-2022-50493)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix crash when I/O abort times out
While performing CPU hotplug, a crash with the following stack was seen:
Call Trace:
qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]
qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]
qla_nvme_post_cmd+0x166/0x240 [qla2xxx]
nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]
blk_mq_dispatch_rq_list+0x17b/0x610
__blk_mq_sched_dispatch_requests+0xb0/0x140
blk_mq_sched_dispatch_requests+0x30/0x60
__blk_mq_run_hw_queue+0x35/0x90
__blk_mq_delay_run_hw_queue+0x161/0x180
blk_execute_rq+0xbe/0x160
__nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]
nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]
nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]
nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]
process_one_work+0x1e8/0x3c0
On abort timeout, completion was called without checking if the I/O was
already completed.
Verify that I/O and abort request are indeed outstanding before attempting
completion.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Version: 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Version: 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Version: 71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12 Version: 457173c8b43ecd3ac48c8ace8d4437a50f7ad77b Version: b7abcc7df5e131c0b4bf89cb2411c5301ee83d26 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3871af13aa03fbbe7fbb812eaf140501229a72e",
"status": "affected",
"version": "71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12",
"versionType": "git"
},
{
"lessThan": "cb4dff498468b62e8c520568559b3a9007e104d7",
"status": "affected",
"version": "71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12",
"versionType": "git"
},
{
"lessThan": "05382ed9142cf8a8a3fb662224477eecc415778b",
"status": "affected",
"version": "71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12",
"versionType": "git"
},
{
"lessThan": "68ad83188d782b2ecef2e41ac245d27e0710fe8e",
"status": "affected",
"version": "71c80b75ce8f08c0978ce9a9816b81b5c3ce5e12",
"versionType": "git"
},
{
"status": "affected",
"version": "457173c8b43ecd3ac48c8ace8d4437a50f7ad77b",
"versionType": "git"
},
{
"status": "affected",
"version": "b7abcc7df5e131c0b4bf89cb2411c5301ee83d26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash when I/O abort times out\n\nWhile performing CPU hotplug, a crash with the following stack was seen:\n\nCall Trace:\n qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]\n qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]\n qla_nvme_post_cmd+0x166/0x240 [qla2xxx]\n nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]\n blk_mq_dispatch_rq_list+0x17b/0x610\n __blk_mq_sched_dispatch_requests+0xb0/0x140\n blk_mq_sched_dispatch_requests+0x30/0x60\n __blk_mq_run_hw_queue+0x35/0x90\n __blk_mq_delay_run_hw_queue+0x161/0x180\n blk_execute_rq+0xbe/0x160\n __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]\n nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]\n nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]\n nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]\n process_one_work+0x1e8/0x3c0\n\nOn abort timeout, completion was called without checking if the I/O was\nalready completed.\n\nVerify that I/O and abort request are indeed outstanding before attempting\ncompletion."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:45.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3871af13aa03fbbe7fbb812eaf140501229a72e"
},
{
"url": "https://git.kernel.org/stable/c/cb4dff498468b62e8c520568559b3a9007e104d7"
},
{
"url": "https://git.kernel.org/stable/c/05382ed9142cf8a8a3fb662224477eecc415778b"
},
{
"url": "https://git.kernel.org/stable/c/68ad83188d782b2ecef2e41ac245d27e0710fe8e"
}
],
"title": "scsi: qla2xxx: Fix crash when I/O abort times out",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50493",
"datePublished": "2025-10-04T15:43:45.895Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2025-10-04T15:43:45.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39758 (GCVE-0-2025-39758)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"),
we have been doing this:
static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,
size_t size)
[...]
/* Calculate the number of bytes we need to push, for this page
* specifically */
size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);
/* If we can't splice it, then copy it in, as normal */
if (!sendpage_ok(page[i]))
msg.msg_flags &= ~MSG_SPLICE_PAGES;
/* Set the bvec pointing to the page, with len $bytes */
bvec_set_page(&bvec, page[i], bytes, offset);
/* Set the iter to $size, aka the size of the whole sendpages (!!!) */
iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
try_page_again:
lock_sock(sk);
/* Sendmsg with $size size (!!!) */
rv = tcp_sendmsg_locked(sk, &msg, size);
This means we've been sending oversized iov_iters and tcp_sendmsg calls
for a while. This has a been a benign bug because sendpage_ok() always
returned true. With the recent slab allocator changes being slowly
introduced into next (that disallow sendpage on large kmalloc
allocations), we have recently hit out-of-bounds crashes, due to slight
differences in iov_iter behavior between the MSG_SPLICE_PAGES and
"regular" copy paths:
(MSG_SPLICE_PAGES)
skb_splice_from_iter
iov_iter_extract_pages
iov_iter_extract_bvec_pages
uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere
skb_splice_from_iter gets a "short" read
(!MSG_SPLICE_PAGES)
skb_copy_to_page_nocache copy=iov_iter_count
[...]
copy_from_iter
/* this doesn't help */
if (unlikely(iter->count < len))
len = iter->count;
iterate_bvec
... and we run off the bvecs
Fix this by properly setting the iov_iter's byte count, plus sending the
correct byte count to tcp_sendmsg_locked.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_qp_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5661fdd218c2799001b88c17acd19f4395e4488e",
"status": "affected",
"version": "c2ff29e99a764769eb2ce3a1a5585013633ee9a6",
"versionType": "git"
},
{
"lessThan": "673cf582fd788af12cdacfb62a6a593083542481",
"status": "affected",
"version": "c2ff29e99a764769eb2ce3a1a5585013633ee9a6",
"versionType": "git"
},
{
"lessThan": "42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8",
"status": "affected",
"version": "c2ff29e99a764769eb2ce3a1a5585013633ee9a6",
"versionType": "git"
},
{
"lessThan": "edf82bc8150570167a33a7d54627d66614cbf841",
"status": "affected",
"version": "c2ff29e99a764769eb2ce3a1a5585013633ee9a6",
"versionType": "git"
},
{
"lessThan": "c18646248fed07683d4cee8a8af933fc4fe83c0d",
"status": "affected",
"version": "c2ff29e99a764769eb2ce3a1a5585013633ee9a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_qp_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages\n\nEver since commit c2ff29e99a76 (\"siw: Inline do_tcp_sendpages()\"),\nwe have been doing this:\n\nstatic int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,\n size_t size)\n[...]\n /* Calculate the number of bytes we need to push, for this page\n * specifically */\n size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);\n /* If we can\u0027t splice it, then copy it in, as normal */\n if (!sendpage_ok(page[i]))\n msg.msg_flags \u0026= ~MSG_SPLICE_PAGES;\n /* Set the bvec pointing to the page, with len $bytes */\n bvec_set_page(\u0026bvec, page[i], bytes, offset);\n /* Set the iter to $size, aka the size of the whole sendpages (!!!) */\n iov_iter_bvec(\u0026msg.msg_iter, ITER_SOURCE, \u0026bvec, 1, size);\ntry_page_again:\n lock_sock(sk);\n /* Sendmsg with $size size (!!!) */\n rv = tcp_sendmsg_locked(sk, \u0026msg, size);\n\nThis means we\u0027ve been sending oversized iov_iters and tcp_sendmsg calls\nfor a while. This has a been a benign bug because sendpage_ok() always\nreturned true. With the recent slab allocator changes being slowly\nintroduced into next (that disallow sendpage on large kmalloc\nallocations), we have recently hit out-of-bounds crashes, due to slight\ndifferences in iov_iter behavior between the MSG_SPLICE_PAGES and\n\"regular\" copy paths:\n\n(MSG_SPLICE_PAGES)\nskb_splice_from_iter\n iov_iter_extract_pages\n iov_iter_extract_bvec_pages\n uses i-\u003enr_segs to correctly stop in its tracks before OoB\u0027ing everywhere\n skb_splice_from_iter gets a \"short\" read\n\n(!MSG_SPLICE_PAGES)\nskb_copy_to_page_nocache copy=iov_iter_count\n [...]\n copy_from_iter\n /* this doesn\u0027t help */\n if (unlikely(iter-\u003ecount \u003c len))\n len = iter-\u003ecount;\n iterate_bvec\n ... and we run off the bvecs\n\nFix this by properly setting the iov_iter\u0027s byte count, plus sending the\ncorrect byte count to tcp_sendmsg_locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:48.839Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5661fdd218c2799001b88c17acd19f4395e4488e"
},
{
"url": "https://git.kernel.org/stable/c/673cf582fd788af12cdacfb62a6a593083542481"
},
{
"url": "https://git.kernel.org/stable/c/42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8"
},
{
"url": "https://git.kernel.org/stable/c/edf82bc8150570167a33a7d54627d66614cbf841"
},
{
"url": "https://git.kernel.org/stable/c/c18646248fed07683d4cee8a8af933fc4fe83c0d"
}
],
"title": "RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39758",
"datePublished": "2025-09-11T16:52:27.598Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-09-29T05:58:48.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53325 (GCVE-0-2023-53325)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-17 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()
Change logging from drm_{err,info}() to dev_{err,info}() in functions
mtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be
essential to avoid getting NULL pointer kernel panics if any kind
of error happens during AUX transfers happening before the bridge
is attached.
This may potentially start happening in a later commit implementing
aux-bus support, as AUX transfers will be triggered from the panel
driver (for EDID) before the mtk-dp bridge gets attached, and it's
done in preparation for the same.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c743c1dd2ee2a72951660b6798d4d7f7674f87b",
"status": "affected",
"version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b",
"versionType": "git"
},
{
"lessThan": "7839f62294039959076dd06232e07aec7f7d5b2b",
"status": "affected",
"version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b",
"versionType": "git"
},
{
"lessThan": "fd70e2019bfbcb0ed90c5e23839bf510ce6acf8f",
"status": "affected",
"version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()\n\nChange logging from drm_{err,info}() to dev_{err,info}() in functions\nmtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be\nessential to avoid getting NULL pointer kernel panics if any kind\nof error happens during AUX transfers happening before the bridge\nis attached.\n\nThis may potentially start happening in a later commit implementing\naux-bus support, as AUX transfers will be triggered from the panel\ndriver (for EDID) before the mtk-dp bridge gets attached, and it\u0027s\ndone in preparation for the same."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T11:02:54.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c743c1dd2ee2a72951660b6798d4d7f7674f87b"
},
{
"url": "https://git.kernel.org/stable/c/7839f62294039959076dd06232e07aec7f7d5b2b"
},
{
"url": "https://git.kernel.org/stable/c/fd70e2019bfbcb0ed90c5e23839bf510ce6acf8f"
}
],
"title": "drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53325",
"datePublished": "2025-09-16T16:12:00.595Z",
"dateReserved": "2025-09-16T16:08:59.564Z",
"dateUpdated": "2025-09-17T11:02:54.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53608 (GCVE-0-2023-53608)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
The finalization of nilfs_segctor_thread() can race with
nilfs_segctor_kill_thread() which terminates that thread, potentially
causing a use-after-free BUG as KASAN detected.
At the end of nilfs_segctor_thread(), it assigns NULL to "sc_task" member
of "struct nilfs_sc_info" to indicate the thread has finished, and then
notifies nilfs_segctor_kill_thread() of this using waitqueue
"sc_wait_task" on the struct nilfs_sc_info.
However, here, immediately after the NULL assignment to "sc_task", it is
possible that nilfs_segctor_kill_thread() will detect it and return to
continue the deallocation, freeing the nilfs_sc_info structure before the
thread does the notification.
This fixes the issue by protecting the NULL assignment to "sc_task" and
its notification, with spinlock "sc_state_lock" of the struct
nilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to
see if "sc_task" is NULL with "sc_state_lock" locked, this can eliminate
the race.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "034cce77d52ba013ce62b4f5258c29907eb1ada5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dbf0e64b91ee8fcb278aea93eb06fc7d56ecbcc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "613bf23c070d11c525268f2945aa594704a9b764",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f32297dba338dc06d62286dedb3cdbd5175b1719",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92684e02654c91a61a0b0561433b710bcece19fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bae009a2f1b7c2011d2e92d8c84868d315c0b97e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b4d80bd6370b81a1725b6b8f7894802c23a14e9f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6be49d100c22ffea3287a4b19d7639d259888e33",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()\n\nThe finalization of nilfs_segctor_thread() can race with\nnilfs_segctor_kill_thread() which terminates that thread, potentially\ncausing a use-after-free BUG as KASAN detected.\n\nAt the end of nilfs_segctor_thread(), it assigns NULL to \"sc_task\" member\nof \"struct nilfs_sc_info\" to indicate the thread has finished, and then\nnotifies nilfs_segctor_kill_thread() of this using waitqueue\n\"sc_wait_task\" on the struct nilfs_sc_info.\n\nHowever, here, immediately after the NULL assignment to \"sc_task\", it is\npossible that nilfs_segctor_kill_thread() will detect it and return to\ncontinue the deallocation, freeing the nilfs_sc_info structure before the\nthread does the notification.\n\nThis fixes the issue by protecting the NULL assignment to \"sc_task\" and\nits notification, with spinlock \"sc_state_lock\" of the struct\nnilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to\nsee if \"sc_task\" is NULL with \"sc_state_lock\" locked, this can eliminate\nthe race."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:17.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/034cce77d52ba013ce62b4f5258c29907eb1ada5"
},
{
"url": "https://git.kernel.org/stable/c/0dbf0e64b91ee8fcb278aea93eb06fc7d56ecbcc"
},
{
"url": "https://git.kernel.org/stable/c/613bf23c070d11c525268f2945aa594704a9b764"
},
{
"url": "https://git.kernel.org/stable/c/f32297dba338dc06d62286dedb3cdbd5175b1719"
},
{
"url": "https://git.kernel.org/stable/c/92684e02654c91a61a0b0561433b710bcece19fe"
},
{
"url": "https://git.kernel.org/stable/c/bae009a2f1b7c2011d2e92d8c84868d315c0b97e"
},
{
"url": "https://git.kernel.org/stable/c/b4d80bd6370b81a1725b6b8f7894802c23a14e9f"
},
{
"url": "https://git.kernel.org/stable/c/6be49d100c22ffea3287a4b19d7639d259888e33"
}
],
"title": "nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53608",
"datePublished": "2025-10-04T15:44:17.302Z",
"dateReserved": "2025-10-04T15:40:38.480Z",
"dateUpdated": "2025-10-04T15:44:17.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53324 (GCVE-0-2023-53324)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp5: Don't leak some plane state
Apparently no one noticed that mdp5 plane states leak like a sieve
ever since we introduced plane_state->commit refcount a few years ago
in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too
early by tracking commits, v3.")
Fix it by using the right helpers.
Patchwork: https://patchwork.freedesktop.org/patch/551236/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Version: 21a01abbe32a3cbeb903378a24e504bfd9fe0648 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fc11a830b2eb07a0e3c6f917e5e636df6fc5d4c",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "b8a61df6f40448cf46611f7af05b00970d08d620",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "815e42029f6e1e762898079f85546d6a0391ab95",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "c0b1eee648702e04f1005d451f9689575b7f52ed",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "2965015006ef18ca96d2eab9ebe6bca884c63291",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "5b0dd3a102f64996598bd1e8d8388848a7c561bc",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "12dfd02cbd1a678fbd66be0c2f79d5299c4921a9",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
},
{
"lessThan": "fd0ad3b2365c1c58aa5a761c18efc4817193beb6",
"status": "affected",
"version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Don\u0027t leak some plane state\n\nApparently no one noticed that mdp5 plane states leak like a sieve\never since we introduced plane_state-\u003ecommit refcount a few years ago\nin 21a01abbe32a (\"drm/atomic: Fix freeing connector/plane state too\nearly by tracking commits, v3.\")\n\nFix it by using the right helpers.\n\nPatchwork: https://patchwork.freedesktop.org/patch/551236/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:59.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fc11a830b2eb07a0e3c6f917e5e636df6fc5d4c"
},
{
"url": "https://git.kernel.org/stable/c/b8a61df6f40448cf46611f7af05b00970d08d620"
},
{
"url": "https://git.kernel.org/stable/c/815e42029f6e1e762898079f85546d6a0391ab95"
},
{
"url": "https://git.kernel.org/stable/c/c0b1eee648702e04f1005d451f9689575b7f52ed"
},
{
"url": "https://git.kernel.org/stable/c/2965015006ef18ca96d2eab9ebe6bca884c63291"
},
{
"url": "https://git.kernel.org/stable/c/5b0dd3a102f64996598bd1e8d8388848a7c561bc"
},
{
"url": "https://git.kernel.org/stable/c/12dfd02cbd1a678fbd66be0c2f79d5299c4921a9"
},
{
"url": "https://git.kernel.org/stable/c/fd0ad3b2365c1c58aa5a761c18efc4817193beb6"
}
],
"title": "drm/msm/mdp5: Don\u0027t leak some plane state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53324",
"datePublished": "2025-09-16T16:11:59.672Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:59.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50252 (GCVE-0-2022-50252)
Vulnerability from cvelistv5
Published
2025-09-15 14:02
Modified
2025-09-15 14:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: Do not free q_vector unless new one was allocated
Avoid potential use-after-free condition under memory pressure. If the
kzalloc() fails, q_vector will be freed but left in the original
adapter->q_vector[v_idx] array position.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64ca1969599857143e91aeec4440640656100803",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0200f0fbb11e359cc35af72ab10b2ec224e6f633",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "68e8adbcaf7a8743e473343b38b9dad66e2ac6f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f96bd8adc8adde25390965a8c1ee81b73cb62075",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3cb18dea11196fb4a06f78294cec5e61985e1aff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "314f7092b27749bdde44c14095b5533afa2a3bc8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e399577bd397a517df4b938601108c63769ce0a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56483aecf6b22eb7dff6315b3a174688c6ad494c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0668716506ca66f90d395f36ccdaebc3e0e84801",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Do not free q_vector unless new one was allocated\n\nAvoid potential use-after-free condition under memory pressure. If the\nkzalloc() fails, q_vector will be freed but left in the original\nadapter-\u003eq_vector[v_idx] array position."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:02:30.980Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64ca1969599857143e91aeec4440640656100803"
},
{
"url": "https://git.kernel.org/stable/c/0200f0fbb11e359cc35af72ab10b2ec224e6f633"
},
{
"url": "https://git.kernel.org/stable/c/68e8adbcaf7a8743e473343b38b9dad66e2ac6f3"
},
{
"url": "https://git.kernel.org/stable/c/f96bd8adc8adde25390965a8c1ee81b73cb62075"
},
{
"url": "https://git.kernel.org/stable/c/3cb18dea11196fb4a06f78294cec5e61985e1aff"
},
{
"url": "https://git.kernel.org/stable/c/314f7092b27749bdde44c14095b5533afa2a3bc8"
},
{
"url": "https://git.kernel.org/stable/c/6e399577bd397a517df4b938601108c63769ce0a"
},
{
"url": "https://git.kernel.org/stable/c/56483aecf6b22eb7dff6315b3a174688c6ad494c"
},
{
"url": "https://git.kernel.org/stable/c/0668716506ca66f90d395f36ccdaebc3e0e84801"
}
],
"title": "igb: Do not free q_vector unless new one was allocated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50252",
"datePublished": "2025-09-15T14:02:30.980Z",
"dateReserved": "2025-09-15T13:58:00.973Z",
"dateUpdated": "2025-09-15T14:02:30.980Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53601 (GCVE-0-2023-53601)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: do not assume skb mac_header is set
Drivers must not assume in their ndo_start_xmit() that
skbs have their mac_header set. skb->data is all what is needed.
bonding seems to be one of the last offender as caught by syzbot:
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skb_mac_offset include/linux/skbuff.h:2913 [inline]
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 __bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]
WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470
Modules linked in:
CPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:skb_mac_header include/linux/skbuff.h:2907 [inline]
RIP: 0010:skb_mac_offset include/linux/skbuff.h:2913 [inline]
RIP: 0010:bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]
RIP: 0010:bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]
RIP: 0010:bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]
RIP: 0010:__bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]
RIP: 0010:bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470
Code: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe <0f> 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e fe
RSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283
RAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000
RDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6
RBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584
R10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7e
R13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76
FS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
[<ffffffff8471a49f>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
[<ffffffff8471a49f>] __dev_direct_xmit+0x4ef/0x850 net/core/dev.c:4380
[<ffffffff851d845b>] dev_direct_xmit include/linux/netdevice.h:3043 [inline]
[<ffffffff851d845b>] packet_direct_xmit+0x18b/0x300 net/packet/af_packet.c:284
[<ffffffff851c7472>] packet_snd net/packet/af_packet.c:3112 [inline]
[<ffffffff851c7472>] packet_sendmsg+0x4a22/0x64d0 net/packet/af_packet.c:3143
[<ffffffff8467a4b2>] sock_sendmsg_nosec net/socket.c:716 [inline]
[<ffffffff8467a4b2>] sock_sendmsg net/socket.c:736 [inline]
[<ffffffff8467a4b2>] __sys_sendto+0x472/0x5f0 net/socket.c:2139
[<ffffffff8467a715>] __do_sys_sendto net/socket.c:2151 [inline]
[<ffffffff8467a715>] __se_sys_sendto net/socket.c:2147 [inline]
[<ffffffff8467a715>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147
[<ffffffff8553071f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8553071f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
[<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "029d892b05fc5e42a1b1c0665f62cb3e4b23e6dc",
"status": "affected",
"version": "7b8fc0103bb51d1d3e1fb5fd67958612e709f883",
"versionType": "git"
},
{
"lessThan": "37b6143376a578265add04f35161b257eeb84a5e",
"status": "affected",
"version": "7b8fc0103bb51d1d3e1fb5fd67958612e709f883",
"versionType": "git"
},
{
"lessThan": "c96cc3d9acaca53d9a81c884c23f1224b61c829b",
"status": "affected",
"version": "7b8fc0103bb51d1d3e1fb5fd67958612e709f883",
"versionType": "git"
},
{
"lessThan": "bc16fc63592c419357dd4c4d82d50762102a60ef",
"status": "affected",
"version": "7b8fc0103bb51d1d3e1fb5fd67958612e709f883",
"versionType": "git"
},
{
"lessThan": "6a940abdef3162e5723f1495b8a49859d1708f79",
"status": "affected",
"version": "7b8fc0103bb51d1d3e1fb5fd67958612e709f883",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: do not assume skb mac_header is set\n\nDrivers must not assume in their ndo_start_xmit() that\nskbs have their mac_header set. skb-\u003edata is all what is needed.\n\nbonding seems to be one of the last offender as caught by syzbot:\n\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skb_mac_offset include/linux/skbuff.h:2913 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 __bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470\nModules linked in:\nCPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\nRIP: 0010:skb_mac_header include/linux/skbuff.h:2907 [inline]\nRIP: 0010:skb_mac_offset include/linux/skbuff.h:2913 [inline]\nRIP: 0010:bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]\nRIP: 0010:bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]\nRIP: 0010:bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]\nRIP: 0010:__bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]\nRIP: 0010:bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470\nCode: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe \u003c0f\u003e 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e fe\nRSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283\nRAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000\nRDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6\nRBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584\nR10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7e\nR13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76\nFS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n[\u003cffffffff8471a49f\u003e] netdev_start_xmit include/linux/netdevice.h:4925 [inline]\n[\u003cffffffff8471a49f\u003e] __dev_direct_xmit+0x4ef/0x850 net/core/dev.c:4380\n[\u003cffffffff851d845b\u003e] dev_direct_xmit include/linux/netdevice.h:3043 [inline]\n[\u003cffffffff851d845b\u003e] packet_direct_xmit+0x18b/0x300 net/packet/af_packet.c:284\n[\u003cffffffff851c7472\u003e] packet_snd net/packet/af_packet.c:3112 [inline]\n[\u003cffffffff851c7472\u003e] packet_sendmsg+0x4a22/0x64d0 net/packet/af_packet.c:3143\n[\u003cffffffff8467a4b2\u003e] sock_sendmsg_nosec net/socket.c:716 [inline]\n[\u003cffffffff8467a4b2\u003e] sock_sendmsg net/socket.c:736 [inline]\n[\u003cffffffff8467a4b2\u003e] __sys_sendto+0x472/0x5f0 net/socket.c:2139\n[\u003cffffffff8467a715\u003e] __do_sys_sendto net/socket.c:2151 [inline]\n[\u003cffffffff8467a715\u003e] __se_sys_sendto net/socket.c:2147 [inline]\n[\u003cffffffff8467a715\u003e] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147\n[\u003cffffffff8553071f\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[\u003cffffffff8553071f\u003e] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80\n[\u003cffffffff85600087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:12.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/029d892b05fc5e42a1b1c0665f62cb3e4b23e6dc"
},
{
"url": "https://git.kernel.org/stable/c/37b6143376a578265add04f35161b257eeb84a5e"
},
{
"url": "https://git.kernel.org/stable/c/c96cc3d9acaca53d9a81c884c23f1224b61c829b"
},
{
"url": "https://git.kernel.org/stable/c/bc16fc63592c419357dd4c4d82d50762102a60ef"
},
{
"url": "https://git.kernel.org/stable/c/6a940abdef3162e5723f1495b8a49859d1708f79"
}
],
"title": "bonding: do not assume skb mac_header is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53601",
"datePublished": "2025-10-04T15:44:12.477Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:12.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53674 (GCVE-0-2023-53674)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: Fix memory leak in devm_clk_notifier_register()
devm_clk_notifier_register() allocates a devres resource for clk
notifier but didn't register that to the device, so the notifier didn't
get unregistered on device detach and the allocated resource was leaked.
Fix the issue by registering the resource through devres_add().
This issue was found with kmemleak on a Chromebook.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a326cf0107b197e649bbaa2a2b1355894826ce32",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "49451db71b746df990888068961f1033f7c9b734",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "cb1b04fd4283fc8f9acefe0ddc61ba072ed44877",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "efbbda79b2881a04dcd0e8f28634933d79e17e49",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
},
{
"lessThan": "7fb933e56f77a57ef7cfc59fc34cbbf1b1fa31ff",
"status": "affected",
"version": "6d30d50d037dfa092f9d5d1fffa348ab4abb7163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix memory leak in devm_clk_notifier_register()\n\ndevm_clk_notifier_register() allocates a devres resource for clk\nnotifier but didn\u0027t register that to the device, so the notifier didn\u0027t\nget unregistered on device detach and the allocated resource was leaked.\n\nFix the issue by registering the resource through devres_add().\n\nThis issue was found with kmemleak on a Chromebook."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:30.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a326cf0107b197e649bbaa2a2b1355894826ce32"
},
{
"url": "https://git.kernel.org/stable/c/49451db71b746df990888068961f1033f7c9b734"
},
{
"url": "https://git.kernel.org/stable/c/cb1b04fd4283fc8f9acefe0ddc61ba072ed44877"
},
{
"url": "https://git.kernel.org/stable/c/efbbda79b2881a04dcd0e8f28634933d79e17e49"
},
{
"url": "https://git.kernel.org/stable/c/7fb933e56f77a57ef7cfc59fc34cbbf1b1fa31ff"
}
],
"title": "clk: Fix memory leak in devm_clk_notifier_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53674",
"datePublished": "2025-10-07T15:21:30.320Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:30.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47674 (GCVE-0-2024-47674)
Vulnerability from cvelistv5
Published
2024-10-15 10:48
Modified
2025-11-03 22:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: avoid leaving partial pfn mappings around in error case
As Jann points out, PFN mappings are special, because unlike normal
memory mappings, there is no lifetime information associated with the
mapping - it is just a raw mapping of PFNs with no reference counting of
a 'struct page'.
That's all very much intentional, but it does mean that it's easy to
mess up the cleanup in case of errors. Yes, a failed mmap() will always
eventually clean up any partial mappings, but without any explicit
lifetime in the page table mapping itself, it's very easy to do the
error handling in the wrong order.
In particular, it's easy to mistakenly free the physical backing store
before the page tables are actually cleaned up and (temporarily) have
stale dangling PTE entries.
To make this situation less error-prone, just make sure that any partial
pfn mapping is torn down early, before any other error handling.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T12:44:14.464782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T12:44:33.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:20:42.071Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3213fdcab961026203dd587a4533600c70b3336b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35770ca6180caa24a2b258c99a87bd437a1ee10f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65d0db500d7c07f0f76fc24a4d837791c4862cd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a95a24fcaee1b892e47d5e6dcc403f713874ee80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "954fd4c81f22c4b6ba65379a81fd252971bf4ef3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79a61cc3fc0466ad2b7b89618a6157785f0293b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid leaving partial pfn mappings around in error case\n\nAs Jann points out, PFN mappings are special, because unlike normal\nmemory mappings, there is no lifetime information associated with the\nmapping - it is just a raw mapping of PFNs with no reference counting of\na \u0027struct page\u0027.\n\nThat\u0027s all very much intentional, but it does mean that it\u0027s easy to\nmess up the cleanup in case of errors. Yes, a failed mmap() will always\neventually clean up any partial mappings, but without any explicit\nlifetime in the page table mapping itself, it\u0027s very easy to do the\nerror handling in the wrong order.\n\nIn particular, it\u0027s easy to mistakenly free the physical backing store\nbefore the page tables are actually cleaned up and (temporarily) have\nstale dangling PTE entries.\n\nTo make this situation less error-prone, just make sure that any partial\npfn mapping is torn down early, before any other error handling."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:36:57.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3213fdcab961026203dd587a4533600c70b3336b"
},
{
"url": "https://git.kernel.org/stable/c/35770ca6180caa24a2b258c99a87bd437a1ee10f"
},
{
"url": "https://git.kernel.org/stable/c/5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959"
},
{
"url": "https://git.kernel.org/stable/c/65d0db500d7c07f0f76fc24a4d837791c4862cd2"
},
{
"url": "https://git.kernel.org/stable/c/a95a24fcaee1b892e47d5e6dcc403f713874ee80"
},
{
"url": "https://git.kernel.org/stable/c/954fd4c81f22c4b6ba65379a81fd252971bf4ef3"
},
{
"url": "https://git.kernel.org/stable/c/79a61cc3fc0466ad2b7b89618a6157785f0293b3"
},
{
"url": "https://project-zero.issues.chromium.org/issues/366053091"
}
],
"title": "mm: avoid leaving partial pfn mappings around in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47674",
"datePublished": "2024-10-15T10:48:33.481Z",
"dateReserved": "2024-09-30T16:00:12.937Z",
"dateUpdated": "2025-11-03T22:20:42.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39763 (GCVE-0-2025-39763)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered
If a synchronous error is detected as a result of user-space process
triggering a 2-bit uncorrected error, the CPU will take a synchronous
error exception such as Synchronous External Abort (SEA) on Arm64. The
kernel will queue a memory_failure() work which poisons the related
page, unmaps the page, and then sends a SIGBUS to the process, so that
a system wide panic can be avoided.
However, no memory_failure() work will be queued when abnormal
synchronous errors occur. These errors can include situations like
invalid PA, unexpected severity, no memory failure config support,
invalid GUID section, etc. In such a case, the user-space process will
trigger SEA again. This loop can potentially exceed the platform
firmware threshold or even trigger a kernel hard lockup, leading to a
system reboot.
Fix it by performing a force kill if no memory_failure() work is queued
for synchronous errors.
[ rjw: Changelog edits ]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "082735fbcdb6cd0cf20fbec94516ab2996f1cdd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfc9bc15bda6fd0c496cbe2c628564d4d7c332c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af089e41811a1ad6a7b2b80e839a73ec4c3cecdd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3cb4f18797247985b0f51d5300f8cb6c78f343ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered\n\nIf a synchronous error is detected as a result of user-space process\ntriggering a 2-bit uncorrected error, the CPU will take a synchronous\nerror exception such as Synchronous External Abort (SEA) on Arm64. The\nkernel will queue a memory_failure() work which poisons the related\npage, unmaps the page, and then sends a SIGBUS to the process, so that\na system wide panic can be avoided.\n\nHowever, no memory_failure() work will be queued when abnormal\nsynchronous errors occur. These errors can include situations like\ninvalid PA, unexpected severity, no memory failure config support,\ninvalid GUID section, etc. In such a case, the user-space process will\ntrigger SEA again. This loop can potentially exceed the platform\nfirmware threshold or even trigger a kernel hard lockup, leading to a\nsystem reboot.\n\nFix it by performing a force kill if no memory_failure() work is queued\nfor synchronous errors.\n\n[ rjw: Changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:55.211Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/082735fbcdb6cd0cf20fbec94516ab2996f1cdd5"
},
{
"url": "https://git.kernel.org/stable/c/cfc9bc15bda6fd0c496cbe2c628564d4d7c332c1"
},
{
"url": "https://git.kernel.org/stable/c/af089e41811a1ad6a7b2b80e839a73ec4c3cecdd"
},
{
"url": "https://git.kernel.org/stable/c/3cb4f18797247985b0f51d5300f8cb6c78f343ea"
},
{
"url": "https://git.kernel.org/stable/c/79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060"
}
],
"title": "ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39763",
"datePublished": "2025-09-11T16:52:31.350Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2025-09-29T05:58:55.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50472 (GCVE-0-2022-50472)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/mad: Don't call to function that might sleep while in atomic context
Tracepoints are not allowed to sleep, as such the following splat is
generated due to call to ib_query_pkey() in atomic context.
WARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220
CPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:rb_commit+0xc1/0x220
RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202
RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246
RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0
Call Trace:
ring_buffer_unlock_commit+0x1d/0xa0
trace_buffer_unlock_commit_regs+0x3b/0x1b0
trace_event_buffer_commit+0x67/0x1d0
trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]
ib_mad_recv_done+0x48b/0xc10 [ib_core]
? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]
__ib_process_cq+0x91/0x1c0 [ib_core]
ib_cq_poll_work+0x26/0x80 [ib_core]
process_one_work+0x1a7/0x360
? create_worker+0x1a0/0x1a0
worker_thread+0x30/0x390
? create_worker+0x1a0/0x1a0
kthread+0x116/0x130
? kthread_flush_work_fn+0x10/0x10
ret_from_fork+0x35/0x40
---[ end trace 78ba8509d3830a16 ]---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/mad.c",
"include/trace/events/ib_mad.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47e31b86edff36f2d26cbc88ce695d98ff804178",
"status": "affected",
"version": "821bf1de45a1a084e2e11b1a2308777434194bfe",
"versionType": "git"
},
{
"lessThan": "cea70a572c0cb9728d728cfebe7d5bd485e97513",
"status": "affected",
"version": "821bf1de45a1a084e2e11b1a2308777434194bfe",
"versionType": "git"
},
{
"lessThan": "fa8a2f3be78e4585996bcf4c15e4504441a4c7a0",
"status": "affected",
"version": "821bf1de45a1a084e2e11b1a2308777434194bfe",
"versionType": "git"
},
{
"lessThan": "5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3",
"status": "affected",
"version": "821bf1de45a1a084e2e11b1a2308777434194bfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/mad.c",
"include/trace/events/ib_mad.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mad: Don\u0027t call to function that might sleep while in atomic context\n\nTracepoints are not allowed to sleep, as such the following splat is\ngenerated due to call to ib_query_pkey() in atomic context.\n\nWARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220\nCPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1\n Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:rb_commit+0xc1/0x220\n RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202\n RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246\n RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246\n R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0\n Call Trace:\n ring_buffer_unlock_commit+0x1d/0xa0\n trace_buffer_unlock_commit_regs+0x3b/0x1b0\n trace_event_buffer_commit+0x67/0x1d0\n trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]\n ib_mad_recv_done+0x48b/0xc10 [ib_core]\n ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]\n __ib_process_cq+0x91/0x1c0 [ib_core]\n ib_cq_poll_work+0x26/0x80 [ib_core]\n process_one_work+0x1a7/0x360\n ? create_worker+0x1a0/0x1a0\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x35/0x40\n ---[ end trace 78ba8509d3830a16 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:34.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47e31b86edff36f2d26cbc88ce695d98ff804178"
},
{
"url": "https://git.kernel.org/stable/c/cea70a572c0cb9728d728cfebe7d5bd485e97513"
},
{
"url": "https://git.kernel.org/stable/c/fa8a2f3be78e4585996bcf4c15e4504441a4c7a0"
},
{
"url": "https://git.kernel.org/stable/c/5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3"
}
],
"title": "IB/mad: Don\u0027t call to function that might sleep while in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50472",
"datePublished": "2025-10-04T15:16:34.180Z",
"dateReserved": "2025-10-04T15:13:33.466Z",
"dateUpdated": "2025-10-04T15:16:34.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53189 (GCVE-0-2023-53189)
Vulnerability from cvelistv5
Published
2025-09-15 14:05
Modified
2025-09-15 14:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6/addrconf: fix a potential refcount underflow for idev
Now in addrconf_mod_rs_timer(), reference idev depends on whether
rs_timer is not pending. Then modify rs_timer timeout.
There is a time gap in [1], during which if the pending rs_timer
becomes not pending. It will miss to hold idev, but the rs_timer
is activated. Thus rs_timer callback function addrconf_rs_timer()
will be executed and put idev later without holding idev. A refcount
underflow issue for idev can be caused by this.
if (!timer_pending(&idev->rs_timer))
in6_dev_hold(idev);
<--------------[1]
mod_timer(&idev->rs_timer, jiffies + when);
To fix the issue, hold idev if mod_timer() return 0.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: b7b1bfce0bb68bd8f6e62a28295922785cc63781 Version: 973d5956f754cfc306f5e274d71503498f4b0324 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6395e32935d35e6f935e7caf1c2dac5a95943b4",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "df62fdcd004afa72ecbed0e862ebb983acd3aa57",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "c7eeba47058532f6077d6a658e38b6698f6ae71a",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "2ad31ce40e8182860b631e37209e93e543790b7c",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "82abd1c37d3bf2a2658b34772c17a25a6f9cca42",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "436b7cc7eae7851c184b671ed7a4a64c750b86f7",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "1f656e483eb4733d62f18dfb206a49b78f60f495",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"lessThan": "06a0716949c22e2aefb648526580671197151acc",
"status": "affected",
"version": "b7b1bfce0bb68bd8f6e62a28295922785cc63781",
"versionType": "git"
},
{
"status": "affected",
"version": "973d5956f754cfc306f5e274d71503498f4b0324",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6/addrconf: fix a potential refcount underflow for idev\n\nNow in addrconf_mod_rs_timer(), reference idev depends on whether\nrs_timer is not pending. Then modify rs_timer timeout.\n\nThere is a time gap in [1], during which if the pending rs_timer\nbecomes not pending. It will miss to hold idev, but the rs_timer\nis activated. Thus rs_timer callback function addrconf_rs_timer()\nwill be executed and put idev later without holding idev. A refcount\nunderflow issue for idev can be caused by this.\n\n\tif (!timer_pending(\u0026idev-\u003ers_timer))\n\t\tin6_dev_hold(idev);\n\t\t \u003c--------------[1]\n\tmod_timer(\u0026idev-\u003ers_timer, jiffies + when);\n\nTo fix the issue, hold idev if mod_timer() return 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:05:26.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6395e32935d35e6f935e7caf1c2dac5a95943b4"
},
{
"url": "https://git.kernel.org/stable/c/df62fdcd004afa72ecbed0e862ebb983acd3aa57"
},
{
"url": "https://git.kernel.org/stable/c/c7eeba47058532f6077d6a658e38b6698f6ae71a"
},
{
"url": "https://git.kernel.org/stable/c/2ad31ce40e8182860b631e37209e93e543790b7c"
},
{
"url": "https://git.kernel.org/stable/c/82abd1c37d3bf2a2658b34772c17a25a6f9cca42"
},
{
"url": "https://git.kernel.org/stable/c/436b7cc7eae7851c184b671ed7a4a64c750b86f7"
},
{
"url": "https://git.kernel.org/stable/c/1f656e483eb4733d62f18dfb206a49b78f60f495"
},
{
"url": "https://git.kernel.org/stable/c/06a0716949c22e2aefb648526580671197151acc"
}
],
"title": "ipv6/addrconf: fix a potential refcount underflow for idev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53189",
"datePublished": "2025-09-15T14:05:26.685Z",
"dateReserved": "2025-09-15T13:59:19.066Z",
"dateUpdated": "2025-09-15T14:05:26.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53275 (GCVE-0-2023-53275)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()
The variable codec->regmap is often protected by the lock
codec->regmap_lock when is accessed. However, it is accessed without
holding the lock when is accessed in snd_hdac_regmap_sync():
if (codec->regmap)
In my opinion, this may be a harmful race, because if codec->regmap is
set to NULL right after the condition is checked, a null-pointer
dereference can occur in the called function regcache_sync():
map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c
To fix this possible null-pointer dereference caused by data race, the
mutex_lock coverage is extended to protect the if statement as well as the
function call to regcache_sync().
[ Note: the lack of the regmap_lock itself is harmless for the current
codec driver implementations, as snd_hdac_regmap_sync() is only for
PM runtime resume that is prohibited during the codec probe.
But the change makes the whole code more consistent, so it's merged
as is -- tiwai ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/hdac_regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "109f0aaa0b8838a88af9125b79579023539300a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f9eed451176ffcac6b5ba0f6dae1a6b4a1cb0eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8703b26387e1fa4f8749db98d24c67617b873acb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cdd412b528dee6e0851c4735d6676ec138da13a4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b32e40379e5b2814de0c4bc199edc2d82317dc07",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1f4a08fed450db87fbb5ff5105354158bdbe1a22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/hdac_regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()\n\nThe variable codec-\u003eregmap is often protected by the lock\ncodec-\u003eregmap_lock when is accessed. However, it is accessed without\nholding the lock when is accessed in snd_hdac_regmap_sync():\n\n if (codec-\u003eregmap)\n\nIn my opinion, this may be a harmful race, because if codec-\u003eregmap is\nset to NULL right after the condition is checked, a null-pointer\ndereference can occur in the called function regcache_sync():\n\n map-\u003elock(map-\u003elock_arg); --\u003e Line 360 in drivers/base/regmap/regcache.c\n\nTo fix this possible null-pointer dereference caused by data race, the\nmutex_lock coverage is extended to protect the if statement as well as the\nfunction call to regcache_sync().\n\n[ Note: the lack of the regmap_lock itself is harmless for the current\n codec driver implementations, as snd_hdac_regmap_sync() is only for\n PM runtime resume that is prohibited during the codec probe.\n But the change makes the whole code more consistent, so it\u0027s merged\n as is -- tiwai ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:10.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/109f0aaa0b8838a88af9125b79579023539300a7"
},
{
"url": "https://git.kernel.org/stable/c/9f9eed451176ffcac6b5ba0f6dae1a6b4a1cb0eb"
},
{
"url": "https://git.kernel.org/stable/c/8703b26387e1fa4f8749db98d24c67617b873acb"
},
{
"url": "https://git.kernel.org/stable/c/cdd412b528dee6e0851c4735d6676ec138da13a4"
},
{
"url": "https://git.kernel.org/stable/c/b32e40379e5b2814de0c4bc199edc2d82317dc07"
},
{
"url": "https://git.kernel.org/stable/c/1f4a08fed450db87fbb5ff5105354158bdbe1a22"
}
],
"title": "ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53275",
"datePublished": "2025-09-16T08:11:10.475Z",
"dateReserved": "2025-09-16T08:09:37.990Z",
"dateUpdated": "2025-09-16T08:11:10.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53553 (GCVE-0-2023-53553)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hyperv: avoid struct memcpy overrun warning
A previous patch addressed the fortified memcpy warning for most
builds, but I still see this one with gcc-9:
In file included from include/linux/string.h:254,
from drivers/hid/hid-hyperv.c:8:
In function 'fortify_memcpy_chk',
inlined from 'mousevsc_on_receive' at drivers/hid/hid-hyperv.c:272:3:
include/linux/fortify-string.h:583:4: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
583 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My guess is that the WARN_ON() itself is what confuses gcc, so it no
longer sees that there is a correct range check. Rework the code in a
way that helps readability and avoids the warning.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7902cc5f5b9c95997017c8e309da760fb1deb6e",
"status": "affected",
"version": "542f25a94471570e2594be5b422b9ca572cf88a1",
"versionType": "git"
},
{
"lessThan": "5f151364b1da6bd217632fd4ee8cc24eaf66a497",
"status": "affected",
"version": "542f25a94471570e2594be5b422b9ca572cf88a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: avoid struct memcpy overrun warning\n\nA previous patch addressed the fortified memcpy warning for most\nbuilds, but I still see this one with gcc-9:\n\nIn file included from include/linux/string.h:254,\n from drivers/hid/hid-hyperv.c:8:\nIn function \u0027fortify_memcpy_chk\u0027,\n inlined from \u0027mousevsc_on_receive\u0027 at drivers/hid/hid-hyperv.c:272:3:\ninclude/linux/fortify-string.h:583:4: error: call to \u0027__write_overflow_field\u0027 declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]\n 583 | __write_overflow_field(p_size_field, size);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMy guess is that the WARN_ON() itself is what confuses gcc, so it no\nlonger sees that there is a correct range check. Rework the code in a\nway that helps readability and avoids the warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:59.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7902cc5f5b9c95997017c8e309da760fb1deb6e"
},
{
"url": "https://git.kernel.org/stable/c/5f151364b1da6bd217632fd4ee8cc24eaf66a497"
}
],
"title": "HID: hyperv: avoid struct memcpy overrun warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53553",
"datePublished": "2025-10-04T15:16:59.091Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:16:59.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53461 (GCVE-0-2023-53461)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-02 07:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: wait interruptibly for request completions on exit
WHen the ring exits, cleanup is done and the final cancelation and
waiting on completions is done by io_ring_exit_work. That function is
invoked by kworker, which doesn't take any signals. Because of that, it
doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE
or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task
detection checker!
Normally we expect cancelations and completions to happen rather
quickly. Some test cases, however, will exit the ring and park the
owning task stopped (eg via SIGSTOP). If the owning task needs to run
task_work to complete requests, then io_ring_exit_work won't make any
progress until the task is runnable again. Hence io_ring_exit_work can
trigger the hung task detection, which is particularly problematic if
panic-on-hung-task is enabled.
As the ring exit doesn't take signals to begin with, have it wait
interruptibly rather than uninterruptibly. io_uring has a separate
stuck-exit warning that triggers independently anyway, so we're not
really missing anything by making this switch.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28e649dc9947e6525c95e32aa9a8e147925e3f56",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "8e29835366138389bfad3b31ea06960d0a77bf77",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "b50d6e06cca7b67a3d73ca660dda27662b76e6ea",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "58e80cb68b057e974768792c34708c6957810486",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "4826c59453b3b4677d6bf72814e7ababdea86949",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: wait interruptibly for request completions on exit\n\nWHen the ring exits, cleanup is done and the final cancelation and\nwaiting on completions is done by io_ring_exit_work. That function is\ninvoked by kworker, which doesn\u0027t take any signals. Because of that, it\ndoesn\u0027t really matter if we wait for completions in TASK_INTERRUPTIBLE\nor TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task\ndetection checker!\n\nNormally we expect cancelations and completions to happen rather\nquickly. Some test cases, however, will exit the ring and park the\nowning task stopped (eg via SIGSTOP). If the owning task needs to run\ntask_work to complete requests, then io_ring_exit_work won\u0027t make any\nprogress until the task is runnable again. Hence io_ring_exit_work can\ntrigger the hung task detection, which is particularly problematic if\npanic-on-hung-task is enabled.\n\nAs the ring exit doesn\u0027t take signals to begin with, have it wait\ninterruptibly rather than uninterruptibly. io_uring has a separate\nstuck-exit warning that triggers independently anyway, so we\u0027re not\nreally missing anything by making this switch."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T07:04:22.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28e649dc9947e6525c95e32aa9a8e147925e3f56"
},
{
"url": "https://git.kernel.org/stable/c/8e29835366138389bfad3b31ea06960d0a77bf77"
},
{
"url": "https://git.kernel.org/stable/c/b50d6e06cca7b67a3d73ca660dda27662b76e6ea"
},
{
"url": "https://git.kernel.org/stable/c/58e80cb68b057e974768792c34708c6957810486"
},
{
"url": "https://git.kernel.org/stable/c/4826c59453b3b4677d6bf72814e7ababdea86949"
}
],
"title": "io_uring: wait interruptibly for request completions on exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53461",
"datePublished": "2025-10-01T11:42:32.525Z",
"dateReserved": "2025-10-01T11:39:39.399Z",
"dateUpdated": "2025-10-02T07:04:22.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53622 (GCVE-0-2023-53622)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix possible data races in gfs2_show_options()
Some fields such as gt_logd_secs of the struct gfs2_tune are accessed
without holding the lock gt_spin in gfs2_show_options():
val = sdp->sd_tune.gt_logd_secs;
if (val != 30)
seq_printf(s, ",commit=%d", val);
And thus can cause data races when gfs2_show_options() and other functions
such as gfs2_reconfigure() are concurrently executed:
spin_lock(>->gt_spin);
gt->gt_logd_secs = newargs->ar_commit;
To fix these possible data races, the lock sdp->sd_tune.gt_spin is
acquired before accessing the fields of gfs2_tune and released after these
accesses.
Further changes by Andreas:
- Don't hold the spin lock over the seq_printf operations.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e5bbeb7eb813bb2568e1d5d02587df943272e57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "235a5ae73cea29109a3e06f100493f17857e6a93",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b4a7ab57effbed42624842f2ab2a49b177c21a47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c5b2649f6a37d45bfb7abf34c9b71d08677139f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85e888150075cb221270b64bf772341fc6bd11d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4f71523ed2123d63b431cc0cea4e9f363a0f054",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "42077d4de49e4d9c773c97c42d5383b4899a8f9d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6fa0a72cbbe45db4ed967a51f9e6f4e3afe61d20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix possible data races in gfs2_show_options()\n\nSome fields such as gt_logd_secs of the struct gfs2_tune are accessed\nwithout holding the lock gt_spin in gfs2_show_options():\n\n val = sdp-\u003esd_tune.gt_logd_secs;\n if (val != 30)\n seq_printf(s, \",commit=%d\", val);\n\nAnd thus can cause data races when gfs2_show_options() and other functions\nsuch as gfs2_reconfigure() are concurrently executed:\n\n spin_lock(\u0026gt-\u003egt_spin);\n gt-\u003egt_logd_secs = newargs-\u003ear_commit;\n\nTo fix these possible data races, the lock sdp-\u003esd_tune.gt_spin is\nacquired before accessing the fields of gfs2_tune and released after these\naccesses.\n\nFurther changes by Andreas:\n\n- Don\u0027t hold the spin lock over the seq_printf operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:28.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e5bbeb7eb813bb2568e1d5d02587df943272e57"
},
{
"url": "https://git.kernel.org/stable/c/235a5ae73cea29109a3e06f100493f17857e6a93"
},
{
"url": "https://git.kernel.org/stable/c/b4a7ab57effbed42624842f2ab2a49b177c21a47"
},
{
"url": "https://git.kernel.org/stable/c/7c5b2649f6a37d45bfb7abf34c9b71d08677139f"
},
{
"url": "https://git.kernel.org/stable/c/85e888150075cb221270b64bf772341fc6bd11d9"
},
{
"url": "https://git.kernel.org/stable/c/a4f71523ed2123d63b431cc0cea4e9f363a0f054"
},
{
"url": "https://git.kernel.org/stable/c/42077d4de49e4d9c773c97c42d5383b4899a8f9d"
},
{
"url": "https://git.kernel.org/stable/c/6fa0a72cbbe45db4ed967a51f9e6f4e3afe61d20"
}
],
"title": "gfs2: Fix possible data races in gfs2_show_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53622",
"datePublished": "2025-10-07T15:19:28.146Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:28.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53243 (GCVE-0-2023-53243)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
Callers of `btrfs_reduce_alloc_profile` expect it to return exactly
one allocation profile flag, and failing to do so may ultimately
result in a WARN_ON and remount-ro when allocating new blocks, like
the below transaction abort on 6.1.
`btrfs_reduce_alloc_profile` has two ways of determining the profile,
first it checks if a conversion balance is currently running and
uses the profile we're converting to. If no balance is currently
running, it returns the max-redundancy profile which at least one
block in the selected block group has.
This works by simply checking each known allocation profile bit in
redundancy order. However, `btrfs_reduce_alloc_profile` has not been
updated as new flags have been added - first with the `DUP` profile
and later with the RAID1C34 profiles.
Because of the way it checks, if we have blocks with different
profiles and at least one is known, that profile will be selected.
However, if none are known we may return a flag set with multiple
allocation profiles set.
This is currently only possible when a balance from one of the three
unhandled profiles to another of the unhandled profiles is canceled
after allocating at least one block using the new profile.
In that case, a transaction abort like the below will occur and the
filesystem will need to be mounted with -o skip_balance to get it
mounted rw again (but the balance cannot be resumed without a
similar abort).
[770.648] ------------[ cut here ]------------
[770.648] BTRFS: Transaction aborted (error -22)
[770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]
[770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test
[770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
[770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0
[770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)
[770.648] MSR: 9000000002029033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 28848282 XER: 20040000
[770.648] CFAR: c000000000135110 IRQMASK: 0
GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026
GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027
GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8
GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000
GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001
GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800
GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001
[770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]
[770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]
[770.648] Call Trace:
[770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)
[770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]
[770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]
[770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]
[770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]
[770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]
[770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]
[770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]
[770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs]
[770.648] [
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3fbd156bd2cd16e3c64e250ebce33eb9f2ef612",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "12b6d68498982a053a4a7e561a04387e57ca6f1a",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "4fadf53fa95142f01f215012e97c384529759a72",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "1b532748ba00bd2a1d9b09e0d5e81280582c7770",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
},
{
"lessThan": "160fe8f6fdb13da6111677be6263e5d65e875987",
"status": "affected",
"version": "47e6f7423b9196ad6832d26cae52b7015f81ee7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile\n\nCallers of `btrfs_reduce_alloc_profile` expect it to return exactly\none allocation profile flag, and failing to do so may ultimately\nresult in a WARN_ON and remount-ro when allocating new blocks, like\nthe below transaction abort on 6.1.\n\n`btrfs_reduce_alloc_profile` has two ways of determining the profile,\nfirst it checks if a conversion balance is currently running and\nuses the profile we\u0027re converting to. If no balance is currently\nrunning, it returns the max-redundancy profile which at least one\nblock in the selected block group has.\n\nThis works by simply checking each known allocation profile bit in\nredundancy order. However, `btrfs_reduce_alloc_profile` has not been\nupdated as new flags have been added - first with the `DUP` profile\nand later with the RAID1C34 profiles.\n\nBecause of the way it checks, if we have blocks with different\nprofiles and at least one is known, that profile will be selected.\nHowever, if none are known we may return a flag set with multiple\nallocation profiles set.\n\nThis is currently only possible when a balance from one of the three\nunhandled profiles to another of the unhandled profiles is canceled\nafter allocating at least one block using the new profile.\n\nIn that case, a transaction abort like the below will occur and the\nfilesystem will need to be mounted with -o skip_balance to get it\nmounted rw again (but the balance cannot be resumed without a\nsimilar abort).\n\n [770.648] ------------[ cut here ]------------\n [770.648] BTRFS: Transaction aborted (error -22)\n [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]\n [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test\n [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0\n [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)\n [770.648] MSR: 9000000002029033 \u003cSF,HV,VEC,EE,ME,IR,DR,RI,LE\u003e CR: 28848282 XER: 20040000\n [770.648] CFAR: c000000000135110 IRQMASK: 0\n\t GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026\n\t GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027\n\t GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8\n\t GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000\n\t GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000\n\t GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001\n\t GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800\n\t GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001\n [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]\n [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]\n [770.648] Call Trace:\n [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)\n [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]\n [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]\n [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]\n [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]\n [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]\n [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]\n [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]\n [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs]\n [770.648] [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:11.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3fbd156bd2cd16e3c64e250ebce33eb9f2ef612"
},
{
"url": "https://git.kernel.org/stable/c/12b6d68498982a053a4a7e561a04387e57ca6f1a"
},
{
"url": "https://git.kernel.org/stable/c/4fadf53fa95142f01f215012e97c384529759a72"
},
{
"url": "https://git.kernel.org/stable/c/1b532748ba00bd2a1d9b09e0d5e81280582c7770"
},
{
"url": "https://git.kernel.org/stable/c/160fe8f6fdb13da6111677be6263e5d65e875987"
}
],
"title": "btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53243",
"datePublished": "2025-09-15T14:46:11.637Z",
"dateReserved": "2025-09-15T14:19:21.848Z",
"dateUpdated": "2025-09-15T14:46:11.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38000 (GCVE-0-2025-38000)
Vulnerability from cvelistv5
Published
2025-06-06 13:03
Modified
2025-11-03 17:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch->q.qlen and
sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
trigger an immediate dequeue and potential packet drop. In such cases,
qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
have not yet been updated, leading to inconsistent queue accounting. This
can leave an empty HFSC class in the active list, causing further
consequences like use-after-free.
This patch fixes the bug by moving the increment of sch->q.qlen and
sch->qstats.backlog before the call to the child qdisc's peek() operation.
This ensures that queue length and backlog are always accurate when packet
drops or dequeues are triggered during the peek.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 Version: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:32:58.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1034e3310752e8675e313f7271b348914008719a",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "89c301e929a0db14ebd94b4d97764ce1d6981653",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "93c276942e75de0e5bc91576300d292e968f5a02",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
},
{
"lessThan": "3f981138109f63232a5fb7165938d4c945cc1b9d",
"status": "affected",
"version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc\u0027s peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc\u0027s qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc\u0027s peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T13:03:35.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"
},
{
"url": "https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"
},
{
"url": "https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"
},
{
"url": "https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"
},
{
"url": "https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"
},
{
"url": "https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"
},
{
"url": "https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"
},
{
"url": "https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"
}
],
"title": "sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38000",
"datePublished": "2025-06-06T13:03:35.405Z",
"dateReserved": "2025-04-16T04:51:23.976Z",
"dateUpdated": "2025-11-03T17:32:58.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38712 (GCVE-0-2025-38712)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
When the volume header contains erroneous values that do not reflect
the actual state of the filesystem, hfsplus_fill_super() assumes that
the attributes file is not yet created, which later results in hitting
BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
BUG_ON() with -EIO error with a message to suggest running fsck tool.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:42.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb0eea8e375677f586ad11c12e2525ed3fc698c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9046566fa692f88954dac8c510f37ee17a15fdb7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "03cd1db1494cf930e2fa042c9c13e32bffdb4eba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dee5c668ad71ddbcb4b48d95e8a4f371314ad41d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3359392b75395a31af739a761f48f4041148226",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d768e3ed430e89a699bf89d3214dcbbf4648c939",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce5e387f396cbb5c061d9837abcac731e9e06f4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c7c6363ca186747ebc2df10c8a1a51e66e0e32d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: don\u0027t use BUG_ON() in hfsplus_create_attributes_file()\n\nWhen the volume header contains erroneous values that do not reflect\nthe actual state of the filesystem, hfsplus_fill_super() assumes that\nthe attributes file is not yet created, which later results in hitting\nBUG_ON() when hfsplus_create_attributes_file() is called. Replace this\nBUG_ON() with -EIO error with a message to suggest running fsck tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:34.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb0eea8e375677f586ad11c12e2525ed3fc698c2"
},
{
"url": "https://git.kernel.org/stable/c/9046566fa692f88954dac8c510f37ee17a15fdb7"
},
{
"url": "https://git.kernel.org/stable/c/03cd1db1494cf930e2fa042c9c13e32bffdb4eba"
},
{
"url": "https://git.kernel.org/stable/c/dee5c668ad71ddbcb4b48d95e8a4f371314ad41d"
},
{
"url": "https://git.kernel.org/stable/c/b3359392b75395a31af739a761f48f4041148226"
},
{
"url": "https://git.kernel.org/stable/c/1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6"
},
{
"url": "https://git.kernel.org/stable/c/d768e3ed430e89a699bf89d3214dcbbf4648c939"
},
{
"url": "https://git.kernel.org/stable/c/ce5e387f396cbb5c061d9837abcac731e9e06f4d"
},
{
"url": "https://git.kernel.org/stable/c/c7c6363ca186747ebc2df10c8a1a51e66e0e32d9"
}
],
"title": "hfsplus: don\u0027t use BUG_ON() in hfsplus_create_attributes_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38712",
"datePublished": "2025-09-04T15:33:02.530Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:42.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39794 (GCVE-0-2025-39794)
Vulnerability from cvelistv5
Published
2025-09-12 15:59
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: tegra: Use I/O memcpy to write to IRAM
Kasan crashes the kernel trying to check boundaries when using the
normal memcpy.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:26.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-tegra/reset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b28c1a14accc79ead1e87bbdae53309da60be1e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "75a3bdfeed2f129a2c7d9fd7779382b78e35b014",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2499b0ac908eefbb8a217aae609b7a5b5174f330",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "387435f4833f97aabfd74434ee526e31e8a626ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46b3a7a3a36d5833f14914d1b95c69d28c6a76d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "96d6605bf0561d6e568b1dd9265a0f73b5b94f51",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30ef45b89a5961cdecf907ecff1ef3374d1de510",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-tegra/reset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: tegra: Use I/O memcpy to write to IRAM\n\nKasan crashes the kernel trying to check boundaries when using the\nnormal memcpy."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:34.486Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b28c1a14accc79ead1e87bbdae53309da60be1e7"
},
{
"url": "https://git.kernel.org/stable/c/75a3bdfeed2f129a2c7d9fd7779382b78e35b014"
},
{
"url": "https://git.kernel.org/stable/c/2499b0ac908eefbb8a217aae609b7a5b5174f330"
},
{
"url": "https://git.kernel.org/stable/c/387435f4833f97aabfd74434ee526e31e8a626ea"
},
{
"url": "https://git.kernel.org/stable/c/46b3a7a3a36d5833f14914d1b95c69d28c6a76d6"
},
{
"url": "https://git.kernel.org/stable/c/9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87"
},
{
"url": "https://git.kernel.org/stable/c/96d6605bf0561d6e568b1dd9265a0f73b5b94f51"
},
{
"url": "https://git.kernel.org/stable/c/30ef45b89a5961cdecf907ecff1ef3374d1de510"
},
{
"url": "https://git.kernel.org/stable/c/398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1"
}
],
"title": "ARM: tegra: Use I/O memcpy to write to IRAM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39794",
"datePublished": "2025-09-12T15:59:31.226Z",
"dateReserved": "2025-04-16T07:20:57.132Z",
"dateUpdated": "2025-11-03T17:43:26.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39881 (GCVE-0-2025-39881)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0
Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368
Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548
Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure
The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
- Releases PSI triggers via cgroup_file_release()
- Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv
epolling disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true echo 0 > cgroup.pressure
... cgroup_file_show
kernfs_show
// inactive kn
kernfs_drain_open_files
cft->release(of);
kfree(ctx);
...
kernfs_get_active = false
echo 1 > cgroup.pressure
kernfs_show
kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)
To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain active references. This function will fail if the open file
has been released. Replace kernfs_get_active() with kernfs_get_active_of()
to prevent further operations on released file descriptors.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:23.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34d9cafd469c69ad85e6a36b4303c78382cf5c79",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "854baafc00c433cccbe0ab4231b77aeb9b637b77",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "7e64474aba78d240f7804f48f2d454dcca78b15f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "ac5cda4fae8818cf1963317bb699f7f2f85b60af",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\n - Releases PSI triggers via cgroup_file_release()\n - Frees of-\u003epriv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 \u003e cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft-\u003erelease(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 \u003e cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:40.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79"
},
{
"url": "https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77"
},
{
"url": "https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f"
},
{
"url": "https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af"
},
{
"url": "https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"
}
],
"title": "kernfs: Fix UAF in polling when open file is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39881",
"datePublished": "2025-09-23T06:00:50.496Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:23.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53291 (GCVE-0-2023-53291)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale
Running the 'kfree_rcu_test' test case [1] results in a splat [2].
The root cause is the kfree_scale_thread thread(s) continue running
after unloading the rcuscale module. This commit fixes that isue by
invoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing
the rcuscale module.
[1] modprobe rcuscale kfree_rcu_test=1
// After some time
rmmod rcuscale
rmmod torture
[2] BUG: unable to handle page fault for address: ffffffffc0601a87
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0
Oops: 0010 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:0xffffffffc0601a87
Code: Unable to access opcode bytes at 0xffffffffc0601a5d.
RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de
RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe
FS: 0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? kvfree_call_rcu+0xf0/0x3a0
? kthread+0xf3/0x120
? kthread_complete_and_exit+0x20/0x20
? ret_from_fork+0x1f/0x30
</TASK>
Modules linked in: rfkill sunrpc ... [last unloaded: torture]
CR2: ffffffffc0601a87
---[ end trace 0000000000000000 ]---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 Version: e6e78b004fa7e0ab455d46d27f218bf6ce178a18 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/rcuscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "604d6a5ff718874904b0fe614878a42b42c0d699",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
},
{
"lessThan": "f766d45ab294871a3d588ee76c666852f151cad9",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
},
{
"lessThan": "b8a6ba524d41f4da102e65f90498d9a910839621",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
},
{
"lessThan": "1dd7547c7610723b2b6afe1a3c4ddb2bde63387c",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
},
{
"lessThan": "29b1da4f90fc42c91beb4e400d926194925ad31b",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
},
{
"lessThan": "23fc8df26dead16687ae6eb47b0561a4a832e2f6",
"status": "affected",
"version": "e6e78b004fa7e0ab455d46d27f218bf6ce178a18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/rcuscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale\n\nRunning the \u0027kfree_rcu_test\u0027 test case [1] results in a splat [2].\nThe root cause is the kfree_scale_thread thread(s) continue running\nafter unloading the rcuscale module. This commit fixes that isue by\ninvoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing\nthe rcuscale module.\n\n[1] modprobe rcuscale kfree_rcu_test=1\n // After some time\n rmmod rcuscale\n rmmod torture\n\n[2] BUG: unable to handle page fault for address: ffffffffc0601a87\n #PF: supervisor instruction fetch in kernel mode\n #PF: error_code(0x0010) - not-present page\n PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0\n Oops: 0010 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:0xffffffffc0601a87\n Code: Unable to access opcode bytes at 0xffffffffc0601a5d.\n RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297\n RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de\n RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\n R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe\n FS: 0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? kvfree_call_rcu+0xf0/0x3a0\n ? kthread+0xf3/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ? ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n Modules linked in: rfkill sunrpc ... [last unloaded: torture]\n CR2: ffffffffc0601a87\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:23.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/604d6a5ff718874904b0fe614878a42b42c0d699"
},
{
"url": "https://git.kernel.org/stable/c/f766d45ab294871a3d588ee76c666852f151cad9"
},
{
"url": "https://git.kernel.org/stable/c/b8a6ba524d41f4da102e65f90498d9a910839621"
},
{
"url": "https://git.kernel.org/stable/c/1dd7547c7610723b2b6afe1a3c4ddb2bde63387c"
},
{
"url": "https://git.kernel.org/stable/c/29b1da4f90fc42c91beb4e400d926194925ad31b"
},
{
"url": "https://git.kernel.org/stable/c/23fc8df26dead16687ae6eb47b0561a4a832e2f6"
}
],
"title": "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53291",
"datePublished": "2025-09-16T08:11:23.666Z",
"dateReserved": "2025-09-16T08:09:37.992Z",
"dateUpdated": "2025-09-16T08:11:23.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53429 (GCVE-0-2023-53429)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't check PageError in __extent_writepage
__extent_writepage currenly sets PageError whenever any error happens,
and the also checks for PageError to decide if to call error handling.
This leads to very unclear responsibility for cleaning up on errors.
In the VM and generic writeback helpers the basic idea is that once
I/O is fired off all error handling responsibility is delegated to the
end I/O handler. But if that end I/O handler sets the PageError bit,
and the submitter checks it, the bit could in some cases leak into the
submission context for fast enough I/O.
Fix this by simply not checking PageError and just using the local
ret variable to check for submission errors. This also fundamentally
solves the long problem documented in a comment in __extent_writepage
by never leaking the error bit into the submission context.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d40be032ecd8ee1ca033bee43c7755d21fb4d72a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e92499e3b004baffb479d61e191b41b604ece9a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t check PageError in __extent_writepage\n\n__extent_writepage currenly sets PageError whenever any error happens,\nand the also checks for PageError to decide if to call error handling.\nThis leads to very unclear responsibility for cleaning up on errors.\nIn the VM and generic writeback helpers the basic idea is that once\nI/O is fired off all error handling responsibility is delegated to the\nend I/O handler. But if that end I/O handler sets the PageError bit,\nand the submitter checks it, the bit could in some cases leak into the\nsubmission context for fast enough I/O.\n\nFix this by simply not checking PageError and just using the local\nret variable to check for submission errors. This also fundamentally\nsolves the long problem documented in a comment in __extent_writepage\nby never leaking the error bit into the submission context."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:10.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d40be032ecd8ee1ca033bee43c7755d21fb4d72a"
},
{
"url": "https://git.kernel.org/stable/c/3e92499e3b004baffb479d61e191b41b604ece9a"
}
],
"title": "btrfs: don\u0027t check PageError in __extent_writepage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53429",
"datePublished": "2025-09-18T16:04:10.298Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2025-09-18T16:04:10.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39971 (GCVE-0-2025-39971)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in config queues msg
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ff2af78343eceb0f77ab1a2fe802183bc21648",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f5f91d164af22e7147130ef8bebbdb28d8ecc6e2",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "1fa0aadade34481c567cdf4a897c0d4e4d548bd1",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "8b9c7719b0987b1c6c5fc910599f3618a558dbde",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "2cc26dac0518d2fa9b67ec813ee60e183480f98a",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "5c1f96123113e0bdc6d8dc2b0830184c93da9f65",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f1ad24c5abe1eaef69158bac1405a74b3c365115",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in config queues msg\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_vc_config_queues_msg()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ff2af78343eceb0f77ab1a2fe802183bc21648"
},
{
"url": "https://git.kernel.org/stable/c/f5f91d164af22e7147130ef8bebbdb28d8ecc6e2"
},
{
"url": "https://git.kernel.org/stable/c/1fa0aadade34481c567cdf4a897c0d4e4d548bd1"
},
{
"url": "https://git.kernel.org/stable/c/8b9c7719b0987b1c6c5fc910599f3618a558dbde"
},
{
"url": "https://git.kernel.org/stable/c/2cc26dac0518d2fa9b67ec813ee60e183480f98a"
},
{
"url": "https://git.kernel.org/stable/c/bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b"
},
{
"url": "https://git.kernel.org/stable/c/5c1f96123113e0bdc6d8dc2b0830184c93da9f65"
},
{
"url": "https://git.kernel.org/stable/c/f1ad24c5abe1eaef69158bac1405a74b3c365115"
}
],
"title": "i40e: fix idx validation in config queues msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39971",
"datePublished": "2025-10-15T07:55:54.270Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39973 (GCVE-0-2025-39973)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add validation for ring_len param
The `ring_len` parameter provided by the virtual function (VF)
is assigned directly to the hardware memory context (HMC) without
any validation.
To address this, introduce an upper boundary check for both Tx and Rx
queue lengths. The maximum number of descriptors supported by the
hardware is 8k-32.
Additionally, enforce alignment constraints: Tx rings must be a multiple
of 8, and Rx rings must be a multiple of 32.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0543d40d6513cdf1c7882811086e59a6455dfe97",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "d3b0d3f8d11fa957171fbb186e53998361a88d4e",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "c0c83f4cd074b75cecef107bfc349be7d516c9c4",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "05fe81fb9db20464fa532a3835dc8300d68a2f84",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "afec12adab55d10708179a64d95d650741e60fe0",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "55d225670def06b01af2e7a5e0446fbe946289e8",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:55.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0543d40d6513cdf1c7882811086e59a6455dfe97"
},
{
"url": "https://git.kernel.org/stable/c/7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9"
},
{
"url": "https://git.kernel.org/stable/c/45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985"
},
{
"url": "https://git.kernel.org/stable/c/d3b0d3f8d11fa957171fbb186e53998361a88d4e"
},
{
"url": "https://git.kernel.org/stable/c/c0c83f4cd074b75cecef107bfc349be7d516c9c4"
},
{
"url": "https://git.kernel.org/stable/c/05fe81fb9db20464fa532a3835dc8300d68a2f84"
},
{
"url": "https://git.kernel.org/stable/c/afec12adab55d10708179a64d95d650741e60fe0"
},
{
"url": "https://git.kernel.org/stable/c/55d225670def06b01af2e7a5e0446fbe946289e8"
}
],
"title": "i40e: add validation for ring_len param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39973",
"datePublished": "2025-10-15T07:55:55.590Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:55.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39739 (GCVE-0-2025-39739)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-qcom: Add SM6115 MDSS compatible
Add the SM6115 MDSS compatible to clients compatible list, as it also
needs that workaround.
Without this workaround, for example, QRB4210 RB2 which is based on
SM4250/SM6115 generates a lot of smmu unhandled context faults during
boot:
arm_smmu_context_fault: 116854 callbacks suppressed
arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,
iova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5
arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420
arm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1]
arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,
iova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5
arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420
and also failed initialisation of lontium lt9611uxc, gpu and dpu is
observed:
(binding MDSS components triggered by lt9611uxc have failed)
------------[ cut here ]------------
!aspace
WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm]
Modules linked in: ... (long list of modules)
CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT
Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : msm_gem_vma_init+0x150/0x18c [msm]
lr : msm_gem_vma_init+0x150/0x18c [msm]
sp : ffff80008144b280
...
Call trace:
msm_gem_vma_init+0x150/0x18c [msm] (P)
get_vma_locked+0xc0/0x194 [msm]
msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm]
msm_gem_kernel_new+0x48/0x160 [msm]
msm_gpu_init+0x34c/0x53c [msm]
adreno_gpu_init+0x1b0/0x2d8 [msm]
a6xx_gpu_init+0x1e8/0x9e0 [msm]
adreno_bind+0x2b8/0x348 [msm]
component_bind_all+0x100/0x230
msm_drm_bind+0x13c/0x3d0 [msm]
try_to_bring_up_aggregate_device+0x164/0x1d0
__component_add+0xa4/0x174
component_add+0x14/0x20
dsi_dev_attach+0x20/0x34 [msm]
dsi_host_attach+0x58/0x98 [msm]
devm_mipi_dsi_attach+0x34/0x90
lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc]
lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc]
i2c_device_probe+0x148/0x2a8
really_probe+0xbc/0x2c0
__driver_probe_device+0x78/0x120
driver_probe_device+0x3c/0x154
__driver_attach+0x90/0x1a0
bus_for_each_dev+0x68/0xb8
driver_attach+0x24/0x30
bus_add_driver+0xe4/0x208
driver_register+0x68/0x124
i2c_register_driver+0x48/0xcc
lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc]
do_one_initcall+0x60/0x1d4
do_init_module+0x54/0x1fc
load_module+0x1748/0x1c8c
init_module_from_file+0x74/0xa0
__arm64_sys_finit_module+0x130/0x2f8
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x2c/0x80
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
---[ end trace 0000000000000000 ]---
msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22
msm_dpu 5e01000.display-controller: failed to load adreno gpu
platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19
msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22
msm_dpu 5e01000.display-controller: adev bind failed: -22
lt9611uxc 0-002b: failed to attach dsi to host
lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a11b6ee7cab87c4d75e95ac9e7443155f7cecb55",
"status": "affected",
"version": "3581b7062cec5a40b54acbd0dc28321d3aaa9fc7",
"versionType": "git"
},
{
"lessThan": "c62963370627f3aa22d991e0a3e93f5d61ad9b08",
"status": "affected",
"version": "3581b7062cec5a40b54acbd0dc28321d3aaa9fc7",
"versionType": "git"
},
{
"lessThan": "3d470cf40c9265092eb33c3d3d9dc8bad452bcc2",
"status": "affected",
"version": "3581b7062cec5a40b54acbd0dc28321d3aaa9fc7",
"versionType": "git"
},
{
"lessThan": "e52bbaa209ebff3bf7a10c17ba7d3e1d3cb0fe61",
"status": "affected",
"version": "3581b7062cec5a40b54acbd0dc28321d3aaa9fc7",
"versionType": "git"
},
{
"lessThan": "f7fa8520f30373ce99c436c4d57c76befdacbef3",
"status": "affected",
"version": "3581b7062cec5a40b54acbd0dc28321d3aaa9fc7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-qcom: Add SM6115 MDSS compatible\n\nAdd the SM6115 MDSS compatible to clients compatible list, as it also\nneeds that workaround.\nWithout this workaround, for example, QRB4210 RB2 which is based on\nSM4250/SM6115 generates a lot of smmu unhandled context faults during\nboot:\n\narm_smmu_context_fault: 116854 callbacks suppressed\narm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,\niova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5\narm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420\narm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1]\narm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,\niova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5\narm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420\n\nand also failed initialisation of lontium lt9611uxc, gpu and dpu is\nobserved:\n(binding MDSS components triggered by lt9611uxc have failed)\n\n ------------[ cut here ]------------\n !aspace\n WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm]\n Modules linked in: ... (long list of modules)\n CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT\n Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT)\n pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : msm_gem_vma_init+0x150/0x18c [msm]\n lr : msm_gem_vma_init+0x150/0x18c [msm]\n sp : ffff80008144b280\n \t\t...\n Call trace:\n msm_gem_vma_init+0x150/0x18c [msm] (P)\n get_vma_locked+0xc0/0x194 [msm]\n msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm]\n msm_gem_kernel_new+0x48/0x160 [msm]\n msm_gpu_init+0x34c/0x53c [msm]\n adreno_gpu_init+0x1b0/0x2d8 [msm]\n a6xx_gpu_init+0x1e8/0x9e0 [msm]\n adreno_bind+0x2b8/0x348 [msm]\n component_bind_all+0x100/0x230\n msm_drm_bind+0x13c/0x3d0 [msm]\n try_to_bring_up_aggregate_device+0x164/0x1d0\n __component_add+0xa4/0x174\n component_add+0x14/0x20\n dsi_dev_attach+0x20/0x34 [msm]\n dsi_host_attach+0x58/0x98 [msm]\n devm_mipi_dsi_attach+0x34/0x90\n lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc]\n lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc]\n i2c_device_probe+0x148/0x2a8\n really_probe+0xbc/0x2c0\n __driver_probe_device+0x78/0x120\n driver_probe_device+0x3c/0x154\n __driver_attach+0x90/0x1a0\n bus_for_each_dev+0x68/0xb8\n driver_attach+0x24/0x30\n bus_add_driver+0xe4/0x208\n driver_register+0x68/0x124\n i2c_register_driver+0x48/0xcc\n lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc]\n do_one_initcall+0x60/0x1d4\n do_init_module+0x54/0x1fc\n load_module+0x1748/0x1c8c\n init_module_from_file+0x74/0xa0\n __arm64_sys_finit_module+0x130/0x2f8\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x2c/0x80\n el0t_64_sync_handler+0x10c/0x138\n el0t_64_sync+0x198/0x19c\n ---[ end trace 0000000000000000 ]---\n msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22\n msm_dpu 5e01000.display-controller: failed to load adreno gpu\n platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19\n msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22\n msm_dpu 5e01000.display-controller: adev bind failed: -22\n lt9611uxc 0-002b: failed to attach dsi to host\n lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:25.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a11b6ee7cab87c4d75e95ac9e7443155f7cecb55"
},
{
"url": "https://git.kernel.org/stable/c/c62963370627f3aa22d991e0a3e93f5d61ad9b08"
},
{
"url": "https://git.kernel.org/stable/c/3d470cf40c9265092eb33c3d3d9dc8bad452bcc2"
},
{
"url": "https://git.kernel.org/stable/c/e52bbaa209ebff3bf7a10c17ba7d3e1d3cb0fe61"
},
{
"url": "https://git.kernel.org/stable/c/f7fa8520f30373ce99c436c4d57c76befdacbef3"
}
],
"title": "iommu/arm-smmu-qcom: Add SM6115 MDSS compatible",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39739",
"datePublished": "2025-09-11T16:52:13.954Z",
"dateReserved": "2025-04-16T07:20:57.120Z",
"dateUpdated": "2025-09-29T05:58:25.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39891 (GCVE-0-2025-39891)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Initialize the chan_stats array to zero
The adapter->chan_stats[] array is initialized in
mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
memory. The array is filled in mwifiex_update_chan_statistics()
and then the user can query the data in mwifiex_cfg80211_dump_survey().
There are two potential issues here. What if the user calls
mwifiex_cfg80211_dump_survey() before the data has been filled in.
Also the mwifiex_update_chan_statistics() function doesn't necessarily
initialize the whole array. Since the array was not initialized at
the start that could result in an information leak.
Also this array is pretty small. It's a maximum of 900 bytes so it's
more appropriate to use kcalloc() instead vmalloc().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:27.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "05daef0442d28350a1a0d6d0e2cab4a7a91df475",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "acdf26a912190fc6746e2a890d7d0338190527b4",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "32c124c9c03aa755cbaf60ef7f76afd918d47659",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "9df29aa5637d94d24f7c5f054ef4feaa7b766111",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "06616410a3e5e6cd1de5b7cbc668f1a7edeedad9",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "5285b7009dc1e09d5bb9e05fae82e1a807882dbc",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "0e20450829ca3c1dbc2db536391537c57a40fe0b",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter-\u003echan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn\u0027t zero out\nmemory. The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here. What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn\u0027t necessarily\ninitialize the whole array. Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small. It\u0027s a maximum of 900 bytes so it\u0027s\nmore appropriate to use kcalloc() instead vmalloc()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:40.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65"
},
{
"url": "https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475"
},
{
"url": "https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4"
},
{
"url": "https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659"
},
{
"url": "https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111"
},
{
"url": "https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9"
},
{
"url": "https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc"
},
{
"url": "https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b"
}
],
"title": "wifi: mwifiex: Initialize the chan_stats array to zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39891",
"datePublished": "2025-10-01T07:42:40.633Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:27.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53226 (GCVE-0-2023-53226)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Fix OOB and integer underflow when rx packets
Make sure mwifiex_process_mgmt_packet,
mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,
mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet
not out-of-bounds access the skb->data buffer.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 Version: 2dbaf751b1dec3a603130a475f94cc4d3f404362 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/sta_rx.c",
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c",
"drivers/net/wireless/marvell/mwifiex/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f517c97fc129995de77dd06aa5a74f909ebf568f",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "8824aa4ab62c800f75d96f48e1883a5f56ec5869",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "29eca8b7863d1d7de6c5b746b374e3487d14f154",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "3fe3923d092e22d87d1ed03e2729db444b8c1331",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "3975e21d4d01efaf0296ded40d11c06589c49245",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "a7300e3800e9fd5405e88ce67709c1a97783b9c8",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "650d1bc02fba7b42f476d8b6643324abac5921ed",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
},
{
"lessThan": "11958528161731c58e105b501ed60b83a91ea941",
"status": "affected",
"version": "2dbaf751b1dec3a603130a475f94cc4d3f404362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/sta_rx.c",
"drivers/net/wireless/marvell/mwifiex/uap_txrx.c",
"drivers/net/wireless/marvell/mwifiex/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix OOB and integer underflow when rx packets\n\nMake sure mwifiex_process_mgmt_packet,\nmwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,\nmwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet\nnot out-of-bounds access the skb-\u003edata buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:55.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f517c97fc129995de77dd06aa5a74f909ebf568f"
},
{
"url": "https://git.kernel.org/stable/c/8824aa4ab62c800f75d96f48e1883a5f56ec5869"
},
{
"url": "https://git.kernel.org/stable/c/29eca8b7863d1d7de6c5b746b374e3487d14f154"
},
{
"url": "https://git.kernel.org/stable/c/3fe3923d092e22d87d1ed03e2729db444b8c1331"
},
{
"url": "https://git.kernel.org/stable/c/7c54b6fc39eb1aac51cf2945f8a25e2a47fdca02"
},
{
"url": "https://git.kernel.org/stable/c/3975e21d4d01efaf0296ded40d11c06589c49245"
},
{
"url": "https://git.kernel.org/stable/c/a7300e3800e9fd5405e88ce67709c1a97783b9c8"
},
{
"url": "https://git.kernel.org/stable/c/650d1bc02fba7b42f476d8b6643324abac5921ed"
},
{
"url": "https://git.kernel.org/stable/c/11958528161731c58e105b501ed60b83a91ea941"
}
],
"title": "wifi: mwifiex: Fix OOB and integer underflow when rx packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53226",
"datePublished": "2025-09-15T14:21:55.884Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2025-09-15T14:21:55.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53555 (GCVE-0-2023-53555)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: initialize damo_filter->list from damos_new_filter()
damos_new_filter() is not initializing the list field of newly allocated
filter object. However, DAMON sysfs interface and DAMON_RECLAIM are not
initializing it after calling damos_new_filter(). As a result, accessing
uninitialized memory is possible. Actually, adding multiple DAMOS filters
via DAMON sysfs interface caused NULL pointer dereferencing. Initialize
the field just after the allocation from damos_new_filter().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da7beebb49c643cd03c54447ed66595936a7a1ce",
"status": "affected",
"version": "98def236f63c66629fb6b2d4b69cecffc5b46539",
"versionType": "git"
},
{
"lessThan": "5f1fc67f2cb8d3035d3acd273b48b97835af8afd",
"status": "affected",
"version": "98def236f63c66629fb6b2d4b69cecffc5b46539",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: initialize damo_filter-\u003elist from damos_new_filter()\n\ndamos_new_filter() is not initializing the list field of newly allocated\nfilter object. However, DAMON sysfs interface and DAMON_RECLAIM are not\ninitializing it after calling damos_new_filter(). As a result, accessing\nuninitialized memory is possible. Actually, adding multiple DAMOS filters\nvia DAMON sysfs interface caused NULL pointer dereferencing. Initialize\nthe field just after the allocation from damos_new_filter()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:00.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da7beebb49c643cd03c54447ed66595936a7a1ce"
},
{
"url": "https://git.kernel.org/stable/c/5f1fc67f2cb8d3035d3acd273b48b97835af8afd"
}
],
"title": "mm/damon/core: initialize damo_filter-\u003elist from damos_new_filter()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53555",
"datePublished": "2025-10-04T15:17:00.514Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:17:00.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53463 (GCVE-0-2023-53463)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Do not reset dql stats on NON_FATAL err
All ibmvnic resets, make a call to netdev_tx_reset_queue() when
re-opening the device. netdev_tx_reset_queue() resets the num_queued
and num_completed byte counters. These stats are used in Byte Queue
Limit (BQL) algorithms. The difference between these two stats tracks
the number of bytes currently sitting on the physical NIC. ibmvnic
increases the number of queued bytes though calls to
netdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports
that it is done transmitting bytes, the ibmvnic device increases the
number of completed bytes through calls to netdev_tx_completed_queue().
It is important to note that the driver batches its transmit calls and
num_queued is increased every time that an skb is added to the next
batch, not necessarily when the batch is sent to VIOS for transmission.
Unlike other reset types, a NON FATAL reset will not flush the sub crq
tx buffers. Therefore, it is possible for the batched skb array to be
partially full. So if there is call to netdev_tx_reset_queue() when
re-opening the device, the value of num_queued (0) would not account
for the skb's that are currently batched. Eventually, when the batch
is sent to VIOS, the call to netdev_tx_completed_queue() would increase
num_completed to a value greater than the num_queued. This causes a
BUG_ON crash:
ibmvnic 30000002: Firmware reports error, cause: adapter problem.
Starting recovery...
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
ibmvnic 30000002: tx error 600
------------[ cut here ]------------
kernel BUG at lib/dynamic_queue_limits.c:27!
Oops: Exception in kernel mode, sig: 5
[....]
NIP dql_completed+0x28/0x1c0
LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]
Call Trace:
ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)
ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]
__handle_irq_event_percpu+0x98/0x270
---[ end trace ]---
Therefore, do not reset the dql stats when performing a NON_FATAL reset.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8aedf29db1280c83191fc9579ae605791faf97f",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "f67ef8f9f6776e2b2073cad7c5cf29de850f83d7",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "91a0632e73070928aafeb36b3cc676843c716931",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
},
{
"lessThan": "48538ccb825b05544ec308a509e2cc9c013402db",
"status": "affected",
"version": "0d973388185d49add56b81ca82fa5e4348019df8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Do not reset dql stats on NON_FATAL err\n\nAll ibmvnic resets, make a call to netdev_tx_reset_queue() when\nre-opening the device. netdev_tx_reset_queue() resets the num_queued\nand num_completed byte counters. These stats are used in Byte Queue\nLimit (BQL) algorithms. The difference between these two stats tracks\nthe number of bytes currently sitting on the physical NIC. ibmvnic\nincreases the number of queued bytes though calls to\nnetdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports\nthat it is done transmitting bytes, the ibmvnic device increases the\nnumber of completed bytes through calls to netdev_tx_completed_queue().\nIt is important to note that the driver batches its transmit calls and\nnum_queued is increased every time that an skb is added to the next\nbatch, not necessarily when the batch is sent to VIOS for transmission.\n\nUnlike other reset types, a NON FATAL reset will not flush the sub crq\ntx buffers. Therefore, it is possible for the batched skb array to be\npartially full. So if there is call to netdev_tx_reset_queue() when\nre-opening the device, the value of num_queued (0) would not account\nfor the skb\u0027s that are currently batched. Eventually, when the batch\nis sent to VIOS, the call to netdev_tx_completed_queue() would increase\nnum_completed to a value greater than the num_queued. This causes a\nBUG_ON crash:\n\nibmvnic 30000002: Firmware reports error, cause: adapter problem.\nStarting recovery...\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:27!\nOops: Exception in kernel mode, sig: 5\n[....]\nNIP dql_completed+0x28/0x1c0\nLR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]\nCall Trace:\nibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)\nibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]\n__handle_irq_event_percpu+0x98/0x270\n---[ end trace ]---\n\nTherefore, do not reset the dql stats when performing a NON_FATAL reset."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:34.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8aedf29db1280c83191fc9579ae605791faf97f"
},
{
"url": "https://git.kernel.org/stable/c/f67ef8f9f6776e2b2073cad7c5cf29de850f83d7"
},
{
"url": "https://git.kernel.org/stable/c/91a0632e73070928aafeb36b3cc676843c716931"
},
{
"url": "https://git.kernel.org/stable/c/48538ccb825b05544ec308a509e2cc9c013402db"
}
],
"title": "ibmvnic: Do not reset dql stats on NON_FATAL err",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53463",
"datePublished": "2025-10-01T11:42:34.308Z",
"dateReserved": "2025-10-01T11:39:39.400Z",
"dateUpdated": "2025-10-01T11:42:34.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50579 (GCVE-0-2022-50579)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: ftrace: fix module PLTs with mcount
Li Huafei reports that mcount-based ftrace with module PLTs was broken
by commit:
a6253579977e4c6f ("arm64: ftrace: consistently handle PLTs.")
When a module PLTs are used and a module is loaded sufficiently far away
from the kernel, we'll create PLTs for any branches which are
out-of-range. These are separate from the special ftrace trampoline
PLTs, which the module PLT code doesn't directly manipulate.
When mcount is in use this is a problem, as each mcount callsite in a
module will be initialized to point to a module PLT, but since commit
a6253579977e4c6f ftrace_make_nop() will assume that the callsite has
been initialized to point to the special ftrace trampoline PLT, and
ftrace_find_callable_addr() rejects other cases.
This means that when ftrace tries to initialize a callsite via
ftrace_make_nop(), the call to ftrace_find_callable_addr() will find
that the `_mcount` stub is out-of-range and is not handled by the ftrace
PLT, resulting in a splat:
| ftrace_test: loading out-of-tree module taints kernel.
| ftrace: no module PLT for _mcount
| ------------[ ftrace bug ]------------
| ftrace failed to modify
| [<ffff800029180014>] 0xffff800029180014
| actual: 44:00:00:94
| Initializing ftrace call sites
| ftrace record flags: 2000000
| (0)
| expected tramp: ffff80000802eb3c
| ------------[ cut here ]------------
| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270
| Modules linked in:
| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22
| Hardware name: linux,dummy-virt (DT)
| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : ftrace_bug+0x94/0x270
| lr : ftrace_bug+0x21c/0x270
| sp : ffff80000b2bbaf0
| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000
| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00
| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8
| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff
| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118
| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666
| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030
| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4
| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001
| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022
| Call trace:
| ftrace_bug+0x94/0x270
| ftrace_process_locs+0x308/0x430
| ftrace_module_init+0x44/0x60
| load_module+0x15b4/0x1ce8
| __do_sys_init_module+0x1ec/0x238
| __arm64_sys_init_module+0x24/0x30
| invoke_syscall+0x54/0x118
| el0_svc_common.constprop.4+0x84/0x100
| do_el0_svc+0x3c/0xd0
| el0_svc+0x1c/0x50
| el0t_64_sync_handler+0x90/0xb8
| el0t_64_sync+0x15c/0x160
| ---[ end trace 0000000000000000 ]---
| ---------test_init-----------
Fix this by reverting to the old behaviour of ignoring the old
instruction when initialising an mcount callsite in a module, which was
the behaviour prior to commit a6253579977e4c6f.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bc28fde90937a920f7714ec4408269cac744f796 Version: db73aa9466338ec821ed2a0b01721fe4d06876b1 Version: a6253579977e4c6f7818eeb05bf2bc65678a7187 Version: a6253579977e4c6f7818eeb05bf2bc65678a7187 Version: a6253579977e4c6f7818eeb05bf2bc65678a7187 Version: dcecc96ed16f73417de5550f384e348c9d56f279 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "657de36c72f57fa172a66b06f826b3f5bc56f42e",
"status": "affected",
"version": "bc28fde90937a920f7714ec4408269cac744f796",
"versionType": "git"
},
{
"lessThan": "6c93b683cedaef745884cb9d554d02ed6266b897",
"status": "affected",
"version": "db73aa9466338ec821ed2a0b01721fe4d06876b1",
"versionType": "git"
},
{
"lessThan": "0f77b6b2ba70d7c9d69ef39694e283ded9f8b5f2",
"status": "affected",
"version": "a6253579977e4c6f7818eeb05bf2bc65678a7187",
"versionType": "git"
},
{
"lessThan": "985432303cf7d4804fb2c2fdfbf0466a796d68c3",
"status": "affected",
"version": "a6253579977e4c6f7818eeb05bf2bc65678a7187",
"versionType": "git"
},
{
"lessThan": "8cfb08575c6d4585f1ce0deeb189e5c824776b04",
"status": "affected",
"version": "a6253579977e4c6f7818eeb05bf2bc65678a7187",
"versionType": "git"
},
{
"status": "affected",
"version": "dcecc96ed16f73417de5550f384e348c9d56f279",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: fix module PLTs with mcount\n\nLi Huafei reports that mcount-based ftrace with module PLTs was broken\nby commit:\n\n a6253579977e4c6f (\"arm64: ftrace: consistently handle PLTs.\")\n\nWhen a module PLTs are used and a module is loaded sufficiently far away\nfrom the kernel, we\u0027ll create PLTs for any branches which are\nout-of-range. These are separate from the special ftrace trampoline\nPLTs, which the module PLT code doesn\u0027t directly manipulate.\n\nWhen mcount is in use this is a problem, as each mcount callsite in a\nmodule will be initialized to point to a module PLT, but since commit\na6253579977e4c6f ftrace_make_nop() will assume that the callsite has\nbeen initialized to point to the special ftrace trampoline PLT, and\nftrace_find_callable_addr() rejects other cases.\n\nThis means that when ftrace tries to initialize a callsite via\nftrace_make_nop(), the call to ftrace_find_callable_addr() will find\nthat the `_mcount` stub is out-of-range and is not handled by the ftrace\nPLT, resulting in a splat:\n\n| ftrace_test: loading out-of-tree module taints kernel.\n| ftrace: no module PLT for _mcount\n| ------------[ ftrace bug ]------------\n| ftrace failed to modify\n| [\u003cffff800029180014\u003e] 0xffff800029180014\n| actual: 44:00:00:94\n| Initializing ftrace call sites\n| ftrace record flags: 2000000\n| (0)\n| expected tramp: ffff80000802eb3c\n| ------------[ cut here ]------------\n| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270\n| Modules linked in:\n| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : ftrace_bug+0x94/0x270\n| lr : ftrace_bug+0x21c/0x270\n| sp : ffff80000b2bbaf0\n| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000\n| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00\n| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8\n| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff\n| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118\n| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666\n| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030\n| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4\n| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001\n| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022\n| Call trace:\n| ftrace_bug+0x94/0x270\n| ftrace_process_locs+0x308/0x430\n| ftrace_module_init+0x44/0x60\n| load_module+0x15b4/0x1ce8\n| __do_sys_init_module+0x1ec/0x238\n| __arm64_sys_init_module+0x24/0x30\n| invoke_syscall+0x54/0x118\n| el0_svc_common.constprop.4+0x84/0x100\n| do_el0_svc+0x3c/0xd0\n| el0_svc+0x1c/0x50\n| el0t_64_sync_handler+0x90/0xb8\n| el0t_64_sync+0x15c/0x160\n| ---[ end trace 0000000000000000 ]---\n| ---------test_init-----------\n\nFix this by reverting to the old behaviour of ignoring the old\ninstruction when initialising an mcount callsite in a module, which was\nthe behaviour prior to commit a6253579977e4c6f."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:32.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/657de36c72f57fa172a66b06f826b3f5bc56f42e"
},
{
"url": "https://git.kernel.org/stable/c/6c93b683cedaef745884cb9d554d02ed6266b897"
},
{
"url": "https://git.kernel.org/stable/c/0f77b6b2ba70d7c9d69ef39694e283ded9f8b5f2"
},
{
"url": "https://git.kernel.org/stable/c/985432303cf7d4804fb2c2fdfbf0466a796d68c3"
},
{
"url": "https://git.kernel.org/stable/c/8cfb08575c6d4585f1ce0deeb189e5c824776b04"
}
],
"title": "arm64: ftrace: fix module PLTs with mcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50579",
"datePublished": "2025-10-22T13:23:32.242Z",
"dateReserved": "2025-10-22T13:20:23.762Z",
"dateUpdated": "2025-10-22T13:23:32.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39761 (GCVE-0-2025-39761)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Decrement TID on RX peer frag setup error handling
Currently, TID is not decremented before peer cleanup, during error
handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to
out-of-bounds access in peer->rx_tid[].
Hence, add a decrement operation for TID, before peer cleanup to
ensures proper cleanup and prevents out-of-bounds access issues when
the RX peer frag setup fails.
Found during code review. Compile tested only.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c3e99fd4a66a5ac9c7dd32db07359666efe0002",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "a3b73c72c42348bf1555fd2b00f32f941324b242",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "9530d666f4376c294cdf4348c29fe3542fec980a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c0884fcd2ddde0544d2e77f297ae461e1f53f58",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Decrement TID on RX peer frag setup error handling\n\nCurrently, TID is not decremented before peer cleanup, during error\nhandling path of ath12k_dp_rx_peer_frag_setup(). This could lead to\nout-of-bounds access in peer-\u003erx_tid[].\n\nHence, add a decrement operation for TID, before peer cleanup to\nensures proper cleanup and prevents out-of-bounds access issues when\nthe RX peer frag setup fails.\n\nFound during code review. Compile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:52.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6"
},
{
"url": "https://git.kernel.org/stable/c/7c3e99fd4a66a5ac9c7dd32db07359666efe0002"
},
{
"url": "https://git.kernel.org/stable/c/a3b73c72c42348bf1555fd2b00f32f941324b242"
},
{
"url": "https://git.kernel.org/stable/c/9530d666f4376c294cdf4348c29fe3542fec980a"
},
{
"url": "https://git.kernel.org/stable/c/7c0884fcd2ddde0544d2e77f297ae461e1f53f58"
}
],
"title": "wifi: ath12k: Decrement TID on RX peer frag setup error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39761",
"datePublished": "2025-09-11T16:52:29.788Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2025-09-29T05:58:52.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-48956 (GCVE-0-2022-48956)
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2025-05-04 08:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid use-after-free in ip6_fragment()
Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
It seems to not be always true, at least for UDP stack.
syzbot reported:
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
ip6_dst_idev include/net/ip6_fib.h:245 [inline]
ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
__ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
sock_write_iter+0x295/0x3d0 net/socket.c:1108
call_write_iter include/linux/fs.h:2191 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x9ed/0xdd0 fs/read_write.c:584
ksys_write+0x1ec/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
</TASK>
Allocated by task 7618:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
dst_alloc+0x14a/0x1f0 net/core/dst.c:92
ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
pol_lookup_func include/net/ip6_fib.h:582 [inline]
fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
ip6_route_output include/net/ip6_route.h:98 [inline]
ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec n
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:21:00.418896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:28:39.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3d7ff8c04a83279fb7641fc4d5aa82a602df7c0",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "7e0dcd5f3ade221a6126278aca60c8ab4cc3bce9",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "6b6d3be3661bff2746cab26147bd629aa034e094",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "8208d7e56b1e579320b9ff3712739ad2e63e1f86",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "7390c70bd431cbfa6951477e2c80a301643e284b",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "9b1a468a455d8319041528778d0e684a4c062792",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
},
{
"lessThan": "803e84867de59a1e5d126666d25eb4860cfd2ebe",
"status": "affected",
"version": "1758fd4688eb92c796e75bdb1d256dc558ef9581",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.302",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.269",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.227",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.159",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.83",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.13",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid use-after-free in ip6_fragment()\n\nBlamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.\n\nIt seems to not be always true, at least for UDP stack.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]\nBUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\nRead of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618\n\nCPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x45d mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n ip6_dst_idev include/net/ip6_fib.h:245 [inline]\n ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\n __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]\n ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206\n NF_HOOK_COND include/linux/netfilter.h:291 [inline]\n ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227\n dst_output include/net/dst.h:445 [inline]\n ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161\n ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966\n udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286\n udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313\n udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0xd3/0x120 net/socket.c:734\n sock_write_iter+0x295/0x3d0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2191 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x9ed/0xdd0 fs/read_write.c:584\n ksys_write+0x1ec/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fde3588c0d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9\nRDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a\nRBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000\n \u003c/TASK\u003e\n\nAllocated by task 7618:\n kasan_save_stack+0x22/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422\n dst_alloc+0x14a/0x1f0 net/core/dst.c:92\n ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344\n ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]\n rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]\n ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254\n pol_lookup_func include/net/ip6_fib.h:582 [inline]\n fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625\n ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638\n ip6_route_output include/net/ip6_route.h:98 [inline]\n ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092\n ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222\n ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260\n udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec n\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:26:53.995Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3d7ff8c04a83279fb7641fc4d5aa82a602df7c0"
},
{
"url": "https://git.kernel.org/stable/c/7e0dcd5f3ade221a6126278aca60c8ab4cc3bce9"
},
{
"url": "https://git.kernel.org/stable/c/6b6d3be3661bff2746cab26147bd629aa034e094"
},
{
"url": "https://git.kernel.org/stable/c/8208d7e56b1e579320b9ff3712739ad2e63e1f86"
},
{
"url": "https://git.kernel.org/stable/c/7390c70bd431cbfa6951477e2c80a301643e284b"
},
{
"url": "https://git.kernel.org/stable/c/9b1a468a455d8319041528778d0e684a4c062792"
},
{
"url": "https://git.kernel.org/stable/c/803e84867de59a1e5d126666d25eb4860cfd2ebe"
}
],
"title": "ipv6: avoid use-after-free in ip6_fragment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48956",
"datePublished": "2024-10-21T20:05:42.379Z",
"dateReserved": "2024-08-22T01:27:53.627Z",
"dateUpdated": "2025-05-04T08:26:53.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39955 (GCVE-0-2025-39955)
Vulnerability from cvelistv5
Published
2025-10-09 09:47
Modified
2025-10-09 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]
syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:
1. accept()
2. connect(AF_UNSPEC)
3. connect() to another destination
As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.
Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.
Let's call reqsk_fastopen_remove() in tcp_disconnect().
[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
<IRQ>
tcp_write_timer (net/ipv4/tcp_timer.c:738)
call_timer_fn (kernel/time/timer.c:1747)
__run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
__walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
tmigr_handle_remote (kernel/time/timer_migration.c:1096)
handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
</IRQ>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec092a91ff351dcde89c23e795b73a328274db6",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "17d699727577814198d744d6afe54735c6b54c99",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "fa4749c065644af4db496b338452a69a3e5147d9",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n 1. accept()\n 2. connect(AF_UNSPEC)\n 3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet\u0027s call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T09:47:33.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6"
},
{
"url": "https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0"
},
{
"url": "https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609"
},
{
"url": "https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99"
},
{
"url": "https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753"
},
{
"url": "https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9"
},
{
"url": "https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"
},
{
"url": "https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"
}
],
"title": "tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39955",
"datePublished": "2025-10-09T09:47:33.556Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T09:47:33.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53282 (GCVE-0-2023-53282)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-16 08:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write
During the sysfs firmware write process, a use-after-free read warning is
logged from the lpfc_wr_object() routine:
BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc]
Use-after-free read at 0x0000000000cf164d (in kfence-#111):
lpfc_wr_object+0x235/0x310 [lpfc]
lpfc_write_firmware.cold+0x206/0x30d [lpfc]
lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc]
lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc]
kernfs_fop_write_iter+0x121/0x1b0
new_sync_write+0x11c/0x1b0
vfs_write+0x1ef/0x280
ksys_write+0x5f/0xe0
do_syscall_64+0x59/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The driver accessed wr_object pointer data, which was initialized into
mailbox payload memory, after the mailbox object was released back to the
mailbox pool.
Fix by moving the mailbox free calls to the end of the routine ensuring
that we don't reference internal mailbox memory after release.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51ab4eb1a25e73c7fc2ad9026520c4d8369c93cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8dfefa8f424ab208e552df1bfd008b732f3d0ad1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8becb97918f04bb177bc9c4e00c2bdb302e00944",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21681b81b9ae548c5dae7ae00d931197a27f480c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write\n\nDuring the sysfs firmware write process, a use-after-free read warning is\nlogged from the lpfc_wr_object() routine:\n\n BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc]\n Use-after-free read at 0x0000000000cf164d (in kfence-#111):\n lpfc_wr_object+0x235/0x310 [lpfc]\n lpfc_write_firmware.cold+0x206/0x30d [lpfc]\n lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc]\n lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc]\n kernfs_fop_write_iter+0x121/0x1b0\n new_sync_write+0x11c/0x1b0\n vfs_write+0x1ef/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x59/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe driver accessed wr_object pointer data, which was initialized into\nmailbox payload memory, after the mailbox object was released back to the\nmailbox pool.\n\nFix by moving the mailbox free calls to the end of the routine ensuring\nthat we don\u0027t reference internal mailbox memory after release."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:11:16.083Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51ab4eb1a25e73c7fc2ad9026520c4d8369c93cc"
},
{
"url": "https://git.kernel.org/stable/c/8dfefa8f424ab208e552df1bfd008b732f3d0ad1"
},
{
"url": "https://git.kernel.org/stable/c/8becb97918f04bb177bc9c4e00c2bdb302e00944"
},
{
"url": "https://git.kernel.org/stable/c/21681b81b9ae548c5dae7ae00d931197a27f480c"
}
],
"title": "scsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53282",
"datePublished": "2025-09-16T08:11:16.083Z",
"dateReserved": "2025-09-16T08:09:37.991Z",
"dateUpdated": "2025-09-16T08:11:16.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39911 (GCVE-0-2025-39911)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ab9adef3cd386511c930a9660ae06595007f89",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "6e4016c0dca53afc71e3b99e24252b63417395df",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b9721a023df38cf44a88f2739b4cf51efd051f85",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b905b2acb3a0bbb08ad9be9984d8cdabdf827315",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "23431998a37764c464737b855c71a81d50992e98",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "a30afd6617c30aaa338d1dbcb1e34e7a1890085c",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "c62580674ce5feb1be4f90b5873ff3ce50e0a1db",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "915470e1b44e71d1dd07ee067276f003c3521ee3",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n \u003cTASK\u003e\n free_irq+0x32/0x70\n i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n i40e_vsi_request_irq+0x79/0x80 [i40e]\n i40e_vsi_open+0x21f/0x2f0 [i40e]\n i40e_open+0x63/0x130 [i40e]\n __dev_open+0xfc/0x210\n __dev_change_flags+0x1fc/0x240\n netif_change_flags+0x27/0x70\n do_setlink.isra.0+0x341/0xc70\n rtnl_newlink+0x468/0x860\n rtnetlink_rcv_msg+0x375/0x450\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x288/0x3c0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x3a2/0x3d0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x82/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:41.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89"
},
{
"url": "https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df"
},
{
"url": "https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85"
},
{
"url": "https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315"
},
{
"url": "https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98"
},
{
"url": "https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c"
},
{
"url": "https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db"
},
{
"url": "https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3"
}
],
"title": "i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39911",
"datePublished": "2025-10-01T07:44:34.561Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53570 (GCVE-0-2023-53570)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the
number of MBSSID elements in the nested netlink attribute attrs, which can
lead to an integer overflow if a user of the nl80211 interface specifies
256 or more elements in the corresponding attribute in userspace. The
integer overflow can lead to a heap buffer overflow as num_elems determines
the size of the trailing array in elems, and this array is thereafter
written to for each element in attrs.
Note that this vulnerability only affects devices with the
wiphy->mbssid_max_interfaces member set for the wireless physical device
struct in the device driver, and can only be triggered by a process with
CAP_NET_ADMIN capabilities.
Fix this by checking for a maximum of 255 elements in attrs.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e642eb67b8c10dcce758d549cc81564116e0fa49",
"status": "affected",
"version": "dc1e3cb8da8b414b37208b2fb6755fef8122504b",
"versionType": "git"
},
{
"lessThan": "7d09f9f255a5f78578deba5454923072bb53b16c",
"status": "affected",
"version": "dc1e3cb8da8b414b37208b2fb6755fef8122504b",
"versionType": "git"
},
{
"lessThan": "6311071a056272e1e761de8d0305e87cc566f734",
"status": "affected",
"version": "dc1e3cb8da8b414b37208b2fb6755fef8122504b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()\n\nnl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the\nnumber of MBSSID elements in the nested netlink attribute attrs, which can\nlead to an integer overflow if a user of the nl80211 interface specifies\n256 or more elements in the corresponding attribute in userspace. The\ninteger overflow can lead to a heap buffer overflow as num_elems determines\nthe size of the trailing array in elems, and this array is thereafter\nwritten to for each element in attrs.\n\nNote that this vulnerability only affects devices with the\nwiphy-\u003embssid_max_interfaces member set for the wireless physical device\nstruct in the device driver, and can only be triggered by a process with\nCAP_NET_ADMIN capabilities.\n\nFix this by checking for a maximum of 255 elements in attrs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:11.525Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e642eb67b8c10dcce758d549cc81564116e0fa49"
},
{
"url": "https://git.kernel.org/stable/c/7d09f9f255a5f78578deba5454923072bb53b16c"
},
{
"url": "https://git.kernel.org/stable/c/6311071a056272e1e761de8d0305e87cc566f734"
}
],
"title": "wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53570",
"datePublished": "2025-10-04T15:17:11.525Z",
"dateReserved": "2025-10-04T15:14:15.925Z",
"dateUpdated": "2025-10-04T15:17:11.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53258 (GCVE-0-2023-53258)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix possible underflow for displays with large vblank
[Why]
Underflow observed when using a display with a large vblank region
and low refresh rate
[How]
Simplify calculation of vblank_nom
Increase value for VBlankNomDefaultUS to 800us
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5741133e6e2f304b40ca1da0e16f62af06f4d22",
"status": "affected",
"version": "4c3861f587400db00801810eb8034c7b480e21dd",
"versionType": "git"
},
{
"lessThan": "64bc8e10c87adf60b2d32aacf3afb288e51d5a62",
"status": "affected",
"version": "4c3861f587400db00801810eb8034c7b480e21dd",
"versionType": "git"
},
{
"lessThan": "1a4bcdbea4319efeb26cc4b05be859a7867e02dc",
"status": "affected",
"version": "4c3861f587400db00801810eb8034c7b480e21dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix possible underflow for displays with large vblank\n\n[Why]\nUnderflow observed when using a display with a large vblank region\nand low refresh rate\n\n[How]\nSimplify calculation of vblank_nom\n\nIncrease value for VBlankNomDefaultUS to 800us"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:27.741Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5741133e6e2f304b40ca1da0e16f62af06f4d22"
},
{
"url": "https://git.kernel.org/stable/c/64bc8e10c87adf60b2d32aacf3afb288e51d5a62"
},
{
"url": "https://git.kernel.org/stable/c/1a4bcdbea4319efeb26cc4b05be859a7867e02dc"
}
],
"title": "drm/amd/display: Fix possible underflow for displays with large vblank",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53258",
"datePublished": "2025-09-15T14:46:29.867Z",
"dateReserved": "2025-09-15T14:19:21.850Z",
"dateUpdated": "2025-09-16T08:02:27.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53424 (GCVE-0-2023-53424)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: mediatek: fix of_iomap memory leak
Smatch reports:
drivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn:
'base' from of_iomap() not released on lines: 496.
This problem was also found in linux-next. In mtk_clk_simple_probe(),
base is not released when handling errors
if clk_data is not existed, which may cause a leak.
So free_base should be added here to release base.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mtk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cae6a28d8c12c597e8656962271520434c61c48",
"status": "affected",
"version": "c58cd0e40ffac67961b945793876b973728f9b80",
"versionType": "git"
},
{
"lessThan": "47234e19b00816a8a7b278c7173f6d4e928c43c7",
"status": "affected",
"version": "c58cd0e40ffac67961b945793876b973728f9b80",
"versionType": "git"
},
{
"lessThan": "3db7285e044144fd88a356f5b641b9cd4b231a77",
"status": "affected",
"version": "c58cd0e40ffac67961b945793876b973728f9b80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/mediatek/clk-mtk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: fix of_iomap memory leak\n\nSmatch reports:\ndrivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn:\n \u0027base\u0027 from of_iomap() not released on lines: 496.\n\nThis problem was also found in linux-next. In mtk_clk_simple_probe(),\nbase is not released when handling errors\nif clk_data is not existed, which may cause a leak.\nSo free_base should be added here to release base."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:06.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cae6a28d8c12c597e8656962271520434c61c48"
},
{
"url": "https://git.kernel.org/stable/c/47234e19b00816a8a7b278c7173f6d4e928c43c7"
},
{
"url": "https://git.kernel.org/stable/c/3db7285e044144fd88a356f5b641b9cd4b231a77"
}
],
"title": "clk: mediatek: fix of_iomap memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53424",
"datePublished": "2025-09-18T16:04:06.635Z",
"dateReserved": "2025-09-17T14:54:09.742Z",
"dateUpdated": "2025-09-18T16:04:06.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53342 (GCVE-0-2023-53342)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix handling IPv4 routes with nhid
Fix handling IPv4 routes referencing a nexthop via its id by replacing
calls to fib_info_nh() with fib_info_nhc().
Trying to add an IPv4 route referencing a nextop via nhid:
$ ip link set up swp5
$ ip a a 10.0.0.1/24 dev swp5
$ ip nexthop add dev swp5 id 20 via 10.0.0.2
$ ip route add 10.0.1.0/24 nhid 20
triggers warnings when trying to handle the route:
[ 528.805763] ------------[ cut here ]------------
[ 528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
[ 528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
[ 528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G O 6.4.5 #1
[ 528.845178] Hardware name: delta,tn48m-dn (DT)
[ 528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
[ 528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
[ 528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera]
[ 528.876007] sp : ffff80000b20bc90
[ 528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48
[ 528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
[ 528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200
[ 528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059
[ 528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
[ 528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
[ 528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020
[ 528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86
[ 528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc
[ 528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80
[ 528.951058] Call trace:
[ 528.953516] __prestera_fi_is_direct+0x2c/0x68 [prestera]
[ 528.958952] __prestera_router_fib_event_work+0x100/0x158 [prestera]
[ 528.965348] process_one_work+0x208/0x488
[ 528.969387] worker_thread+0x4c/0x430
[ 528.973068] kthread+0x120/0x138
[ 528.976313] ret_from_fork+0x10/0x20
[ 528.979909] ---[ end trace 0000000000000000 ]---
[ 528.984998] ------------[ cut here ]------------
[ 528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
[ 528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
[ 529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G W O 6.4.5 #1
[ 529.024368] Hardware name: delta,tn48m-dn (DT)
[ 529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
[ 529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
[ 529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera]
[ 529.055452] sp : ffff80000b20bc60
[ 529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48
[ 529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
[ 529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0
[ 529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059
[ 529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
[ 529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
[ 529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80
[ 529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3e5f3b7f25d7b90f3b76d98a946fec6e5f79216",
"status": "affected",
"version": "396b80cb5cc8006a488ea25ef84fae245dc1b43c",
"versionType": "git"
},
{
"lessThan": "8373dca3c1f8a203cecebe3421dbe890c4f08e16",
"status": "affected",
"version": "396b80cb5cc8006a488ea25ef84fae245dc1b43c",
"versionType": "git"
},
{
"lessThan": "2aa71b4b294ee2c3041d085404cea914be9b3225",
"status": "affected",
"version": "396b80cb5cc8006a488ea25ef84fae245dc1b43c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix handling IPv4 routes with nhid\n\nFix handling IPv4 routes referencing a nexthop via its id by replacing\ncalls to fib_info_nh() with fib_info_nhc().\n\nTrying to add an IPv4 route referencing a nextop via nhid:\n\n $ ip link set up swp5\n $ ip a a 10.0.0.1/24 dev swp5\n $ ip nexthop add dev swp5 id 20 via 10.0.0.2\n $ ip route add 10.0.1.0/24 nhid 20\n\ntriggers warnings when trying to handle the route:\n\n[ 528.805763] ------------[ cut here ]------------\n[ 528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[ 528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]\n[ 528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G O 6.4.5 #1\n[ 528.845178] Hardware name: delta,tn48m-dn (DT)\n[ 528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]\n[ 528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[ 528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera]\n[ 528.876007] sp : ffff80000b20bc90\n[ 528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48\n[ 528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800\n[ 528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200\n[ 528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059\n[ 528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000\n[ 528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000\n[ 528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020\n[ 528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86\n[ 528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc\n[ 528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80\n[ 528.951058] Call trace:\n[ 528.953516] __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[ 528.958952] __prestera_router_fib_event_work+0x100/0x158 [prestera]\n[ 528.965348] process_one_work+0x208/0x488\n[ 528.969387] worker_thread+0x4c/0x430\n[ 528.973068] kthread+0x120/0x138\n[ 528.976313] ret_from_fork+0x10/0x20\n[ 528.979909] ---[ end trace 0000000000000000 ]---\n[ 528.984998] ------------[ cut here ]------------\n[ 528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[ 528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]\n[ 529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G W O 6.4.5 #1\n[ 529.024368] Hardware name: delta,tn48m-dn (DT)\n[ 529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]\n[ 529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[ 529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera]\n[ 529.055452] sp : ffff80000b20bc60\n[ 529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48\n[ 529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800\n[ 529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0\n[ 529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059\n[ 529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000\n[ 529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000\n[ 529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80\n[ 529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:35.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3e5f3b7f25d7b90f3b76d98a946fec6e5f79216"
},
{
"url": "https://git.kernel.org/stable/c/8373dca3c1f8a203cecebe3421dbe890c4f08e16"
},
{
"url": "https://git.kernel.org/stable/c/2aa71b4b294ee2c3041d085404cea914be9b3225"
}
],
"title": "net: marvell: prestera: fix handling IPv4 routes with nhid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53342",
"datePublished": "2025-09-17T14:56:35.574Z",
"dateReserved": "2025-09-16T16:08:59.565Z",
"dateUpdated": "2025-09-17T14:56:35.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39730 (GCVE-0-2025-39730)
Vulnerability from cvelistv5
Published
2025-09-07 15:16
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
The function needs to check the minimal filehandle length before it can
access the embedded filehandle.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 Version: 20fa19027286983ab2734b5910c4a687436e0c31 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:48.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f8eca87fef7519e9c41f3258f25ebc2752247ee",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "cb09afa0948d96b1e385d609ed044bb1aa043536",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "3570ef5c31314c13274c935a20b91768ab5bf412",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "763810bb883cb4de412a72f338d80947d97df67b",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "2ad40b7992aa26bc631afc1a995b0e3ddc30de3f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "b7f7866932466332a2528fda099000b035303485",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "7dd36f7477d1e03a1fcf8d13531ca326c4fb599f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "ef93a685e01a281b5e2a25ce4e3428cf9371a205",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded filehandle."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:15.665Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f8eca87fef7519e9c41f3258f25ebc2752247ee"
},
{
"url": "https://git.kernel.org/stable/c/cb09afa0948d96b1e385d609ed044bb1aa043536"
},
{
"url": "https://git.kernel.org/stable/c/3570ef5c31314c13274c935a20b91768ab5bf412"
},
{
"url": "https://git.kernel.org/stable/c/763810bb883cb4de412a72f338d80947d97df67b"
},
{
"url": "https://git.kernel.org/stable/c/12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40"
},
{
"url": "https://git.kernel.org/stable/c/2ad40b7992aa26bc631afc1a995b0e3ddc30de3f"
},
{
"url": "https://git.kernel.org/stable/c/b7f7866932466332a2528fda099000b035303485"
},
{
"url": "https://git.kernel.org/stable/c/7dd36f7477d1e03a1fcf8d13531ca326c4fb599f"
},
{
"url": "https://git.kernel.org/stable/c/ef93a685e01a281b5e2a25ce4e3428cf9371a205"
}
],
"title": "NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39730",
"datePublished": "2025-09-07T15:16:19.377Z",
"dateReserved": "2025-04-16T07:20:57.118Z",
"dateUpdated": "2025-11-03T17:42:48.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39931 (GCVE-0-2025-39931)
Vulnerability from cvelistv5
Published
2025-10-04 07:30
Modified
2025-10-04 07:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Set merge to zero early in af_alg_sendmsg
If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop. This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.
Fix this by setting ctx->merge to zero near the start of the loop.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6241b9e2809b12da9130894cf5beddf088dc1b8a",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "2374c11189ef704a3e4863646369f1b8e6a27d71",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "24c1106504c625fabd3b7229611af617b4c27ac7",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "045ee26aa3920a47ec46d7fcb302420bf01fd753",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "9574b2330dbd2b5459b74d3b5e9619d39299fc6f",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Set merge to zero early in af_alg_sendmsg\n\nIf an error causes af_alg_sendmsg to abort, ctx-\u003emerge may contain\na garbage value from the previous loop. This may then trigger a\ncrash on the next entry into af_alg_sendmsg when it attempts to do\na merge that can\u0027t be done.\n\nFix this by setting ctx-\u003emerge to zero near the start of the loop."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:30:55.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6241b9e2809b12da9130894cf5beddf088dc1b8a"
},
{
"url": "https://git.kernel.org/stable/c/2374c11189ef704a3e4863646369f1b8e6a27d71"
},
{
"url": "https://git.kernel.org/stable/c/24c1106504c625fabd3b7229611af617b4c27ac7"
},
{
"url": "https://git.kernel.org/stable/c/045ee26aa3920a47ec46d7fcb302420bf01fd753"
},
{
"url": "https://git.kernel.org/stable/c/9574b2330dbd2b5459b74d3b5e9619d39299fc6f"
}
],
"title": "crypto: af_alg - Set merge to zero early in af_alg_sendmsg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39931",
"datePublished": "2025-10-04T07:30:55.964Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-04T07:30:55.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40010 (GCVE-0-2025-40010)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix potential null pointer dereference in afs_put_server
afs_put_server() accessed server->debug_id before the NULL check, which
could lead to a null pointer dereference. Move the debug_id assignment,
ensuring we never dereference a NULL server pointer.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b8381f3c405b864a814d747e526e078c3ef4bc2",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "cab278cead49a547ac84c3e185f446f381303eae",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "a13dbc5e20c7284b82afe6f08debdecf51d2ca04",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "41782c44bb8431c43043129ae42f2ba614938479",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
},
{
"lessThan": "9158c6bb245113d4966df9b2ba602197a379412e",
"status": "affected",
"version": "2757a4dc184997c66ef1de32636f73b9f21aac14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/afs/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix potential null pointer dereference in afs_put_server\n\nafs_put_server() accessed server-\u003edebug_id before the NULL check, which\ncould lead to a null pointer dereference. Move the debug_id assignment,\nensuring we never dereference a NULL server pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:55.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b8381f3c405b864a814d747e526e078c3ef4bc2"
},
{
"url": "https://git.kernel.org/stable/c/cab278cead49a547ac84c3e185f446f381303eae"
},
{
"url": "https://git.kernel.org/stable/c/a13dbc5e20c7284b82afe6f08debdecf51d2ca04"
},
{
"url": "https://git.kernel.org/stable/c/41782c44bb8431c43043129ae42f2ba614938479"
},
{
"url": "https://git.kernel.org/stable/c/9158c6bb245113d4966df9b2ba602197a379412e"
}
],
"title": "afs: Fix potential null pointer dereference in afs_put_server",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40010",
"datePublished": "2025-10-20T15:26:55.874Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:55.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53540 (GCVE-0-2023-53540)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: reject auth/assoc to AP with our address
If the AP uses our own address as its MLD address or BSSID, then
clearly something's wrong. Reject such connections so we don't
try and fail later.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "676a423410131d111a264d29aecbe6aadd57fb22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07added2c6cd63de047bc786b39436322abb67c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d4e04bf3a0f098bd9033de3a5291810fa14c7a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: reject auth/assoc to AP with our address\n\nIf the AP uses our own address as its MLD address or BSSID, then\nclearly something\u0027s wrong. Reject such connections so we don\u0027t\ntry and fail later."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:50.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/676a423410131d111a264d29aecbe6aadd57fb22"
},
{
"url": "https://git.kernel.org/stable/c/07added2c6cd63de047bc786b39436322abb67c0"
},
{
"url": "https://git.kernel.org/stable/c/5d4e04bf3a0f098bd9033de3a5291810fa14c7a6"
}
],
"title": "wifi: cfg80211: reject auth/assoc to AP with our address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53540",
"datePublished": "2025-10-04T15:16:50.079Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2025-10-04T15:16:50.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40036 (GCVE-0-2025-40036)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix possible map leak in fastrpc_put_args
copy_to_user() failure would cause an early return without cleaning up
the fdlist, which has been updated by the DSP. This could lead to map
leak. Fix this by redirecting to a cleanup path on failure, ensuring
that all mapped buffers are properly released before returning.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a085658264d0c8d4f795d4631f77d7289a021de9",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "3ad42dc66445df6977cf4be0c06f1a655299ce6c",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "78d33a041555db03903e8037fd053ed74fbd88cb",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "c000f65f0ac93d9f9cc69a230d372f6ca93e4879",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
},
{
"lessThan": "da1ba64176e0138f2bfa96f9e43e8c3640d01e1e",
"status": "affected",
"version": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix possible map leak in fastrpc_put_args\n\ncopy_to_user() failure would cause an early return without cleaning up\nthe fdlist, which has been updated by the DSP. This could lead to map\nleak. Fix this by redirecting to a cleanup path on failure, ensuring\nthat all mapped buffers are properly released before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:17.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a085658264d0c8d4f795d4631f77d7289a021de9"
},
{
"url": "https://git.kernel.org/stable/c/3ad42dc66445df6977cf4be0c06f1a655299ce6c"
},
{
"url": "https://git.kernel.org/stable/c/78d33a041555db03903e8037fd053ed74fbd88cb"
},
{
"url": "https://git.kernel.org/stable/c/c000f65f0ac93d9f9cc69a230d372f6ca93e4879"
},
{
"url": "https://git.kernel.org/stable/c/da1ba64176e0138f2bfa96f9e43e8c3640d01e1e"
}
],
"title": "misc: fastrpc: fix possible map leak in fastrpc_put_args",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40036",
"datePublished": "2025-10-28T11:48:17.630Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-10-28T11:48:17.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53619 (GCVE-0-2023-53619)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
If nf_conntrack_init_start() fails (for example due to a
register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
clean-up path frees the nf_ct_helper_hash map.
When built with NF_CONNTRACK=y, further netfilter modules (e.g:
netfilter_conntrack_ftp) can still be loaded and call
nf_conntrack_helpers_register(), independently of whether nf_conntrack
initialized correctly. This accesses the nf_ct_helper_hash dangling
pointer and causes a uaf, possibly leading to random memory corruption.
This patch guards nf_conntrack_helper_register() from accessing a freed
or uninitialized nf_ct_helper_hash pointer and fixes possible
uses-after-free when loading a conntrack module.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 Version: 12f7a505331e6b2754684b509f2ac8f0011ce644 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ee69c91cb8f9ca144bc0861969e5a1a3c6152a7",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "00716f25f9697d02a0d9bd622575c7c7321ba3d0",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "61c7a5256543ae7d24cd9d21853d514c8632e1e9",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "8289d422f5e484efe4a565fe18e862ecd621c175",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "6f03ce2f1abcb9f9d0511e3659ca6eb60e39f566",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "05561f822f27b9fa88fa5504ddec34bf38833034",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "fce5cc7cbd4b92f979bf02c9ec5fb69aaeba92d7",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "6eef7a2b933885a17679eb8ed0796ddf0ee5309b",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: Avoid nf_ct_helper_hash uses after free\n\nIf nf_conntrack_init_start() fails (for example due to a\nregister_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()\nclean-up path frees the nf_ct_helper_hash map.\n\nWhen built with NF_CONNTRACK=y, further netfilter modules (e.g:\nnetfilter_conntrack_ftp) can still be loaded and call\nnf_conntrack_helpers_register(), independently of whether nf_conntrack\ninitialized correctly. This accesses the nf_ct_helper_hash dangling\npointer and causes a uaf, possibly leading to random memory corruption.\n\nThis patch guards nf_conntrack_helper_register() from accessing a freed\nor uninitialized nf_ct_helper_hash pointer and fixes possible\nuses-after-free when loading a conntrack module."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:26.003Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ee69c91cb8f9ca144bc0861969e5a1a3c6152a7"
},
{
"url": "https://git.kernel.org/stable/c/00716f25f9697d02a0d9bd622575c7c7321ba3d0"
},
{
"url": "https://git.kernel.org/stable/c/61c7a5256543ae7d24cd9d21853d514c8632e1e9"
},
{
"url": "https://git.kernel.org/stable/c/8289d422f5e484efe4a565fe18e862ecd621c175"
},
{
"url": "https://git.kernel.org/stable/c/6f03ce2f1abcb9f9d0511e3659ca6eb60e39f566"
},
{
"url": "https://git.kernel.org/stable/c/05561f822f27b9fa88fa5504ddec34bf38833034"
},
{
"url": "https://git.kernel.org/stable/c/fce5cc7cbd4b92f979bf02c9ec5fb69aaeba92d7"
},
{
"url": "https://git.kernel.org/stable/c/6eef7a2b933885a17679eb8ed0796ddf0ee5309b"
}
],
"title": "netfilter: conntrack: Avoid nf_ct_helper_hash uses after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53619",
"datePublished": "2025-10-07T15:19:26.003Z",
"dateReserved": "2025-10-07T15:16:59.655Z",
"dateUpdated": "2025-10-07T15:19:26.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38494 (GCVE-0-2025-38494)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: do not bypass hid_hw_raw_request
hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid paramto be used.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:01.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd8e8314f2ce225dade5248dcfb9e2ac0edda624",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40e25aa7e4e0f2440c73a683ee448e41c7c344ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f10923b8d32a473b229477b63f23bbd72b1e9910",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a62a895edb2bfebffa865b5129a66e3b4287f34f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e5017d84d650ca0eeaf4a3fe9264c5dbc886b81",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d18f63e848840100dbc351a82e7042eac5a28cf5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19d1314d46c0d8a5c08ab53ddeb62280c77698c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c2ca42f190b6714d6c481dfd3d9b62ea091c946b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: do not bypass hid_hw_raw_request\n\nhid_hw_raw_request() is actually useful to ensure the provided buffer\nand length are valid. Directly calling in the low level transport driver\nfunction bypassed those checks and allowed invalid paramto be used."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:28.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd8e8314f2ce225dade5248dcfb9e2ac0edda624"
},
{
"url": "https://git.kernel.org/stable/c/40e25aa7e4e0f2440c73a683ee448e41c7c344ed"
},
{
"url": "https://git.kernel.org/stable/c/f10923b8d32a473b229477b63f23bbd72b1e9910"
},
{
"url": "https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f"
},
{
"url": "https://git.kernel.org/stable/c/0e5017d84d650ca0eeaf4a3fe9264c5dbc886b81"
},
{
"url": "https://git.kernel.org/stable/c/d18f63e848840100dbc351a82e7042eac5a28cf5"
},
{
"url": "https://git.kernel.org/stable/c/19d1314d46c0d8a5c08ab53ddeb62280c77698c0"
},
{
"url": "https://git.kernel.org/stable/c/c2ca42f190b6714d6c481dfd3d9b62ea091c946b"
}
],
"title": "HID: core: do not bypass hid_hw_raw_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38494",
"datePublished": "2025-07-28T11:22:03.180Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:01.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39952 (GCVE-0-2025-39952)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: avoid buffer overflow in WID string configuration
Fix the following copy overflow warning identified by Smatch checker.
drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()
error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)
This patch introduces size check before accessing the memory buffer.
The checks are base on the WID type of received data from the firmware.
For WID string configuration, the size limit is determined by individual
element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field
of 'struct wilc_cfg_str'.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.c",
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6085291a1a5865d4ad70f0e5812d524ebd5d1711",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2203ef417044b10a8563ade6a17c74183745d72e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae50f8562306a7ea1cf3c9722f97ee244f974729",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe9e4d0c39311d0f97b024147a0d155333f388b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.c",
"drivers/net/wireless/microchip/wilc1000/wlan_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: avoid buffer overflow in WID string configuration\n\nFix the following copy overflow warning identified by Smatch checker.\n\n drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()\n error: \u0027__memcpy()\u0027 \u0027cfg-\u003es[i]-\u003estr\u0027 copy overflow (512 vs 65537)\n\nThis patch introduces size check before accessing the memory buffer.\nThe checks are base on the WID type of received data from the firmware.\nFor WID string configuration, the size limit is determined by individual\nelement size in \u0027struct wilc_cfg_str_vals\u0027 that is maintained in \u0027len\u0027 field\nof \u0027struct wilc_cfg_str\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:12.445Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6085291a1a5865d4ad70f0e5812d524ebd5d1711"
},
{
"url": "https://git.kernel.org/stable/c/2203ef417044b10a8563ade6a17c74183745d72e"
},
{
"url": "https://git.kernel.org/stable/c/ae50f8562306a7ea1cf3c9722f97ee244f974729"
},
{
"url": "https://git.kernel.org/stable/c/fe9e4d0c39311d0f97b024147a0d155333f388b5"
}
],
"title": "wifi: wilc1000: avoid buffer overflow in WID string configuration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39952",
"datePublished": "2025-10-04T07:31:12.445Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:12.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39847 (GCVE-0-2025-39847)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix memory leak in pad_compress_skb
If alloc_skb() fails in pad_compress_skb(), it returns NULL without
releasing the old skb. The caller does:
skb = pad_compress_skb(ppp, skb);
if (!skb)
goto drop;
drop:
kfree_skb(skb);
When pad_compress_skb() returns NULL, the reference to the old skb is
lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.
Align pad_compress_skb() semantics with realloc(): only free the old
skb if allocation and compression succeed. At the call site, use the
new_skb variable so the original skb is not lost when pad_compress_skb()
fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c Version: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:04.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ca6a040f76c0b149293e430dabab446f3fc8ab7",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "87a35a36742df328d0badf4fbc2e56061c15846c",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "0b21e9cd4559102da798bdcba453b64ecd7be7ee",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "85c1c86a67e09143aa464e9bf09c397816772348",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "33a5bac5f14772730d2caf632ae97b6c2ee95044",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
},
{
"lessThan": "4844123fe0b853a4982c02666cb3fd863d701d50",
"status": "affected",
"version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n skb = pad_compress_skb(ppp, skb);\n if (!skb)\n goto drop;\n\ndrop:\n kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed. At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:57.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ca6a040f76c0b149293e430dabab446f3fc8ab7"
},
{
"url": "https://git.kernel.org/stable/c/87a35a36742df328d0badf4fbc2e56061c15846c"
},
{
"url": "https://git.kernel.org/stable/c/0b21e9cd4559102da798bdcba453b64ecd7be7ee"
},
{
"url": "https://git.kernel.org/stable/c/1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8"
},
{
"url": "https://git.kernel.org/stable/c/85c1c86a67e09143aa464e9bf09c397816772348"
},
{
"url": "https://git.kernel.org/stable/c/631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4"
},
{
"url": "https://git.kernel.org/stable/c/33a5bac5f14772730d2caf632ae97b6c2ee95044"
},
{
"url": "https://git.kernel.org/stable/c/4844123fe0b853a4982c02666cb3fd863d701d50"
}
],
"title": "ppp: fix memory leak in pad_compress_skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39847",
"datePublished": "2025-09-19T15:26:20.648Z",
"dateReserved": "2025-04-16T07:20:57.141Z",
"dateUpdated": "2025-11-03T17:44:04.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39873 (GCVE-0-2025-39873)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.
The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.
An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.
[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:20.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e202ffd9e54538ef67ec301ebd6d9da4823466c9",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "1139321161a3ba5e45e61e0738b37f42f20bc57a",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "94b050726288a56a6b8ff55aa641f2fedbd3b44c",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "725b33deebd6e4c96fe7893f384510a54258f28f",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "668cc1e3bb21101d074e430de1b7ba8fd10189e7",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "ef79f00be72bd81d2e1e6f060d83cf7e425deee4",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:10.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e202ffd9e54538ef67ec301ebd6d9da4823466c9"
},
{
"url": "https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a"
},
{
"url": "https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c"
},
{
"url": "https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f"
},
{
"url": "https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7"
},
{
"url": "https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4"
}
],
"title": "can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39873",
"datePublished": "2025-09-23T06:00:46.157Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:20.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53287 (GCVE-0-2023-53287)
Vulnerability from cvelistv5
Published
2025-09-16 08:11
Modified
2025-09-17 11:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: Put the cdns set active part outside the spin lock
The device may be scheduled during the resume process,
so this cannot appear in atomic operations. Since
pm_runtime_set_active will resume suppliers, put set
active outside the spin lock, which is only used to
protect the struct cdns data structure, otherwise the
kernel will report the following warning:
BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 651, name: sh
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
CPU: 0 PID: 651 Comm: sh Tainted: G WC 6.1.20 #1
Hardware name: Freescale i.MX8QM MEK (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x30
dump_stack_lvl+0x64/0x80
dump_stack+0x1c/0x38
__might_resched+0x1fc/0x240
__might_sleep+0x68/0xc0
__pm_runtime_resume+0x9c/0xe0
rpm_get_suppliers+0x68/0x1b0
__pm_runtime_set_status+0x298/0x560
cdns_resume+0xb0/0x1c0
cdns3_controller_resume.isra.0+0x1e0/0x250
cdns3_plat_resume+0x28/0x40
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-plat.c",
"drivers/usb/cdns3/cdnsp-pci.c",
"drivers/usb/cdns3/core.c",
"drivers/usb/cdns3/core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c861a61be6d30538ebcf7fcab1d43f244e298840",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "bbc9c3652708108738009e096d608ece3cd9fa8a",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "d3f372ec95b89776f72d5c9a475424e27734c223",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "2319b9c87fe243327285f2fefd7374ffd75a65fc",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-plat.c",
"drivers/usb/cdns3/cdnsp-pci.c",
"drivers/usb/cdns3/core.c",
"drivers/usb/cdns3/core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: Put the cdns set active part outside the spin lock\n\nThe device may be scheduled during the resume process,\nso this cannot appear in atomic operations. Since\npm_runtime_set_active will resume suppliers, put set\nactive outside the spin lock, which is only used to\nprotect the struct cdns data structure, otherwise the\nkernel will report the following warning:\n\n BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 651, name: sh\n preempt_count: 1, expected: 0\n RCU nest depth: 0, expected: 0\n CPU: 0 PID: 651 Comm: sh Tainted: G WC 6.1.20 #1\n Hardware name: Freescale i.MX8QM MEK (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x64/0x80\n dump_stack+0x1c/0x38\n __might_resched+0x1fc/0x240\n __might_sleep+0x68/0xc0\n __pm_runtime_resume+0x9c/0xe0\n rpm_get_suppliers+0x68/0x1b0\n __pm_runtime_set_status+0x298/0x560\n cdns_resume+0xb0/0x1c0\n cdns3_controller_resume.isra.0+0x1e0/0x250\n cdns3_plat_resume+0x28/0x40"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T11:02:53.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c861a61be6d30538ebcf7fcab1d43f244e298840"
},
{
"url": "https://git.kernel.org/stable/c/bbc9c3652708108738009e096d608ece3cd9fa8a"
},
{
"url": "https://git.kernel.org/stable/c/d3f372ec95b89776f72d5c9a475424e27734c223"
},
{
"url": "https://git.kernel.org/stable/c/2319b9c87fe243327285f2fefd7374ffd75a65fc"
}
],
"title": "usb: cdns3: Put the cdns set active part outside the spin lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53287",
"datePublished": "2025-09-16T08:11:20.304Z",
"dateReserved": "2025-09-16T08:09:37.992Z",
"dateUpdated": "2025-09-17T11:02:53.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40071 (GCVE-0-2025-40071)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: Don't block input queue by waiting MSC
Currently gsm_queue() processes incoming frames and when opening
a DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().
If basic mode is used it calls gsm_modem_upd_via_msc() and it
cannot block the input queue by waiting the response to come
into the same input queue.
Instead allow sending Modem Status Command without waiting for remote
end to respond. Define a new function gsm_modem_send_initial_msc()
for this purpose. As MSC is only valid for basic encoding, it does
not do anything for advanced or when convergence layer type 2 is used.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48473802506d2d6151f59e0e764932b33b53cb3b Version: 48473802506d2d6151f59e0e764932b33b53cb3b Version: 48473802506d2d6151f59e0e764932b33b53cb3b Version: 48473802506d2d6151f59e0e764932b33b53cb3b Version: 920e849b7d23ced84c9d11e11e2449e34973cfb8 Version: e83b4e1540469babeffcfd44a605cf8a61542598 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c36785f9de03df56ff9b8eca30fa681a12b2310d",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "5416e89b81b00443cb03c88df8da097ae091a141",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "c5a2791a7f11939f05f95c01f0aec0c55bbf28d5",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"lessThan": "3cf0b3c243e56bc43be560617416c1d9f301f44c",
"status": "affected",
"version": "48473802506d2d6151f59e0e764932b33b53cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "920e849b7d23ced84c9d11e11e2449e34973cfb8",
"versionType": "git"
},
{
"status": "affected",
"version": "e83b4e1540469babeffcfd44a605cf8a61542598",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: Don\u0027t block input queue by waiting MSC\n\nCurrently gsm_queue() processes incoming frames and when opening\na DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().\nIf basic mode is used it calls gsm_modem_upd_via_msc() and it\ncannot block the input queue by waiting the response to come\ninto the same input queue.\n\nInstead allow sending Modem Status Command without waiting for remote\nend to respond. Define a new function gsm_modem_send_initial_msc()\nfor this purpose. As MSC is only valid for basic encoding, it does\nnot do anything for advanced or when convergence layer type 2 is used."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:39.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c36785f9de03df56ff9b8eca30fa681a12b2310d"
},
{
"url": "https://git.kernel.org/stable/c/5416e89b81b00443cb03c88df8da097ae091a141"
},
{
"url": "https://git.kernel.org/stable/c/c5a2791a7f11939f05f95c01f0aec0c55bbf28d5"
},
{
"url": "https://git.kernel.org/stable/c/3cf0b3c243e56bc43be560617416c1d9f301f44c"
}
],
"title": "tty: n_gsm: Don\u0027t block input queue by waiting MSC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40071",
"datePublished": "2025-10-28T11:48:39.417Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-10-28T11:48:39.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53546 (GCVE-0-2023-53546)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory
pointed by 'in' is not released, which will cause memory leak. Move memory
release after mlx5_cmd_exec.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 Version: 1d9186476e12c85dc81a0f01f5c614a9683af7f2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "800d8c96bf997da5eb76ccf8d88795c4231c83fb",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
},
{
"lessThan": "165159854757dbae0dfd1812b27051da35aa6223",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
},
{
"lessThan": "00cecb0a8f9e7a21754d5ad85813ab6b47b3308f",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
},
{
"lessThan": "3169c3854397f3070a63b1b772db16dcb8cba7b4",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
},
{
"lessThan": "622d71d99124e69f7bf2e2b7a89f5f444a24d235",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
},
{
"lessThan": "5dd77585dd9d0e03dd1bceb95f0269a7eaf6b936",
"status": "affected",
"version": "1d9186476e12c85dc81a0f01f5c614a9683af7f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx\n\nwhen mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory\npointed by \u0027in\u0027 is not released, which will cause memory leak. Move memory\nrelease after mlx5_cmd_exec."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:54.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/800d8c96bf997da5eb76ccf8d88795c4231c83fb"
},
{
"url": "https://git.kernel.org/stable/c/165159854757dbae0dfd1812b27051da35aa6223"
},
{
"url": "https://git.kernel.org/stable/c/00cecb0a8f9e7a21754d5ad85813ab6b47b3308f"
},
{
"url": "https://git.kernel.org/stable/c/3169c3854397f3070a63b1b772db16dcb8cba7b4"
},
{
"url": "https://git.kernel.org/stable/c/622d71d99124e69f7bf2e2b7a89f5f444a24d235"
},
{
"url": "https://git.kernel.org/stable/c/5dd77585dd9d0e03dd1bceb95f0269a7eaf6b936"
}
],
"title": "net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53546",
"datePublished": "2025-10-04T15:16:54.132Z",
"dateReserved": "2025-10-04T15:14:15.921Z",
"dateUpdated": "2025-10-04T15:16:54.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56605 (GCVE-0-2024-56605)
Vulnerability from cvelistv5
Published
2024-12-27 14:51
Modified
2025-11-03 20:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
bt_sock_alloc() allocates the sk object and attaches it to the provided
sock object. On error l2cap_sock_alloc() frees the sk object, but the
dangling pointer is still attached to the sock object, which may create
use-after-free in other code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:42:08.177341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:22.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:50:51.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6ad641646b67f29c7578dcd6c25813c7dcbf51e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "daa13175a6dea312a76099066cb4cbd4fc959a84",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8677028dd5123e5e525b8195483994d87123de4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bb2f2342a6ddf7c04f9aefbbfe86104cd138e629",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ad09ddc63ace3950ac43db6fbfe25b40f589dd6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61686abc2f3c2c67822aa23ce6f160467ec83d35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()\n\nbt_sock_alloc() allocates the sk object and attaches it to the provided\nsock object. On error l2cap_sock_alloc() frees the sk object, but the\ndangling pointer is still attached to the sock object, which may create\nuse-after-free in other code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:59:35.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6ad641646b67f29c7578dcd6c25813c7dcbf51e"
},
{
"url": "https://git.kernel.org/stable/c/daa13175a6dea312a76099066cb4cbd4fc959a84"
},
{
"url": "https://git.kernel.org/stable/c/a8677028dd5123e5e525b8195483994d87123de4"
},
{
"url": "https://git.kernel.org/stable/c/bb2f2342a6ddf7c04f9aefbbfe86104cd138e629"
},
{
"url": "https://git.kernel.org/stable/c/8ad09ddc63ace3950ac43db6fbfe25b40f589dd6"
},
{
"url": "https://git.kernel.org/stable/c/61686abc2f3c2c67822aa23ce6f160467ec83d35"
},
{
"url": "https://git.kernel.org/stable/c/7c4f78cdb8e7501e9f92d291a7d956591bf73be9"
}
],
"title": "Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56605",
"datePublished": "2024-12-27T14:51:10.344Z",
"dateReserved": "2024-12-27T14:03:06.013Z",
"dateUpdated": "2025-11-03T20:50:51.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39673 (GCVE-0-2025-39673)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix race conditions in ppp_fill_forward_path
ppp_fill_forward_path() has two race conditions:
1. The ppp->channels list can change between list_empty() and
list_first_entry(), as ppp_lock() is not held. If the only channel
is deleted in ppp_disconnect_channel(), list_first_entry() may
access an empty head or a freed entry, and trigger a panic.
2. pch->chan can be NULL. When ppp_unregister_channel() is called,
pch->chan is set to NULL before pch is removed from ppp->channels.
Fix these by using a lockless RCU approach:
- Use list_first_or_null_rcu() to safely test and access the first list
entry.
- Convert list modifications on ppp->channels to their RCU variants and
add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 Version: f6efc675c9dd8d93f826b79ae7e33e03301db609 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:08.016Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
},
{
"lessThan": "0f1630be6fcca3f0c63e4b242ad202e5cde28a40",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
},
{
"lessThan": "ca18d751bcc9faf5b7e82e9fae1223d103928181",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
},
{
"lessThan": "94731cc551e29511d85aa8dec61a6c071b1f2430",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
},
{
"lessThan": "f97f6475fdcb3c28ff3c55cc4b7bde632119ec08",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
},
{
"lessThan": "0417adf367a0af11adf7ace849af4638cfb573f7",
"status": "affected",
"version": "f6efc675c9dd8d93f826b79ae7e33e03301db609",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix race conditions in ppp_fill_forward_path\n\nppp_fill_forward_path() has two race conditions:\n\n1. The ppp-\u003echannels list can change between list_empty() and\n list_first_entry(), as ppp_lock() is not held. If the only channel\n is deleted in ppp_disconnect_channel(), list_first_entry() may\n access an empty head or a freed entry, and trigger a panic.\n\n2. pch-\u003echan can be NULL. When ppp_unregister_channel() is called,\n pch-\u003echan is set to NULL before pch is removed from ppp-\u003echannels.\n\nFix these by using a lockless RCU approach:\n- Use list_first_or_null_rcu() to safely test and access the first list\n entry.\n- Convert list modifications on ppp-\u003echannels to their RCU variants and\n add synchronize_net() after removal.\n- Check for a NULL pch-\u003echan before dereferencing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:08.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7"
},
{
"url": "https://git.kernel.org/stable/c/0f1630be6fcca3f0c63e4b242ad202e5cde28a40"
},
{
"url": "https://git.kernel.org/stable/c/ca18d751bcc9faf5b7e82e9fae1223d103928181"
},
{
"url": "https://git.kernel.org/stable/c/94731cc551e29511d85aa8dec61a6c071b1f2430"
},
{
"url": "https://git.kernel.org/stable/c/f97f6475fdcb3c28ff3c55cc4b7bde632119ec08"
},
{
"url": "https://git.kernel.org/stable/c/0417adf367a0af11adf7ace849af4638cfb573f7"
}
],
"title": "ppp: fix race conditions in ppp_fill_forward_path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39673",
"datePublished": "2025-09-05T17:20:38.769Z",
"dateReserved": "2025-04-16T07:20:57.112Z",
"dateUpdated": "2025-11-03T17:42:08.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53150 (GCVE-0-2023-53150)
Vulnerability from cvelistv5
Published
2025-09-15 14:03
Modified
2025-09-15 14:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Pointer may be dereferenced
Klocwork tool reported pointer 'rport' returned from call to function
fc_bsg_to_rport() may be NULL and will be dereferenced.
Add a fix to validate rport before dereferencing.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "005961bd8f066fe931104f67c34ebfcc7f240099",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a69125a3ce88d9a386872034e7664b30cc4bcbed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3f22f9ddbb29dba369daddb084be3bacf1587529",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5addd62586a94a572359418464ce0ae12fa46187",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0715da51391d223bf4981e28346770edea7eeb74",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b06d1b525364bbcf4929b4b35d81945b10dc9883",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "22b1d7c8bb59c3376430a8bad5840194b12bf29a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00eca15319d9ce8c31cdf22f32a3467775423df4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Pointer may be dereferenced\n\nKlocwork tool reported pointer \u0027rport\u0027 returned from call to function\nfc_bsg_to_rport() may be NULL and will be dereferenced.\n\nAdd a fix to validate rport before dereferencing."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:03:14.494Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/005961bd8f066fe931104f67c34ebfcc7f240099"
},
{
"url": "https://git.kernel.org/stable/c/a69125a3ce88d9a386872034e7664b30cc4bcbed"
},
{
"url": "https://git.kernel.org/stable/c/3f22f9ddbb29dba369daddb084be3bacf1587529"
},
{
"url": "https://git.kernel.org/stable/c/5addd62586a94a572359418464ce0ae12fa46187"
},
{
"url": "https://git.kernel.org/stable/c/0715da51391d223bf4981e28346770edea7eeb74"
},
{
"url": "https://git.kernel.org/stable/c/b06d1b525364bbcf4929b4b35d81945b10dc9883"
},
{
"url": "https://git.kernel.org/stable/c/22b1d7c8bb59c3376430a8bad5840194b12bf29a"
},
{
"url": "https://git.kernel.org/stable/c/00eca15319d9ce8c31cdf22f32a3467775423df4"
}
],
"title": "scsi: qla2xxx: Pointer may be dereferenced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53150",
"datePublished": "2025-09-15T14:03:14.494Z",
"dateReserved": "2025-05-02T15:51:43.565Z",
"dateUpdated": "2025-09-15T14:03:14.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53666 (GCVE-0-2023-53666)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd938x: fix missing mbhc init error handling
MBHC initialisation can fail so add the missing error handling to avoid
dereferencing an error pointer when later configuring the jack:
Unable to handle kernel paging request at virtual address fffffffffffffff8
pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]
lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]
Call trace:
wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]
wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]
snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]
qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]
sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]
snd_soc_link_init+0x28/0x90 [snd_soc_core]
snd_soc_bind_card+0x628/0xbfc [snd_soc_core]
snd_soc_register_card+0xec/0x104 [snd_soc_core]
devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]
sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a34d252052b5da743ef82591c860fc947384d4e",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "bb241ae928c694e365c30c888c9eb02dcc812dfd",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "31ee704c84c4bf4df8521ef1478c161f710d0f94",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
},
{
"lessThan": "7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66",
"status": "affected",
"version": "bcee7ed09b8e70b65d5c04f5d1acd2cf4213c2f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix missing mbhc init error handling\n\nMBHC initialisation can fail so add the missing error handling to avoid\ndereferencing an error pointer when later configuring the jack:\n\n Unable to handle kernel paging request at virtual address fffffffffffffff8\n\n pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n\n Call trace:\n wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]\n qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]\n sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]\n snd_soc_link_init+0x28/0x90 [snd_soc_core]\n snd_soc_bind_card+0x628/0xbfc [snd_soc_core]\n snd_soc_register_card+0xec/0x104 [snd_soc_core]\n devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]\n sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:24.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a34d252052b5da743ef82591c860fc947384d4e"
},
{
"url": "https://git.kernel.org/stable/c/bb241ae928c694e365c30c888c9eb02dcc812dfd"
},
{
"url": "https://git.kernel.org/stable/c/31ee704c84c4bf4df8521ef1478c161f710d0f94"
},
{
"url": "https://git.kernel.org/stable/c/7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66"
}
],
"title": "ASoC: codecs: wcd938x: fix missing mbhc init error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53666",
"datePublished": "2025-10-07T15:21:24.490Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:24.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39683 (GCVE-0-2025-39683)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Limit access to parser->buffer when trace_get_user failed
When the length of the string written to set_ftrace_filter exceeds
FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:
BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
Read of size 1 at addr ffff0000d00bd5ba by task ash/165
CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x34/0x50 (C)
dump_stack_lvl+0xa0/0x158
print_address_description.constprop.0+0x88/0x398
print_report+0xb0/0x280
kasan_report+0xa4/0xf0
__asan_report_load1_noabort+0x20/0x30
strsep+0x18c/0x1b0
ftrace_process_regex.isra.0+0x100/0x2d8
ftrace_regex_release+0x484/0x618
__fput+0x364/0xa58
____fput+0x28/0x40
task_work_run+0x154/0x278
do_notify_resume+0x1f0/0x220
el0_svc+0xec/0xf0
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1ac/0x1b0
The reason is that trace_get_user will fail when processing a string
longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.
Then an OOB access will be triggered in ftrace_regex_release->
ftrace_process_regex->strsep->strpbrk. We can solve this problem by
limiting access to parser->buffer when trace_get_user failed.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 634684d79733124f7470b226b0f42aada4426b07 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Version: 24cd31752f47699b89b4b3471155c8e599a1a23a Version: e9cb474de7ff7a970c2a3951c12ec7e3113c0c35 Version: 6ab671191f64b0da7d547e2ad4dc199ca7e5b558 Version: 3d9281a4ac7171c808f9507f0937eb236b353905 Version: 0b641b25870f02e2423e494365fc5243cc1e2759 Version: ffd51dbfd2900e50c71b5c069fe407957e52d61f Version: cdd107d7f18158d966c2bc136204fe826dac445c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:15.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b842ef39c2ad6156c13afdec25ecc6792a9b67b9",
"status": "affected",
"version": "634684d79733124f7470b226b0f42aada4426b07",
"versionType": "git"
},
{
"lessThan": "41b838420457802f21918df66764b6fbf829d330",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"lessThan": "418b448e1d7470da9d4d4797f71782595ee69c49",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"lessThan": "58ff8064cb4c7eddac4da1a59da039ead586950a",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"lessThan": "d0c68045b8b0f3737ed7bd6b8c83b7887014adee",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"lessThan": "3079517a5ba80901fe828a06998da64b9b8749be",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"lessThan": "6a909ea83f226803ea0e718f6e88613df9234d58",
"status": "affected",
"version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
"versionType": "git"
},
{
"status": "affected",
"version": "24cd31752f47699b89b4b3471155c8e599a1a23a",
"versionType": "git"
},
{
"status": "affected",
"version": "e9cb474de7ff7a970c2a3951c12ec7e3113c0c35",
"versionType": "git"
},
{
"status": "affected",
"version": "6ab671191f64b0da7d547e2ad4dc199ca7e5b558",
"versionType": "git"
},
{
"status": "affected",
"version": "3d9281a4ac7171c808f9507f0937eb236b353905",
"versionType": "git"
},
{
"status": "affected",
"version": "0b641b25870f02e2423e494365fc5243cc1e2759",
"versionType": "git"
},
{
"status": "affected",
"version": "ffd51dbfd2900e50c71b5c069fe407957e52d61f",
"versionType": "git"
},
{
"status": "affected",
"version": "cdd107d7f18158d966c2bc136204fe826dac445c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.10.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.191",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser-\u003ebuffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but not set the end of parser-\u003ebuffer to 0.\nThen an OOB access will be triggered in ftrace_regex_release-\u003e\nftrace_process_regex-\u003estrsep-\u003estrpbrk. We can solve this problem by\nlimiting access to parser-\u003ebuffer when trace_get_user failed."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:20.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b842ef39c2ad6156c13afdec25ecc6792a9b67b9"
},
{
"url": "https://git.kernel.org/stable/c/41b838420457802f21918df66764b6fbf829d330"
},
{
"url": "https://git.kernel.org/stable/c/418b448e1d7470da9d4d4797f71782595ee69c49"
},
{
"url": "https://git.kernel.org/stable/c/58ff8064cb4c7eddac4da1a59da039ead586950a"
},
{
"url": "https://git.kernel.org/stable/c/d0c68045b8b0f3737ed7bd6b8c83b7887014adee"
},
{
"url": "https://git.kernel.org/stable/c/3079517a5ba80901fe828a06998da64b9b8749be"
},
{
"url": "https://git.kernel.org/stable/c/6a909ea83f226803ea0e718f6e88613df9234d58"
}
],
"title": "tracing: Limit access to parser-\u003ebuffer when trace_get_user failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39683",
"datePublished": "2025-09-05T17:20:49.821Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:15.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39832 (GCVE-0-2025-39832)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-29 06:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix lockdep assertion on sync reset unload event
Fix lockdep assertion triggered during sync reset unload event. When the
sync reset flow is initiated using the devlink reload fw_activate
option, the PF already holds the devlink lock while handling unload
event. In this case, delegate sync reset unload event handling back to
the devlink callback process to avoid double-locking and resolve the
lockdep warning.
Kernel log:
WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40
[...]
Call Trace:
<TASK>
mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]
mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]
process_one_work+0x222/0x640
worker_thread+0x199/0x350
kthread+0x10b/0x230
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x8e/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/devlink.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "0c87dba9ccd3801d3b503f0b4fd41be343af4f06",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "06d897148e79638651800d851a69547b56b4be2e",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
},
{
"lessThan": "902a8bc23a24882200f57cadc270e15a2cfaf2bb",
"status": "affected",
"version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/devlink.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c",
"drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix lockdep assertion on sync reset unload event\n\nFix lockdep assertion triggered during sync reset unload event. When the\nsync reset flow is initiated using the devlink reload fw_activate\noption, the PF already holds the devlink lock while handling unload\nevent. In this case, delegate sync reset unload event handling back to\nthe devlink callback process to avoid double-locking and resolve the\nlockdep warning.\n\nKernel log:\nWARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40\n[...]\nCall Trace:\n\u003cTASK\u003e\n mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]\n mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]\n process_one_work+0x222/0x640\n worker_thread+0x199/0x350\n kthread+0x10b/0x230\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x8e/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:35.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959"
},
{
"url": "https://git.kernel.org/stable/c/0c87dba9ccd3801d3b503f0b4fd41be343af4f06"
},
{
"url": "https://git.kernel.org/stable/c/06d897148e79638651800d851a69547b56b4be2e"
},
{
"url": "https://git.kernel.org/stable/c/902a8bc23a24882200f57cadc270e15a2cfaf2bb"
}
],
"title": "net/mlx5: Fix lockdep assertion on sync reset unload event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39832",
"datePublished": "2025-09-16T13:08:49.513Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-09-29T06:00:35.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53641 (GCVE-0-2023-53641)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
hif_dev->remain_skb is allocated and used exclusively in
ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is
processed and subsequently freed (in error paths) only during the next
call of ath9k_hif_usb_rx_stream().
So, if the urbs are deallocated between those two calls due to the device
deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()
is not called next time and the allocated remain_skb is leaked. Our local
Syzkaller instance was able to trigger that.
remain_skb makes sense when receiving two consecutive urbs which are
logically linked together, i.e. a specific data field from the first skb
indicates a cached skb to be allocated, memcpy'd with some data and
subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs
deallocation supposedly makes that link irrelevant so we need to free the
cached skb in those cases.
Fix the leak by introducing a function to explicitly free remain_skb (if
it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL
when it has not been allocated at all (hif_dev struct is kzalloced) or
when it has been processed in next call to ath9k_hif_usb_rx_stream().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6719e3797ec52cd144c8a5ba8aaab36674800585",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d9899318660791141ea6002fda5577b2c5d7386e",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "320d760a35273aa815d58b57e4fd9ba5279a3489",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "59073060fe0950c6ecbe12bdc06469dcac62128d",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9b9356a3014123f0ce4b50d9278c1265173150ab",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "f0931fc8f4b6847c72e170d2326861c0a081d680",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8f02d538878c9b1501f624595eb22ee4e5e0ff84",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "7654cc03eb699297130b693ec34e25f77b17c947",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev-\u003eremain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy\u0027d with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:41.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585"
},
{
"url": "https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e"
},
{
"url": "https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489"
},
{
"url": "https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d"
},
{
"url": "https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab"
},
{
"url": "https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680"
},
{
"url": "https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84"
},
{
"url": "https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947"
}
],
"title": "wifi: ath9k: hif_usb: fix memory leak of remain_skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53641",
"datePublished": "2025-10-07T15:19:41.028Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:41.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53670 (GCVE-0-2023-53670)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix dev_pm_qos memleak
Call dev_pm_qos_hide_latency_tolerance() in the error unwind patch to
avoid following kmemleak:-
blktests (master) # kmemleak-clear; ./check nvme/044;
blktests (master) # kmemleak-scan ; kmemleak-show
nvme/044 (Test bi-directional authentication) [passed]
runtime 2.111s ... 2.124s
unreferenced object 0xffff888110c46240 (size 96):
comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000069ac2cec>] kmalloc_trace+0x25/0x90
[<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100
[<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]
[<000000007df61b4b>] 0xffffffffc05e88b3
[<00000000d152b985>] 0xffffffffc05744cb
[<00000000f04a4041>] vfs_write+0xc5/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1379e067b9485e5af03399fe3f0d39bccb023ad",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "7237c26431cc78e5ec3259f4350f3dd58f6a4319",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "2ed9a89192e3192e5fea7ff6475c8722513f325e",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix dev_pm_qos memleak\n\nCall dev_pm_qos_hide_latency_tolerance() in the error unwind patch to\navoid following kmemleak:-\n\nblktests (master) # kmemleak-clear; ./check nvme/044;\nblktests (master) # kmemleak-scan ; kmemleak-show\nnvme/044 (Test bi-directional authentication) [passed]\n runtime 2.111s ... 2.124s\nunreferenced object 0xffff888110c46240 (size 96):\n comm \"nvme\", pid 33461, jiffies 4345365353 (age 75.586s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c0000000069ac2cec\u003e] kmalloc_trace+0x25/0x90\n [\u003c000000006acc66d5\u003e] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100\n [\u003c00000000cc376ea7\u003e] nvme_init_ctrl+0x38e/0x410 [nvme_core]\n [\u003c000000007df61b4b\u003e] 0xffffffffc05e88b3\n [\u003c00000000d152b985\u003e] 0xffffffffc05744cb\n [\u003c00000000f04a4041\u003e] vfs_write+0xc5/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:27.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1379e067b9485e5af03399fe3f0d39bccb023ad"
},
{
"url": "https://git.kernel.org/stable/c/7237c26431cc78e5ec3259f4350f3dd58f6a4319"
},
{
"url": "https://git.kernel.org/stable/c/2ed9a89192e3192e5fea7ff6475c8722513f325e"
},
{
"url": "https://git.kernel.org/stable/c/7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd"
}
],
"title": "nvme-core: fix dev_pm_qos memleak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53670",
"datePublished": "2025-10-07T15:21:27.626Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:27.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50509 (GCVE-0-2022-50509)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: coda: Add check for kmalloc
As the kmalloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL poineter dereference,
same as the others.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 Version: cb1d3a336371e35c3920cc50a701c5403c255644 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d308c4a035b636756786af91e5f39f9d92d7d42a",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "11e32126b3e56c3156fb610d793732acd2bdac4f",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "ba9cc9e2035f7a45f5222543265daf7cd51f2530",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "7a2c66429b04e85fee44d6d9f455327bf23cf49c",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "d9b37ea8869e4e6da90c07a310d819a78cbd23d2",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "441c05485cf1a29eef05c1fd8281716815283315",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "aa17a252dbde432095e390e2092205d4debb12e1",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "0209e70ad496c1fcd85c2ec70e6736fd09f95d14",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
},
{
"lessThan": "6e5e5defdb8b0186312c2f855ace175aee6daf9b",
"status": "affected",
"version": "cb1d3a336371e35c3920cc50a701c5403c255644",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for kmalloc\n\nAs the kmalloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:06.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d308c4a035b636756786af91e5f39f9d92d7d42a"
},
{
"url": "https://git.kernel.org/stable/c/11e32126b3e56c3156fb610d793732acd2bdac4f"
},
{
"url": "https://git.kernel.org/stable/c/ba9cc9e2035f7a45f5222543265daf7cd51f2530"
},
{
"url": "https://git.kernel.org/stable/c/7a2c66429b04e85fee44d6d9f455327bf23cf49c"
},
{
"url": "https://git.kernel.org/stable/c/d9b37ea8869e4e6da90c07a310d819a78cbd23d2"
},
{
"url": "https://git.kernel.org/stable/c/441c05485cf1a29eef05c1fd8281716815283315"
},
{
"url": "https://git.kernel.org/stable/c/aa17a252dbde432095e390e2092205d4debb12e1"
},
{
"url": "https://git.kernel.org/stable/c/0209e70ad496c1fcd85c2ec70e6736fd09f95d14"
},
{
"url": "https://git.kernel.org/stable/c/6e5e5defdb8b0186312c2f855ace175aee6daf9b"
}
],
"title": "media: coda: Add check for kmalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50509",
"datePublished": "2025-10-07T15:19:06.661Z",
"dateReserved": "2025-10-04T15:39:19.466Z",
"dateUpdated": "2025-10-07T15:19:06.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39726 (GCVE-0-2025-39726)
Vulnerability from cvelistv5
Published
2025-09-05 17:27
Modified
2025-09-05 17:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/ism: fix concurrency management in ism_cmd()
The s390x ISM device data sheet clearly states that only one
request-response sequence is allowable per ISM function at any point in
time. Unfortunately as of today the s390/ism driver in Linux does not
honor that requirement. This patch aims to rectify that.
This problem was discovered based on Aliaksei's bug report which states
that for certain workloads the ISM functions end up entering error state
(with PEC 2 as seen from the logs) after a while and as a consequence
connections handled by the respective function break, and for future
connection requests the ISM device is not considered -- given it is in a
dysfunctional state. During further debugging PEC 3A was observed as
well.
A kernel message like
[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state
with PEC 2. Let me also point out that a kernel message like
[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered
because the ISM driver currently lacks support for it.
On a technical level, without this synchronization, commands (inputs to
the FW) may be partially or fully overwritten (corrupted) by another CPU
trying to issue commands on the same function. There is hard evidence that
this can lead to DMB token values being used as DMB IOVAs, leading to
PEC 2 PCI events indicating invalid DMA. But this is only one of the
failure modes imaginable. In theory even completely losing one command
and executing another one twice and then trying to interpret the outputs
as if the command we intended to execute was actually executed and not
the other one is also possible. Frankly, I don't feel confident about
providing an exhaustive list of possible consequences.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ism_drv.c",
"include/linux/ism.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faf44487dfc80817f178dc8de7a0b73f960d019b",
"status": "affected",
"version": "684b89bc39ce4f204b1a2b180f39f2eb36a6b695",
"versionType": "git"
},
{
"lessThan": "1194ad0d44d66b273a02a3a22882dc863a68d764",
"status": "affected",
"version": "684b89bc39ce4f204b1a2b180f39f2eb36a6b695",
"versionType": "git"
},
{
"lessThan": "fafaa4982bedb5532f5952000f714a3e63023f40",
"status": "affected",
"version": "684b89bc39ce4f204b1a2b180f39f2eb36a6b695",
"versionType": "git"
},
{
"lessThan": "897e8601b9cff1d054cdd53047f568b0e1995726",
"status": "affected",
"version": "684b89bc39ce4f204b1a2b180f39f2eb36a6b695",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ism_drv.c",
"include/linux/ism.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ism: fix concurrency management in ism_cmd()\n\nThe s390x ISM device data sheet clearly states that only one\nrequest-response sequence is allowable per ISM function at any point in\ntime. Unfortunately as of today the s390/ism driver in Linux does not\nhonor that requirement. This patch aims to rectify that.\n\nThis problem was discovered based on Aliaksei\u0027s bug report which states\nthat for certain workloads the ISM functions end up entering error state\n(with PEC 2 as seen from the logs) after a while and as a consequence\nconnections handled by the respective function break, and for future\nconnection requests the ISM device is not considered -- given it is in a\ndysfunctional state. During further debugging PEC 3A was observed as\nwell.\n\nA kernel message like\n[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a\nis a reliable indicator of the stated function entering error state\nwith PEC 2. Let me also point out that a kernel message like\n[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery\nis a reliable indicator that the ISM function won\u0027t be auto-recovered\nbecause the ISM driver currently lacks support for it.\n\nOn a technical level, without this synchronization, commands (inputs to\nthe FW) may be partially or fully overwritten (corrupted) by another CPU\ntrying to issue commands on the same function. There is hard evidence that\nthis can lead to DMB token values being used as DMB IOVAs, leading to\nPEC 2 PCI events indicating invalid DMA. But this is only one of the\nfailure modes imaginable. In theory even completely losing one command\nand executing another one twice and then trying to interpret the outputs\nas if the command we intended to execute was actually executed and not\nthe other one is also possible. Frankly, I don\u0027t feel confident about\nproviding an exhaustive list of possible consequences."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T17:27:19.818Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faf44487dfc80817f178dc8de7a0b73f960d019b"
},
{
"url": "https://git.kernel.org/stable/c/1194ad0d44d66b273a02a3a22882dc863a68d764"
},
{
"url": "https://git.kernel.org/stable/c/fafaa4982bedb5532f5952000f714a3e63023f40"
},
{
"url": "https://git.kernel.org/stable/c/897e8601b9cff1d054cdd53047f568b0e1995726"
}
],
"title": "s390/ism: fix concurrency management in ism_cmd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39726",
"datePublished": "2025-09-05T17:27:19.818Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-09-05T17:27:19.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21791 (GCVE-0-2025-21791)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out()
l3mdev_l3_out() can be called without RCU being held:
raw_sendmsg()
ip_push_pending_frames()
ip_send_skb()
ip_local_out()
__ip_local_out()
l3mdev_ip_out()
Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:16.236835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:34.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/l3mdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/l3mdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n ip_send_skb()\n ip_local_out()\n __ip_local_out()\n l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:18.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
},
{
"url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
},
{
"url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
},
{
"url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
},
{
"url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
},
{
"url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
},
{
"url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
},
{
"url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
}
],
"title": "vrf: use RCU protection in l3mdev_l3_out()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21791",
"datePublished": "2025-02-27T02:18:29.014Z",
"dateReserved": "2024-12-29T08:45:45.766Z",
"dateUpdated": "2025-11-03T20:59:34.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38691 (GCVE-0-2025-38691)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pNFS: Fix uninited ptr deref in block/scsi layout
The error occurs on the third attempt to encode extents. When function
ext_tree_prepare_commit() reallocates a larger buffer to retry encoding
extents, the "layoutupdate_pages" page array is initialized only after the
retry loop. But ext_tree_free_commitdata() is called on every iteration
and tries to put pages in the array, thus dereferencing uninitialized
pointers.
An additional problem is that there is no limit on the maximum possible
buffer_size. When there are too many extents, the client may create a
layoutcommit that is larger than the maximum possible RPC size accepted
by the server.
During testing, we observed two typical scenarios. First, one memory page
for extents is enough when we work with small files, append data to the
end of the file, or preallocate extents before writing. But when we fill
a new large file without preallocating, the number of extents can be huge,
and counting the number of written extents in ext_tree_encode_commit()
does not help much. Since this number increases even more between
unlocking and locking of ext_tree, the reallocated buffer may not be
large enough again and again.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:16.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/blocklayout/extent_tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "579b85f893d9885162e1cabf99a4a088916e143e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2896f101110076ac6bf99d7aaf463d61e26f89dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f783333cbfa2ee7d4aa8e47f6bd1b3f77534fcf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9be5c04beca3202d0a5f09fb4b2ecb644caa0bc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24334f3cf8a294f253071b5bf22d754dbb6d0f2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f0b2eee3fbba9b7e3746ef698424ef5e4a197776",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94ec6d939031a616474376dadbf4a8d0ef8b0bcc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37c3443a2685528f972d910a6fb87716b96fef46",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9768797c219326699778fba9cd3b607b2f1e7950",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/blocklayout/extent_tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix uninited ptr deref in block/scsi layout\n\nThe error occurs on the third attempt to encode extents. When function\next_tree_prepare_commit() reallocates a larger buffer to retry encoding\nextents, the \"layoutupdate_pages\" page array is initialized only after the\nretry loop. But ext_tree_free_commitdata() is called on every iteration\nand tries to put pages in the array, thus dereferencing uninitialized\npointers.\n\nAn additional problem is that there is no limit on the maximum possible\nbuffer_size. When there are too many extents, the client may create a\nlayoutcommit that is larger than the maximum possible RPC size accepted\nby the server.\n\nDuring testing, we observed two typical scenarios. First, one memory page\nfor extents is enough when we work with small files, append data to the\nend of the file, or preallocate extents before writing. But when we fill\na new large file without preallocating, the number of extents can be huge,\nand counting the number of written extents in ext_tree_encode_commit()\ndoes not help much. Since this number increases even more between\nunlocking and locking of ext_tree, the reallocated buffer may not be\nlarge enough again and again."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:06.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/579b85f893d9885162e1cabf99a4a088916e143e"
},
{
"url": "https://git.kernel.org/stable/c/2896f101110076ac6bf99d7aaf463d61e26f89dd"
},
{
"url": "https://git.kernel.org/stable/c/4f783333cbfa2ee7d4aa8e47f6bd1b3f77534fcf"
},
{
"url": "https://git.kernel.org/stable/c/9be5c04beca3202d0a5f09fb4b2ecb644caa0bc5"
},
{
"url": "https://git.kernel.org/stable/c/24334f3cf8a294f253071b5bf22d754dbb6d0f2d"
},
{
"url": "https://git.kernel.org/stable/c/f0b2eee3fbba9b7e3746ef698424ef5e4a197776"
},
{
"url": "https://git.kernel.org/stable/c/94ec6d939031a616474376dadbf4a8d0ef8b0bcc"
},
{
"url": "https://git.kernel.org/stable/c/37c3443a2685528f972d910a6fb87716b96fef46"
},
{
"url": "https://git.kernel.org/stable/c/9768797c219326699778fba9cd3b607b2f1e7950"
}
],
"title": "pNFS: Fix uninited ptr deref in block/scsi layout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38691",
"datePublished": "2025-09-04T15:32:45.301Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:16.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53146 (GCVE-0-2024-53146)
Vulnerability from cvelistv5
Published
2024-12-24 11:28
Modified
2025-11-03 20:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Prevent a potential integer overflow
If the tag length is >= U32_MAX - 3 then the "length + 4" addition
can result in an integer overflow. Address this by splitting the
decoding into several steps so that decode_cb_compound4res() does
not have to perform arithmetic on the unsafe length value.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:09:53.824541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:09.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:46:29.848Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "745f7ce5a95e783ba62fe774325829466aec2aa8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90adbae9dd158da8331d9fdd32077bd1af04f553",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c5f545c9a1f8a1869246f6f3ae8c17289d6a841",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "842f1c27a1aef5367e535f9e85c8c3b06352151a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de53c5305184ca1333b87e695d329d1502d694ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dde654cad08fdaac370febb161ec41eb58e9d2a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "084f797dbc7e52209a4ab6dbc7f0109268754eb9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ccd3394f9a7200d6b088553bf38e688620cd27af",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f33b92e5b18e904a481e6e208486da43e4dc841",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Prevent a potential integer overflow\n\nIf the tag length is \u003e= U32_MAX - 3 then the \"length + 4\" addition\ncan result in an integer overflow. Address this by splitting the\ndecoding into several steps so that decode_cb_compound4res() does\nnot have to perform arithmetic on the unsafe length value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:12.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/745f7ce5a95e783ba62fe774325829466aec2aa8"
},
{
"url": "https://git.kernel.org/stable/c/90adbae9dd158da8331d9fdd32077bd1af04f553"
},
{
"url": "https://git.kernel.org/stable/c/3c5f545c9a1f8a1869246f6f3ae8c17289d6a841"
},
{
"url": "https://git.kernel.org/stable/c/842f1c27a1aef5367e535f9e85c8c3b06352151a"
},
{
"url": "https://git.kernel.org/stable/c/de53c5305184ca1333b87e695d329d1502d694ce"
},
{
"url": "https://git.kernel.org/stable/c/dde654cad08fdaac370febb161ec41eb58e9d2a2"
},
{
"url": "https://git.kernel.org/stable/c/084f797dbc7e52209a4ab6dbc7f0109268754eb9"
},
{
"url": "https://git.kernel.org/stable/c/ccd3394f9a7200d6b088553bf38e688620cd27af"
},
{
"url": "https://git.kernel.org/stable/c/7f33b92e5b18e904a481e6e208486da43e4dc841"
}
],
"title": "NFSD: Prevent a potential integer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53146",
"datePublished": "2024-12-24T11:28:46.883Z",
"dateReserved": "2024-11-19T17:17:24.998Z",
"dateUpdated": "2025-11-03T20:46:29.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50545 (GCVE-0-2022-50545)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
r6040: Fix kmemleak in probe and remove
There is a memory leaks reported by kmemleak:
unreferenced object 0xffff888116111000 (size 2048):
comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
hex dump (first 32 bytes):
00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................
08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff827e20ee>] phy_device_create+0x4e/0x90
[<ffffffff827e6072>] get_phy_device+0xd2/0x220
[<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
[<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
[<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
...
The problem occurs in probe process as follows:
r6040_init_one:
mdiobus_register
mdiobus_scan <- alloc and register phy_device,
the reference count of phy_device is 3
r6040_mii_probe
phy_connect <- connect to the first phy_device,
so the reference count of the first
phy_device is 4, others are 3
register_netdev <- fault inject succeeded, goto error handling path
// error handling path
err_out_mdio_unregister:
mdiobus_unregister(lp->mii_bus);
err_out_mdio:
mdiobus_free(lp->mii_bus); <- the reference count of the first
phy_device is 1, it is not released
and other phy_devices are released
// similarly, the remove process also has the same problem
The root cause is traced to the phy_device is not disconnected when
removes one r6040 device in r6040_remove_one() or on error handling path
after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
device is connected to the first PHY device of mii_bus, in order to
notify the connected driver when the link status changes, which is the
default behavior of the PHY infrastructure to handle everything.
Therefore the phy_device should be disconnected when removes one r6040
device or on error handling path.
Fix it by adding phy_disconnect() when removes one r6040 device or on
error handling path after r6040_mii probed successfully.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b Version: 3831861b4ad8fd0ad7110048eb3e155628799d2b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a04707f4596952049da05756c27398c34d9a1d36",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b4448816e6a565e08236a6009c6bf48c6836cdfd",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "2ce242e1b9ad31c1f68496b3548e407a8cb2c07d",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b0a61359026b57a287a48fbb4ba1d097023eca3e",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "3d5f83a62e8235d235534b3dc6f197d8a822c269",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "9b5b50329e2e966831a7237dd6949e7b5362a49a",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "ad2c8f25457ca9a81e7e958148cbc26600ce3071",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "5944c25c67de54e0aa53623e1e1af3bf8b16ed44",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "7e43039a49c2da45edc1d9d7c9ede4003ab45a5f",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr6040: Fix kmemleak in probe and remove\n\nThere is a memory leaks reported by kmemleak:\n\n unreferenced object 0xffff888116111000 (size 2048):\n comm \"modprobe\", pid 817, jiffies 4294759745 (age 76.502s)\n hex dump (first 32 bytes):\n 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................\n 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff815bcd82\u003e] kmalloc_trace+0x22/0x60\n [\u003cffffffff827e20ee\u003e] phy_device_create+0x4e/0x90\n [\u003cffffffff827e6072\u003e] get_phy_device+0xd2/0x220\n [\u003cffffffff827e7844\u003e] mdiobus_scan+0xa4/0x2e0\n [\u003cffffffff827e8be2\u003e] __mdiobus_register+0x482/0x8b0\n [\u003cffffffffa01f5d24\u003e] r6040_init_one+0x714/0xd2c [r6040]\n ...\n\nThe problem occurs in probe process as follows:\n r6040_init_one:\n mdiobus_register\n mdiobus_scan \u003c- alloc and register phy_device,\n the reference count of phy_device is 3\n r6040_mii_probe\n phy_connect \u003c- connect to the first phy_device,\n so the reference count of the first\n phy_device is 4, others are 3\n register_netdev \u003c- fault inject succeeded, goto error handling path\n\n // error handling path\n err_out_mdio_unregister:\n mdiobus_unregister(lp-\u003emii_bus);\n err_out_mdio:\n mdiobus_free(lp-\u003emii_bus); \u003c- the reference count of the first\n phy_device is 1, it is not released\n and other phy_devices are released\n // similarly, the remove process also has the same problem\n\nThe root cause is traced to the phy_device is not disconnected when\nremoves one r6040 device in r6040_remove_one() or on error handling path\nafter r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet\ndevice is connected to the first PHY device of mii_bus, in order to\nnotify the connected driver when the link status changes, which is the\ndefault behavior of the PHY infrastructure to handle everything.\nTherefore the phy_device should be disconnected when removes one r6040\ndevice or on error handling path.\n\nFix it by adding phy_disconnect() when removes one r6040 device or on\nerror handling path after r6040_mii probed successfully."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:09.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a04707f4596952049da05756c27398c34d9a1d36"
},
{
"url": "https://git.kernel.org/stable/c/b4448816e6a565e08236a6009c6bf48c6836cdfd"
},
{
"url": "https://git.kernel.org/stable/c/2ce242e1b9ad31c1f68496b3548e407a8cb2c07d"
},
{
"url": "https://git.kernel.org/stable/c/b0a61359026b57a287a48fbb4ba1d097023eca3e"
},
{
"url": "https://git.kernel.org/stable/c/3d5f83a62e8235d235534b3dc6f197d8a822c269"
},
{
"url": "https://git.kernel.org/stable/c/9b5b50329e2e966831a7237dd6949e7b5362a49a"
},
{
"url": "https://git.kernel.org/stable/c/ad2c8f25457ca9a81e7e958148cbc26600ce3071"
},
{
"url": "https://git.kernel.org/stable/c/5944c25c67de54e0aa53623e1e1af3bf8b16ed44"
},
{
"url": "https://git.kernel.org/stable/c/7e43039a49c2da45edc1d9d7c9ede4003ab45a5f"
}
],
"title": "r6040: Fix kmemleak in probe and remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50545",
"datePublished": "2025-10-07T15:21:09.288Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:09.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49564 (GCVE-0-2022-49564)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - add param check for DH
Reject requests with a source buffer that is bigger than the size of the
key. This is to prevent a possible integer underflow that might happen
when copying the source scatterlist into a linear buffer.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:06.730762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7f979ed51f96495328157df663c835b17db1e30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76c9216833e7c20a67c987cf89719a3f01666aaa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2acbb8771f6ac82422886e63832ee7a0f4b1635b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:44.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7f979ed51f96495328157df663c835b17db1e30"
},
{
"url": "https://git.kernel.org/stable/c/76c9216833e7c20a67c987cf89719a3f01666aaa"
},
{
"url": "https://git.kernel.org/stable/c/2acbb8771f6ac82422886e63832ee7a0f4b1635b"
}
],
"title": "crypto: qat - add param check for DH",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49564",
"datePublished": "2025-02-26T02:23:10.733Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:38.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50492 (GCVE-0-2022-50492)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix use-after-free on probe deferral
The bridge counter was never reset when tearing down the DRM device so
that stale pointers to deallocated structures would be accessed on the
next tear down (e.g. after a second late bind deferral).
Given enough bridges and a few probe deferrals this could currently also
lead to data beyond the bridge array being corrupted.
Patchwork: https://patchwork.freedesktop.org/patch/502665/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a30a47741b6df1f9555a0fac6aebb7e8c363bad",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
},
{
"lessThan": "6808abdb33bf90330e70a687d29f038507e06ebb",
"status": "affected",
"version": "a3376e3ec81c5dd0622cbc187db76d2824d31c1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix use-after-free on probe deferral\n\nThe bridge counter was never reset when tearing down the DRM device so\nthat stale pointers to deallocated structures would be accessed on the\nnext tear down (e.g. after a second late bind deferral).\n\nGiven enough bridges and a few probe deferrals this could currently also\nlead to data beyond the bridge array being corrupted.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502665/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:45.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a30a47741b6df1f9555a0fac6aebb7e8c363bad"
},
{
"url": "https://git.kernel.org/stable/c/6808abdb33bf90330e70a687d29f038507e06ebb"
}
],
"title": "drm/msm: fix use-after-free on probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50492",
"datePublished": "2025-10-04T15:43:45.204Z",
"dateReserved": "2025-10-04T15:39:19.463Z",
"dateUpdated": "2025-10-04T15:43:45.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40087 (GCVE-0-2025-40087)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2025-10-30 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Define a proc_layoutcommit for the FlexFiles layout type
Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
operation on a FlexFiles layout.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a75994dd879401c3e24ff51c2536559f1a53ea27",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "34d187e020cbda112a6c6f094f0ca5e6a8672b75",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "ba88a53d7f5df4191583abf214214efe0cda91d2",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "da9129ef77786839a3ccd1d7afeeab790bceaa1d",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "f7353208c91ab004e0179c5fb6c365b0f132f9f0",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "785ec512afa80d0540f2ca797c0e56de747a6083",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "4b47a8601b71ad98833b447d465592d847b4dc77",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define a proc_layoutcommit for the FlexFiles layout type\n\nAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT\noperation on a FlexFiles layout."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:47:56.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a75994dd879401c3e24ff51c2536559f1a53ea27"
},
{
"url": "https://git.kernel.org/stable/c/34d187e020cbda112a6c6f094f0ca5e6a8672b75"
},
{
"url": "https://git.kernel.org/stable/c/ba88a53d7f5df4191583abf214214efe0cda91d2"
},
{
"url": "https://git.kernel.org/stable/c/da9129ef77786839a3ccd1d7afeeab790bceaa1d"
},
{
"url": "https://git.kernel.org/stable/c/f7353208c91ab004e0179c5fb6c365b0f132f9f0"
},
{
"url": "https://git.kernel.org/stable/c/a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4"
},
{
"url": "https://git.kernel.org/stable/c/785ec512afa80d0540f2ca797c0e56de747a6083"
},
{
"url": "https://git.kernel.org/stable/c/4b47a8601b71ad98833b447d465592d847b4dc77"
}
],
"title": "NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40087",
"datePublished": "2025-10-30T09:47:56.675Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2025-10-30T09:47:56.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50154 (GCVE-0-2024-50154)
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2025-11-03 22:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
"""
We are seeing a use-after-free from a bpf prog attached to
trace_tcp_retransmit_synack. The program passes the req->sk to the
bpf_sk_storage_get_tracing kernel helper which does check for null
before using it.
"""
The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.
Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.
If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.
The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.
The scenario would be
1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
reqsk timer still has another one, and inet_csk_accept() does not
clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk
Let's not use timer_pending() by passing the caller context to
__inet_csk_reqsk_queue_drop().
Note that reqsk timer is pinned, so the issue does not happen in most
use cases. [1]
[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: d3a1196bfc462943694623412d8e03aaf172bdc1 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:48.087506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:32.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:26:13.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/inet_connection_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "106e457953315e476b3642ef24be25ed862aaba3",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "c964bf65f80a14288d767023a1b300b30f5b9cd0",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "8459d61fbf24967839a70235165673148c7c7f17",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "5071beb59ee416e8ab456ac8647a4dabcda823b1",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "997ae8da14f1639ce6fb66a063dab54031cd61b3",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "51e34db64f4e43c7b055ccf881b7f3e0c31bb26d",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"lessThan": "e8c526f2bdf1845bedaf6a478816a3d06fa78b8f",
"status": "affected",
"version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
"versionType": "git"
},
{
"status": "affected",
"version": "d3a1196bfc462943694623412d8e03aaf172bdc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/inet_connection_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.170",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n \"\"\"\n We are seeing a use-after-free from a bpf prog attached to\n trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\n bpf_sk_storage_get_tracing kernel helper which does check for null\n before using it.\n \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer-\u003eentry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n but del_timer_sync() is missed\n\n 2. reqsk timer is executed and scheduled again\n\n 3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n reqsk timer still has another one, and inet_csk_accept() does not\n clear req-\u003esk for non-TFO sockets\n\n 4. sk is close()d\n\n 5. reqsk timer is executed again, and BPF touches req-\u003esk\n\nLet\u0027s not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:59:37.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/106e457953315e476b3642ef24be25ed862aaba3"
},
{
"url": "https://git.kernel.org/stable/c/c964bf65f80a14288d767023a1b300b30f5b9cd0"
},
{
"url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17"
},
{
"url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1"
},
{
"url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3"
},
{
"url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d"
},
{
"url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f"
}
],
"title": "tcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50154",
"datePublished": "2024-11-07T09:31:30.855Z",
"dateReserved": "2024-10-21T19:36:19.960Z",
"dateUpdated": "2025-11-03T22:26:13.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39947 (GCVE-0-2025-39947)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Harden uplink netdev access against device unbind
The function mlx5_uplink_netdev_get() gets the uplink netdevice
pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can
be removed and its pointer cleared when unbound from the mlx5_core.eth
driver. This results in a NULL pointer, causing a kernel panic.
BUG: unable to handle page fault for address: 0000000000001300
at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]
Call Trace:
<TASK>
mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]
esw_offloads_enable+0x593/0x910 [mlx5_core]
mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]
mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]
devlink_nl_eswitch_set_doit+0x60/0xd0
genl_family_rcv_msg_doit+0xe0/0x130
genl_rcv_msg+0x183/0x290
netlink_rcv_skb+0x4b/0xf0
genl_rcv+0x24/0x40
netlink_unicast+0x255/0x380
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
__sys_sendto+0x119/0x180
do_syscall_64+0x53/0x1d0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Ensure the pointer is valid before use by checking it for NULL. If it
is valid, immediately call netdev_hold() to take a reference, and
preventing the netdevice from being freed while it is in use.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c",
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2e",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "d1f3db4e7a3be29fc17f01850f162363f919370d",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "8df354eb2dd63d111ed5ae2e956e0dbb22bcf93b",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
},
{
"lessThan": "6b4be64fd9fec16418f365c2d8e47a7566e9eba5",
"status": "affected",
"version": "7a9fb35e8c3a67145fca262c304de65cb2f83abf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c",
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Harden uplink netdev access against device unbind\n\nThe function mlx5_uplink_netdev_get() gets the uplink netdevice\npointer from mdev-\u003emlx5e_res.uplink_netdev. However, the netdevice can\nbe removed and its pointer cleared when unbound from the mlx5_core.eth\ndriver. This results in a NULL pointer, causing a kernel panic.\n\n BUG: unable to handle page fault for address: 0000000000001300\n at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]\n Call Trace:\n \u003cTASK\u003e\n mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]\n esw_offloads_enable+0x593/0x910 [mlx5_core]\n mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xd0\n genl_family_rcv_msg_doit+0xe0/0x130\n genl_rcv_msg+0x183/0x290\n netlink_rcv_skb+0x4b/0xf0\n genl_rcv+0x24/0x40\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x119/0x180\n do_syscall_64+0x53/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nEnsure the pointer is valid before use by checking it for NULL. If it\nis valid, immediately call netdev_hold() to take a reference, and\npreventing the netdevice from being freed while it is in use."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:31:08.636Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2e"
},
{
"url": "https://git.kernel.org/stable/c/d1f3db4e7a3be29fc17f01850f162363f919370d"
},
{
"url": "https://git.kernel.org/stable/c/8df354eb2dd63d111ed5ae2e956e0dbb22bcf93b"
},
{
"url": "https://git.kernel.org/stable/c/6b4be64fd9fec16418f365c2d8e47a7566e9eba5"
}
],
"title": "net/mlx5e: Harden uplink netdev access against device unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39947",
"datePublished": "2025-10-04T07:31:08.636Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:31:08.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53579 (GCVE-0-2023-53579)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: mvebu: fix irq domain leak
Uwe Kleine-König pointed out we still have one resource leak in the mvebu
driver triggered on driver detach. Let's address it with a custom devm
action.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 812d47889a8e418d7bea9bec383581a34c19183e Version: 812d47889a8e418d7bea9bec383581a34c19183e Version: 812d47889a8e418d7bea9bec383581a34c19183e Version: 812d47889a8e418d7bea9bec383581a34c19183e Version: f0cde54863da281cec1ed85497b4ec58d29c1460 Version: 7a9239fd04802ee6ddf82d211cff3ee7df9c473a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mvebu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b19e90521286a03bc3793fd598f20277a8f99c85",
"status": "affected",
"version": "812d47889a8e418d7bea9bec383581a34c19183e",
"versionType": "git"
},
{
"lessThan": "44e2afbf650f3264519643fcc9e6b4d2f6e8d547",
"status": "affected",
"version": "812d47889a8e418d7bea9bec383581a34c19183e",
"versionType": "git"
},
{
"lessThan": "d9b791d8362359d241b4e8f4b4767c681ffdb6ef",
"status": "affected",
"version": "812d47889a8e418d7bea9bec383581a34c19183e",
"versionType": "git"
},
{
"lessThan": "644ee70267a934be27370f9aa618b29af7290544",
"status": "affected",
"version": "812d47889a8e418d7bea9bec383581a34c19183e",
"versionType": "git"
},
{
"status": "affected",
"version": "f0cde54863da281cec1ed85497b4ec58d29c1460",
"versionType": "git"
},
{
"status": "affected",
"version": "7a9239fd04802ee6ddf82d211cff3ee7df9c473a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mvebu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mvebu: fix irq domain leak\n\nUwe Kleine-K\u00f6nig pointed out we still have one resource leak in the mvebu\ndriver triggered on driver detach. Let\u0027s address it with a custom devm\naction."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:18.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b19e90521286a03bc3793fd598f20277a8f99c85"
},
{
"url": "https://git.kernel.org/stable/c/44e2afbf650f3264519643fcc9e6b4d2f6e8d547"
},
{
"url": "https://git.kernel.org/stable/c/d9b791d8362359d241b4e8f4b4767c681ffdb6ef"
},
{
"url": "https://git.kernel.org/stable/c/644ee70267a934be27370f9aa618b29af7290544"
}
],
"title": "gpio: mvebu: fix irq domain leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53579",
"datePublished": "2025-10-04T15:17:18.040Z",
"dateReserved": "2025-10-04T15:14:15.926Z",
"dateUpdated": "2025-10-04T15:17:18.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53370 (GCVE-0-2023-53370)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-19 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix memory leak in mes self test
The fences associated with mes queue have to be freed
up during amdgpu_ring_fini.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce3288d8d654b252ba832626e7de481c195ef20a",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "8d8c96efcec95736622381b2afc0fe9e317f88aa",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "31d7c3a4fc3d312a0646990767647925d5bde540",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix memory leak in mes self test\n\nThe fences associated with mes queue have to be freed\nup during amdgpu_ring_fini."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T15:21:38.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce3288d8d654b252ba832626e7de481c195ef20a"
},
{
"url": "https://git.kernel.org/stable/c/8d8c96efcec95736622381b2afc0fe9e317f88aa"
},
{
"url": "https://git.kernel.org/stable/c/31d7c3a4fc3d312a0646990767647925d5bde540"
}
],
"title": "drm/amdgpu: fix memory leak in mes self test",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53370",
"datePublished": "2025-09-18T13:33:18.117Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-19T15:21:38.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53360 (GCVE-0-2023-53360)
Vulnerability from cvelistv5
Published
2025-09-17 14:56
Modified
2025-09-17 14:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: Rework scratch handling for READ_PLUS (again)
I found that the read code might send multiple requests using the same
nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is
how we ended up occasionally double-freeing the scratch buffer, but also
means we set a NULL pointer but non-zero length to the xdr scratch
buffer. This results in an oops the first time decoding needs to copy
something to scratch, which frequently happens when decoding READ_PLUS
hole segments.
I fix this by moving scratch handling into the pageio read code. I
provide a function to allocate scratch space for decoding read replies,
and free the scratch buffer when the nfs_pgio_header is freed.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/internal.h",
"fs/nfs/nfs42.h",
"fs/nfs/nfs42xdr.c",
"fs/nfs/nfs4proc.c",
"fs/nfs/read.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adac9f0ddd2b291c7ce41f549fdb27a13616cff5",
"status": "affected",
"version": "886959f425b6a936a30b82a297ae3aecb3b8230f",
"versionType": "git"
},
{
"lessThan": "a2f4cb206bd94b3f4a7bb05fcdce9525283b5681",
"status": "affected",
"version": "fbd2a05f29a95d5b42b294bf47e55a711424965b",
"versionType": "git"
},
{
"lessThan": "ae5d5672f1db711e91db6f52df5cb16ecd8f5692",
"status": "affected",
"version": "fbd2a05f29a95d5b42b294bf47e55a711424965b",
"versionType": "git"
},
{
"lessThan": "303a78052091c81e9003915c521fdca1c7e117af",
"status": "affected",
"version": "fbd2a05f29a95d5b42b294bf47e55a711424965b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/internal.h",
"fs/nfs/nfs42.h",
"fs/nfs/nfs42xdr.c",
"fs/nfs/nfs4proc.c",
"fs/nfs/read.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: Rework scratch handling for READ_PLUS (again)\n\nI found that the read code might send multiple requests using the same\nnfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is\nhow we ended up occasionally double-freeing the scratch buffer, but also\nmeans we set a NULL pointer but non-zero length to the xdr scratch\nbuffer. This results in an oops the first time decoding needs to copy\nsomething to scratch, which frequently happens when decoding READ_PLUS\nhole segments.\n\nI fix this by moving scratch handling into the pageio read code. I\nprovide a function to allocate scratch space for decoding read replies,\nand free the scratch buffer when the nfs_pgio_header is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:56:50.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adac9f0ddd2b291c7ce41f549fdb27a13616cff5"
},
{
"url": "https://git.kernel.org/stable/c/a2f4cb206bd94b3f4a7bb05fcdce9525283b5681"
},
{
"url": "https://git.kernel.org/stable/c/ae5d5672f1db711e91db6f52df5cb16ecd8f5692"
},
{
"url": "https://git.kernel.org/stable/c/303a78052091c81e9003915c521fdca1c7e117af"
}
],
"title": "NFSv4.2: Rework scratch handling for READ_PLUS (again)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53360",
"datePublished": "2025-09-17T14:56:50.287Z",
"dateReserved": "2025-09-17T14:54:09.733Z",
"dateUpdated": "2025-09-17T14:56:50.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53562 (GCVE-0-2023-53562)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix vram leak on bind errors
Make sure to release the VRAM buffer also in a case a subcomponent fails
to bind.
Patchwork: https://patchwork.freedesktop.org/patch/525094/
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d863f0c7b536288e2bd40cbc01c10465dd226b11 Version: d863f0c7b536288e2bd40cbc01c10465dd226b11 Version: d863f0c7b536288e2bd40cbc01c10465dd226b11 Version: d863f0c7b536288e2bd40cbc01c10465dd226b11 Version: 0680689c609c7b2a15e52a9b9ca58fc2a04b2eee Version: ba74e0f222c7394eae16cbe91233aa34ba5122ea Version: d565c626b4e14864be4f6886d73e86f3338f7bac |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "544711591a67a6da4d9f0f70ba3c805eb2548729",
"status": "affected",
"version": "d863f0c7b536288e2bd40cbc01c10465dd226b11",
"versionType": "git"
},
{
"lessThan": "c02e8c1c5b3eb0b6193946194ac280f58f48b3b5",
"status": "affected",
"version": "d863f0c7b536288e2bd40cbc01c10465dd226b11",
"versionType": "git"
},
{
"lessThan": "e3401e07ba98a94b978164b7e873c25e5fc82b4b",
"status": "affected",
"version": "d863f0c7b536288e2bd40cbc01c10465dd226b11",
"versionType": "git"
},
{
"lessThan": "60d476af96015891c7959f30838ae7a9749932bf",
"status": "affected",
"version": "d863f0c7b536288e2bd40cbc01c10465dd226b11",
"versionType": "git"
},
{
"status": "affected",
"version": "0680689c609c7b2a15e52a9b9ca58fc2a04b2eee",
"versionType": "git"
},
{
"status": "affected",
"version": "ba74e0f222c7394eae16cbe91233aa34ba5122ea",
"versionType": "git"
},
{
"status": "affected",
"version": "d565c626b4e14864be4f6886d73e86f3338f7bac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.169",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix vram leak on bind errors\n\nMake sure to release the VRAM buffer also in a case a subcomponent fails\nto bind.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525094/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:05.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/544711591a67a6da4d9f0f70ba3c805eb2548729"
},
{
"url": "https://git.kernel.org/stable/c/c02e8c1c5b3eb0b6193946194ac280f58f48b3b5"
},
{
"url": "https://git.kernel.org/stable/c/e3401e07ba98a94b978164b7e873c25e5fc82b4b"
},
{
"url": "https://git.kernel.org/stable/c/60d476af96015891c7959f30838ae7a9749932bf"
}
],
"title": "drm/msm: fix vram leak on bind errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53562",
"datePublished": "2025-10-04T15:17:05.652Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:05.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53492 (GCVE-0-2023-53492)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: do not ignore genmask when looking up chain by id
When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.
This will lead to a WARNING like following:
[ 33.098431] ------------[ cut here ]------------
[ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260
[ 33.099217] Modules linked in:
[ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
[ 33.099726] Workqueue: events nf_tables_trans_destroy_work
[ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260
[ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
[ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
[ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
[ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
[ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
[ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
[ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
[ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
[ 33.104872] PKRU: 55555554
[ 33.104999] Call Trace:
[ 33.105113] <TASK>
[ 33.105214] ? show_regs+0x72/0x90
[ 33.105371] ? __warn+0xa5/0x210
[ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260
[ 33.105732] ? report_bug+0x1f2/0x200
[ 33.105902] ? handle_bug+0x46/0x90
[ 33.106546] ? exc_invalid_op+0x19/0x50
[ 33.106762] ? asm_exc_invalid_op+0x1b/0x20
[ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260
[ 33.107249] ? nf_tables_chain_destroy+0x30/0x260
[ 33.107506] nf_tables_trans_destroy_work+0x669/0x680
[ 33.107782] ? mark_held_locks+0x28/0xa0
[ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10
[ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70
[ 33.108538] process_one_work+0x68c/0xb70
[ 33.108755] ? lock_acquire+0x17f/0x420
[ 33.108977] ? __pfx_process_one_work+0x10/0x10
[ 33.109218] ? do_raw_spin_lock+0x128/0x1d0
[ 33.109435] ? _raw_spin_lock_irq+0x71/0x80
[ 33.109634] worker_thread+0x2bd/0x700
[ 33.109817] ? __pfx_worker_thread+0x10/0x10
[ 33.110254] kthread+0x18b/0x1d0
[ 33.110410] ? __pfx_kthread+0x10/0x10
[ 33.110581] ret_from_fork+0x29/0x50
[ 33.110757] </TASK>
[ 33.110866] irq event stamp: 1651
[ 33.111017] hardirqs last enabled at (1659): [<ffffffffa206a209>] __up_console_sem+0x79/0xa0
[ 33.111379] hardirqs last disabled at (1666): [<ffffffffa206a1ee>] __up_console_sem+0x5e/0xa0
[ 33.111740] softirqs last enabled at (1616): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0
[ 33.112094] softirqs last disabled at (1367): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0
[ 33.112453] ---[ end trace 0000000000000000 ]---
This is due to the nft_chain_lookup_byid ignoring the genmask. After this
change, adding the new rule will fail as it will not find the chain.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ae2e501331aaa506eaf760339bb2f43e5769395",
"status": "affected",
"version": "837830a4b439bfeb86c70b0115c280377c84714b",
"versionType": "git"
},
{
"lessThan": "041e2ac88caef286b39064e83e825e3f53113d36",
"status": "affected",
"version": "837830a4b439bfeb86c70b0115c280377c84714b",
"versionType": "git"
},
{
"lessThan": "fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49",
"status": "affected",
"version": "837830a4b439bfeb86c70b0115c280377c84714b",
"versionType": "git"
},
{
"lessThan": "5e5e967e8505fbdabfb6497367ec1b808cadc356",
"status": "affected",
"version": "837830a4b439bfeb86c70b0115c280377c84714b",
"versionType": "git"
},
{
"lessThan": "515ad530795c118f012539ed76d02bacfd426d89",
"status": "affected",
"version": "837830a4b439bfeb86c70b0115c280377c84714b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when looking up chain by id\n\nWhen adding a rule to a chain referring to its ID, if that chain had been\ndeleted on the same batch, the rule might end up referring to a deleted\nchain.\n\nThis will lead to a WARNING like following:\n\n[ 33.098431] ------------[ cut here ]------------\n[ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260\n[ 33.099217] Modules linked in:\n[ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409\n[ 33.099726] Workqueue: events nf_tables_trans_destroy_work\n[ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260\n[ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc \u003c0f\u003e 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7\n[ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202\n[ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000\n[ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000\n[ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500\n[ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10\n[ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000\n[ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0\n[ 33.104872] PKRU: 55555554\n[ 33.104999] Call Trace:\n[ 33.105113] \u003cTASK\u003e\n[ 33.105214] ? show_regs+0x72/0x90\n[ 33.105371] ? __warn+0xa5/0x210\n[ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260\n[ 33.105732] ? report_bug+0x1f2/0x200\n[ 33.105902] ? handle_bug+0x46/0x90\n[ 33.106546] ? exc_invalid_op+0x19/0x50\n[ 33.106762] ? asm_exc_invalid_op+0x1b/0x20\n[ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260\n[ 33.107249] ? nf_tables_chain_destroy+0x30/0x260\n[ 33.107506] nf_tables_trans_destroy_work+0x669/0x680\n[ 33.107782] ? mark_held_locks+0x28/0xa0\n[ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10\n[ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70\n[ 33.108538] process_one_work+0x68c/0xb70\n[ 33.108755] ? lock_acquire+0x17f/0x420\n[ 33.108977] ? __pfx_process_one_work+0x10/0x10\n[ 33.109218] ? do_raw_spin_lock+0x128/0x1d0\n[ 33.109435] ? _raw_spin_lock_irq+0x71/0x80\n[ 33.109634] worker_thread+0x2bd/0x700\n[ 33.109817] ? __pfx_worker_thread+0x10/0x10\n[ 33.110254] kthread+0x18b/0x1d0\n[ 33.110410] ? __pfx_kthread+0x10/0x10\n[ 33.110581] ret_from_fork+0x29/0x50\n[ 33.110757] \u003c/TASK\u003e\n[ 33.110866] irq event stamp: 1651\n[ 33.111017] hardirqs last enabled at (1659): [\u003cffffffffa206a209\u003e] __up_console_sem+0x79/0xa0\n[ 33.111379] hardirqs last disabled at (1666): [\u003cffffffffa206a1ee\u003e] __up_console_sem+0x5e/0xa0\n[ 33.111740] softirqs last enabled at (1616): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[ 33.112094] softirqs last disabled at (1367): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[ 33.112453] ---[ end trace 0000000000000000 ]---\n\nThis is due to the nft_chain_lookup_byid ignoring the genmask. After this\nchange, adding the new rule will fail as it will not find the chain."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:44.019Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ae2e501331aaa506eaf760339bb2f43e5769395"
},
{
"url": "https://git.kernel.org/stable/c/041e2ac88caef286b39064e83e825e3f53113d36"
},
{
"url": "https://git.kernel.org/stable/c/fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49"
},
{
"url": "https://git.kernel.org/stable/c/5e5e967e8505fbdabfb6497367ec1b808cadc356"
},
{
"url": "https://git.kernel.org/stable/c/515ad530795c118f012539ed76d02bacfd426d89"
}
],
"title": "netfilter: nf_tables: do not ignore genmask when looking up chain by id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53492",
"datePublished": "2025-10-01T11:45:44.019Z",
"dateReserved": "2025-10-01T11:39:39.403Z",
"dateUpdated": "2025-10-01T11:45:44.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50125 (GCVE-0-2024-50125)
Vulnerability from cvelistv5
Published
2024-11-05 17:10
Modified
2025-11-03 22:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix UAF on sco_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ba316be1b6a00db7126ed9a39f9bee434a508043 Version: ba316be1b6a00db7126ed9a39f9bee434a508043 Version: ba316be1b6a00db7126ed9a39f9bee434a508043 Version: ba316be1b6a00db7126ed9a39f9bee434a508043 Version: ba316be1b6a00db7126ed9a39f9bee434a508043 Version: fea63ccd928c01573306983346588b26cffb5572 Version: 48669c81a65628ef234cbdd91b9395952c7c27fe Version: 37d7ae2b0578f2373674a755402ee722e96edc08 Version: a1073aad497d0d071a71f61b721966a176d50c08 Version: ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134 Version: b657bba82ff6a007d84fd076bd73b11131726a2b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:55.353607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:33.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:44.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/bluetooth.h",
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74a466a15731a754bcd8b5a83c126b5122e15a45",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "9ddda5d967e84796e7df1b54a55f36b4b9f21079",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "d30803f6a972b5b9e26d1d43b583c7ec151de04b",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "80b05fbfa998480fb3d5299d93eab946f51e9c36",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "1bf4470a3939c678fb822073e9ea77a0560bc6bb",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"status": "affected",
"version": "fea63ccd928c01573306983346588b26cffb5572",
"versionType": "git"
},
{
"status": "affected",
"version": "48669c81a65628ef234cbdd91b9395952c7c27fe",
"versionType": "git"
},
{
"status": "affected",
"version": "37d7ae2b0578f2373674a755402ee722e96edc08",
"versionType": "git"
},
{
"status": "affected",
"version": "a1073aad497d0d071a71f61b721966a176d50c08",
"versionType": "git"
},
{
"status": "affected",
"version": "ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134",
"versionType": "git"
},
{
"status": "affected",
"version": "b657bba82ff6a007d84fd076bd73b11131726a2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/bluetooth.h",
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_sock_timeout\n\nconn-\u003esk maybe have been unlinked/freed while waiting for sco_conn_lock\nso this checks if the conn-\u003esk is still valid by checking if it part of\nsco_sk_list."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:59:35.245Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74a466a15731a754bcd8b5a83c126b5122e15a45"
},
{
"url": "https://git.kernel.org/stable/c/9ddda5d967e84796e7df1b54a55f36b4b9f21079"
},
{
"url": "https://git.kernel.org/stable/c/d30803f6a972b5b9e26d1d43b583c7ec151de04b"
},
{
"url": "https://git.kernel.org/stable/c/80b05fbfa998480fb3d5299d93eab946f51e9c36"
},
{
"url": "https://git.kernel.org/stable/c/1bf4470a3939c678fb822073e9ea77a0560bc6bb"
}
],
"title": "Bluetooth: SCO: Fix UAF on sco_sock_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50125",
"datePublished": "2024-11-05T17:10:53.090Z",
"dateReserved": "2024-10-21T19:36:19.954Z",
"dateUpdated": "2025-11-03T22:25:44.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39860 (GCVE-0-2025-39860)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
syzbot reported the splat below without a repro.
In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.
The root cause would be the racy l2cap_sock_cleanup_listen() call
added by the cited commit.
bt_accept_dequeue() is called under lock_sock() except for
l2cap_sock_release().
Two threads could see the same socket during the list iteration
in bt_accept_dequeue():
CPU1 CPU2 (close())
---- ----
sock_hold(sk) sock_hold(sk);
lock_sock(sk) <-- block close()
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- refcnt by bt_accept_enqueue()
release_sock(sk)
lock_sock(sk)
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- last refcnt
bt_accept_unlink(sk) <-- UAF
Depending on the timing, the other thread could show up in the
"Freed by task" part.
Let's call l2cap_sock_cleanup_listen() under lock_sock() in
l2cap_sock_release().
[0]:
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
spin_lock_bh include/linux/spinlock.h:356 [inline]
release_sock+0x21/0x220 net/core/sock.c:3746
bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x3ff/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2accf8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
</TASK>
Allocated by task 5326:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_nopro
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a2da00d1ea1abfb04f846638e210b5b5166e3c9c Version: 06f87c96216bc5cd1094c23492274f77f1d5dd3b Version: fbe5a2fed8156cc19eb3b956602b0a1dd46a302d Version: 29fac18499332211b2615ade356e2bd8b3269f98 Version: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 Version: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 Version: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 Version: 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 Version: 51822644a047eac2310fab0799b64e3430b5a111 Version: 82cdb2ccbe43337798393369f0ceb98699fe6037 Version: 10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:12.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "964cbb198f9c46c2b2358cd1faffc04c1e8248cf",
"status": "affected",
"version": "a2da00d1ea1abfb04f846638e210b5b5166e3c9c",
"versionType": "git"
},
{
"lessThan": "83e1d9892ef51785cf0760b7681436760dda435a",
"status": "affected",
"version": "06f87c96216bc5cd1094c23492274f77f1d5dd3b",
"versionType": "git"
},
{
"lessThan": "47f6090bcf75c369695d21c3f179db8a56bbbd49",
"status": "affected",
"version": "fbe5a2fed8156cc19eb3b956602b0a1dd46a302d",
"versionType": "git"
},
{
"lessThan": "2ca99fc3512a8074de20ee52a87b492dfcc41a4d",
"status": "affected",
"version": "29fac18499332211b2615ade356e2bd8b3269f98",
"versionType": "git"
},
{
"lessThan": "6077d16b5c0f65d571eee709de2f0541fb5ef0ca",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "306b0991413b482dbf5585b423022123bb505966",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "3dff390f55ccd9ce12e91233849769b5312180c2",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"lessThan": "862c628108562d8c7a516a900034823b381d3cba",
"status": "affected",
"version": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1",
"versionType": "git"
},
{
"status": "affected",
"version": "51822644a047eac2310fab0799b64e3430b5a111",
"versionType": "git"
},
{
"status": "affected",
"version": "82cdb2ccbe43337798393369f0ceb98699fe6037",
"versionType": "git"
},
{
"status": "affected",
"version": "10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.4.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n CPU1 CPU2 (close())\n ---- ----\n sock_hold(sk) sock_hold(sk);\n lock_sock(sk) \u003c-- block close()\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- refcnt by bt_accept_enqueue()\n release_sock(sk)\n lock_sock(sk)\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- last refcnt\n bt_accept_unlink(sk) \u003c-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet\u0027s call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n \u003c/TASK\u003e\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:14.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/964cbb198f9c46c2b2358cd1faffc04c1e8248cf"
},
{
"url": "https://git.kernel.org/stable/c/83e1d9892ef51785cf0760b7681436760dda435a"
},
{
"url": "https://git.kernel.org/stable/c/47f6090bcf75c369695d21c3f179db8a56bbbd49"
},
{
"url": "https://git.kernel.org/stable/c/2ca99fc3512a8074de20ee52a87b492dfcc41a4d"
},
{
"url": "https://git.kernel.org/stable/c/6077d16b5c0f65d571eee709de2f0541fb5ef0ca"
},
{
"url": "https://git.kernel.org/stable/c/306b0991413b482dbf5585b423022123bb505966"
},
{
"url": "https://git.kernel.org/stable/c/3dff390f55ccd9ce12e91233849769b5312180c2"
},
{
"url": "https://git.kernel.org/stable/c/862c628108562d8c7a516a900034823b381d3cba"
}
],
"title": "Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39860",
"datePublished": "2025-09-19T15:26:30.767Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:12.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53316 (GCVE-0-2023-53316)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: Free resources after unregistering them
The DP component's unbind operation walks through the submodules to
unregister and clean things up. But if the unbind happens because the DP
controller itself is being removed, all the memory for those submodules
has just been freed.
Change the order of these operations to avoid the many use-after-free
that otherwise happens in this code path.
Patchwork: https://patchwork.freedesktop.org/patch/542166/
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c943b4948b5848fc0e07f875edbd35a973879e22 Version: c943b4948b5848fc0e07f875edbd35a973879e22 Version: c943b4948b5848fc0e07f875edbd35a973879e22 Version: c943b4948b5848fc0e07f875edbd35a973879e22 Version: c943b4948b5848fc0e07f875edbd35a973879e22 Version: c943b4948b5848fc0e07f875edbd35a973879e22 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c67a55f7cc8d767d624235bf1bcd0947e56abe0f",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
},
{
"lessThan": "3c3f3d35f5e05c468b048eb42a4f8c62c6655692",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
},
{
"lessThan": "4e9f1a2367aea7d61f6781213e25313cd983b0d7",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
},
{
"lessThan": "5c3278db06e332fdc14f3f297499fb88ded264d2",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
},
{
"lessThan": "ca47d0dc00968358c136a1847cfed550cedfd1b5",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
},
{
"lessThan": "fa0048a4b1fa7a50c8b0e514f5b428abdf69a6f8",
"status": "affected",
"version": "c943b4948b5848fc0e07f875edbd35a973879e22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Free resources after unregistering them\n\nThe DP component\u0027s unbind operation walks through the submodules to\nunregister and clean things up. But if the unbind happens because the DP\ncontroller itself is being removed, all the memory for those submodules\nhas just been freed.\n\nChange the order of these operations to avoid the many use-after-free\nthat otherwise happens in this code path.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542166/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:53.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c67a55f7cc8d767d624235bf1bcd0947e56abe0f"
},
{
"url": "https://git.kernel.org/stable/c/3c3f3d35f5e05c468b048eb42a4f8c62c6655692"
},
{
"url": "https://git.kernel.org/stable/c/4e9f1a2367aea7d61f6781213e25313cd983b0d7"
},
{
"url": "https://git.kernel.org/stable/c/5c3278db06e332fdc14f3f297499fb88ded264d2"
},
{
"url": "https://git.kernel.org/stable/c/ca47d0dc00968358c136a1847cfed550cedfd1b5"
},
{
"url": "https://git.kernel.org/stable/c/fa0048a4b1fa7a50c8b0e514f5b428abdf69a6f8"
}
],
"title": "drm/msm/dp: Free resources after unregistering them",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53316",
"datePublished": "2025-09-16T16:11:53.059Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:53.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53480 (GCVE-0-2023-53480)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kobject: Add sanity check for kset->kobj.ktype in kset_register()
When I register a kset in the following way:
static struct kset my_kset;
kobject_set_name(&my_kset.kobj, "my_kset");
ret = kset_register(&my_kset);
A null pointer dereference exception is occurred:
[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
virtual address 0000000000000028
... ...
[ 4453.810361] Call trace:
[ 4453.813062] kobject_get_ownership+0xc/0x34
[ 4453.817493] kobject_add_internal+0x98/0x274
[ 4453.822005] kset_register+0x5c/0xb4
[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
... ...
Because I didn't initialize my_kset.kobj.ktype.
According to the description in Documentation/core-api/kobject.rst:
- A ktype is the type of object that embeds a kobject. Every structure
that embeds a kobject needs a corresponding ktype.
So add sanity check to make sure kset->kobj.ktype is not NULL.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/kobject.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1792eac72e27f676bf9ebde28a5afea627fb85f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "039ec9db2d30032eafa365f5f89b30eca5322b05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "964e025ceefdf75da46b0133d0c2790de451aeec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5df5829158513134ddcaf2184d9286eda7b0bb18",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3f6bf22a4f5ba649cf26ae4670de5c7f861bdef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48aebbe801e78a8932404c122ed0e880ccedc220",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a772881bc059c596d8ca587cbd2a233edce3d3b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d0fe8c52bb3029d83e323c961221156ab98680b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/kobject.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject: Add sanity check for kset-\u003ekobj.ktype in kset_register()\n\nWhen I register a kset in the following way:\n\tstatic struct kset my_kset;\n\tkobject_set_name(\u0026my_kset.kobj, \"my_kset\");\n ret = kset_register(\u0026my_kset);\n\nA null pointer dereference exception is occurred:\n[ 4453.568337] Unable to handle kernel NULL pointer dereference at \\\nvirtual address 0000000000000028\n... ...\n[ 4453.810361] Call trace:\n[ 4453.813062] kobject_get_ownership+0xc/0x34\n[ 4453.817493] kobject_add_internal+0x98/0x274\n[ 4453.822005] kset_register+0x5c/0xb4\n[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]\n... ...\n\nBecause I didn\u0027t initialize my_kset.kobj.ktype.\n\nAccording to the description in Documentation/core-api/kobject.rst:\n - A ktype is the type of object that embeds a kobject. Every structure\n that embeds a kobject needs a corresponding ktype.\n\nSo add sanity check to make sure kset-\u003ekobj.ktype is not NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:48.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1792eac72e27f676bf9ebde28a5afea627fb85f0"
},
{
"url": "https://git.kernel.org/stable/c/039ec9db2d30032eafa365f5f89b30eca5322b05"
},
{
"url": "https://git.kernel.org/stable/c/964e025ceefdf75da46b0133d0c2790de451aeec"
},
{
"url": "https://git.kernel.org/stable/c/5df5829158513134ddcaf2184d9286eda7b0bb18"
},
{
"url": "https://git.kernel.org/stable/c/f3f6bf22a4f5ba649cf26ae4670de5c7f861bdef"
},
{
"url": "https://git.kernel.org/stable/c/48aebbe801e78a8932404c122ed0e880ccedc220"
},
{
"url": "https://git.kernel.org/stable/c/1a772881bc059c596d8ca587cbd2a233edce3d3b"
},
{
"url": "https://git.kernel.org/stable/c/4d0fe8c52bb3029d83e323c961221156ab98680b"
}
],
"title": "kobject: Add sanity check for kset-\u003ekobj.ktype in kset_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53480",
"datePublished": "2025-10-01T11:42:48.919Z",
"dateReserved": "2025-10-01T11:39:39.402Z",
"dateUpdated": "2025-10-01T11:42:48.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39743 (GCVE-0-2025-39743)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: truncate good inode pages when hard link is 0
The fileset value of the inode copy from the disk by the reproducer is
AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its
inode pages are not truncated. This causes the bugon to be triggered when
executing clear_inode() because nrpages is greater than 0.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:59.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89fff8e3d6710fc32507b8e19eb5afa9fb79b896",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5845b926c561b8333cd65169526eec357d7bb449",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ed7275910fb7177012619864e04d3008763f3ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b5b471820c33365a8ccd2d463578bf4e47056c2c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34d8e982bac48bdcca7524644a8825a580edce74",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df3fd8daf278eca365f221749ae5b728e8382a04",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b1d5ca395a5fb170c3f885cd42c16179f7f54ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bb5cdc3e39f0c2b311fcb631258b7e60d3fb0d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d91b3765cd05016335cd5df5e5c6a29708ec058",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: truncate good inode pages when hard link is 0\n\nThe fileset value of the inode copy from the disk by the reproducer is\nAGGR_RESERVED_I. When executing evict, its hard link number is 0, so its\ninode pages are not truncated. This causes the bugon to be triggered when\nexecuting clear_inode() because nrpages is greater than 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:30.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89fff8e3d6710fc32507b8e19eb5afa9fb79b896"
},
{
"url": "https://git.kernel.org/stable/c/5845b926c561b8333cd65169526eec357d7bb449"
},
{
"url": "https://git.kernel.org/stable/c/8ed7275910fb7177012619864e04d3008763f3ea"
},
{
"url": "https://git.kernel.org/stable/c/b5b471820c33365a8ccd2d463578bf4e47056c2c"
},
{
"url": "https://git.kernel.org/stable/c/34d8e982bac48bdcca7524644a8825a580edce74"
},
{
"url": "https://git.kernel.org/stable/c/df3fd8daf278eca365f221749ae5b728e8382a04"
},
{
"url": "https://git.kernel.org/stable/c/2b1d5ca395a5fb170c3f885cd42c16179f7f54ec"
},
{
"url": "https://git.kernel.org/stable/c/1bb5cdc3e39f0c2b311fcb631258b7e60d3fb0d3"
},
{
"url": "https://git.kernel.org/stable/c/2d91b3765cd05016335cd5df5e5c6a29708ec058"
}
],
"title": "jfs: truncate good inode pages when hard link is 0",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39743",
"datePublished": "2025-09-11T16:52:17.043Z",
"dateReserved": "2025-04-16T07:20:57.120Z",
"dateUpdated": "2025-11-03T17:42:59.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39997 (GCVE-0-2025-39997)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-15 07:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.
Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 647410a7da46067953a53c0d03f8680eff570959 Version: c611b9e55174e439dcd85a72969b43a95f3827a4 Version: 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 Version: 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 Version: 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 Version: 62066758d2ae169278e5d6aea5995b1b6f6ddeb5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba",
"status": "affected",
"version": "647410a7da46067953a53c0d03f8680eff570959",
"versionType": "git"
},
{
"lessThan": "647d6b8d22be12842fde6ed0c56859ebc615f21e",
"status": "affected",
"version": "c611b9e55174e439dcd85a72969b43a95f3827a4",
"versionType": "git"
},
{
"lessThan": "af600e7f5526d16146b3ae99f6ad57bfea79ca33",
"status": "affected",
"version": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
"versionType": "git"
},
{
"lessThan": "353d8c715cc951a980728133c9dd64ca5a0a186c",
"status": "affected",
"version": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
"versionType": "git"
},
{
"lessThan": "9f2c0ac1423d5f267e7f1d1940780fc764b0fee3",
"status": "affected",
"version": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
"versionType": "git"
},
{
"status": "affected",
"version": "62066758d2ae169278e5d6aea5995b1b6f6ddeb5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free\n\nThe previous commit 0718a78f6a9f (\"ALSA: usb-audio: Kill timer properly at\nremoval\") patched a UAF issue caused by the error timer.\n\nHowever, because the error timer kill added in this patch occurs after the\nendpoint delete, a race condition to UAF still occurs, albeit rarely.\n\nAdditionally, since kill-cleanup for urb is also missing, freed memory can\nbe accessed in interrupt context related to urb, which can cause UAF.\n\nTherefore, to prevent this, error timer and urb must be killed before\nfreeing the heap memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:58:21.702Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba"
},
{
"url": "https://git.kernel.org/stable/c/647d6b8d22be12842fde6ed0c56859ebc615f21e"
},
{
"url": "https://git.kernel.org/stable/c/af600e7f5526d16146b3ae99f6ad57bfea79ca33"
},
{
"url": "https://git.kernel.org/stable/c/353d8c715cc951a980728133c9dd64ca5a0a186c"
},
{
"url": "https://git.kernel.org/stable/c/9f2c0ac1423d5f267e7f1d1940780fc764b0fee3"
}
],
"title": "ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39997",
"datePublished": "2025-10-15T07:58:21.702Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-15T07:58:21.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7324 (GCVE-0-2023-7324)
Vulnerability from cvelistv5
Published
2025-10-29 13:46
Modified
2025-10-29 13:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
Sanitize possible addl_desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af5114d824f3511a69d68beff49ca9a7c32d44e0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a156a262c543fa5ff30bcb2fc6ad1a95cb4ab57a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8e454aba72805241239caf8ba9b8e5a6be772b96",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2ecd344173a5663d523433819da0484cb268b186",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "384aa697d8f2a28b5e962f5292cdfd2e528b5df7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27067c672980b497cc34048b69b12820851ac6b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b91ef85a32fdba45fcbad87dd526d73d3b6d857d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db95d4df71cb55506425b6e4a5f8d68e3a765b63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses\n\nSanitize possible addl_desc_ptr out-of-bounds accesses in\nses_enclosure_data_process()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:46:14.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af5114d824f3511a69d68beff49ca9a7c32d44e0"
},
{
"url": "https://git.kernel.org/stable/c/a156a262c543fa5ff30bcb2fc6ad1a95cb4ab57a"
},
{
"url": "https://git.kernel.org/stable/c/8e454aba72805241239caf8ba9b8e5a6be772b96"
},
{
"url": "https://git.kernel.org/stable/c/2ecd344173a5663d523433819da0484cb268b186"
},
{
"url": "https://git.kernel.org/stable/c/384aa697d8f2a28b5e962f5292cdfd2e528b5df7"
},
{
"url": "https://git.kernel.org/stable/c/27067c672980b497cc34048b69b12820851ac6b9"
},
{
"url": "https://git.kernel.org/stable/c/b91ef85a32fdba45fcbad87dd526d73d3b6d857d"
},
{
"url": "https://git.kernel.org/stable/c/db95d4df71cb55506425b6e4a5f8d68e3a765b63"
}
],
"title": "scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-7324",
"datePublished": "2025-10-29T13:46:14.184Z",
"dateReserved": "2025-10-29T13:44:46.603Z",
"dateUpdated": "2025-10-29T13:46:14.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39810 (GCVE-0-2025-39810)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-29 05:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix memory corruption when FW resources change during ifdown
bnxt_set_dflt_rings() assumes that it is always called before any TC has
been created. So it doesn't take bp->num_tc into account and assumes
that it is always 0 or 1.
In the FW resource or capability change scenario, the FW will return
flags in bnxt_hwrm_if_change() that will cause the driver to
reinitialize and call bnxt_cancel_reservations(). This will lead to
bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc
may be greater than 1. This will cause bp->tx_ring[] to be sized too
small and cause memory corruption in bnxt_alloc_cp_rings().
Fix it by properly scaling the TX rings by bp->num_tc in the code
paths mentioned above. Add 2 helper functions to determine
bp->tx_nr_rings and bp->tx_nr_rings_per_tc.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00e98977ef519280b075d783653e2c492fffbb6",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
},
{
"lessThan": "9ab6a9950f152e094395d2e3967f889857daa185",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
},
{
"lessThan": "2747328ba2714f1a7454208dbbc1dc0631990b4a",
"status": "affected",
"version": "ec5d31e3c15d5233b491400133c67f78a320062c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created. So it doesn\u0027t take bp-\u003enum_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations(). This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-\u003enum_tc\nmay be greater than 1. This will cause bp-\u003etx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp-\u003enum_tc in the code\npaths mentioned above. Add 2 helper functions to determine\nbp-\u003etx_nr_rings and bp-\u003etx_nr_rings_per_tc."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:53.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00e98977ef519280b075d783653e2c492fffbb6"
},
{
"url": "https://git.kernel.org/stable/c/9ab6a9950f152e094395d2e3967f889857daa185"
},
{
"url": "https://git.kernel.org/stable/c/2747328ba2714f1a7454208dbbc1dc0631990b4a"
}
],
"title": "bnxt_en: Fix memory corruption when FW resources change during ifdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39810",
"datePublished": "2025-09-16T13:00:12.677Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-09-29T05:59:53.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50532 (GCVE-0-2022-50532)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
sas_rphy_free() needs be called to free the resource allocated in
sas_end_device_alloc(). Otherwise a kernel crash will happen:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
device_del+0x54/0x3d0
attribute_container_class_device_del+0x28/0x38
transport_remove_classdev+0x6c/0x80
attribute_container_device_trigger+0x108/0x110
transport_remove_device+0x28/0x38
sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
scsih_remove+0xd8/0x420 [mpt3sas]
Because transport_add_device() is not called when sas_rphy_add() fails, the
device is not added. When sas_rphy_remove() is subsequently called to
remove the device in the remove() path, a NULL pointer dereference happens.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d60000cb1195a464080b0efb4949daf7594e0020",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "ce1a69cc85006b494353911b35171da195d79e25",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6a92129c8f999ff5b122c100ce7f625eb3e98c4b",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6f6768e2fc8638fabdd8802c2ef693d7aef01db1",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "d17bca3ddfe507874cb826d32721552da12e741f",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "78316e9dfc24906dd474630928ed1d3c562b568e",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()\n\nIn mpt3sas_transport_port_add(), if sas_rphy_add() returns error,\nsas_rphy_free() needs be called to free the resource allocated in\nsas_end_device_alloc(). Otherwise a kernel crash will happen:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000108\nCPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x54/0x3d0\nlr : device_del+0x37c/0x3d0\nCall trace:\n device_del+0x54/0x3d0\n attribute_container_class_device_del+0x28/0x38\n transport_remove_classdev+0x6c/0x80\n attribute_container_device_trigger+0x108/0x110\n transport_remove_device+0x28/0x38\n sas_rphy_remove+0x50/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_rphy_remove+0x38/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_remove_host+0x20/0x38 [scsi_transport_sas]\n scsih_remove+0xd8/0x420 [mpt3sas]\n\nBecause transport_add_device() is not called when sas_rphy_add() fails, the\ndevice is not added. When sas_rphy_remove() is subsequently called to\nremove the device in the remove() path, a NULL pointer dereference happens."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:22.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d60000cb1195a464080b0efb4949daf7594e0020"
},
{
"url": "https://git.kernel.org/stable/c/ce1a69cc85006b494353911b35171da195d79e25"
},
{
"url": "https://git.kernel.org/stable/c/6a92129c8f999ff5b122c100ce7f625eb3e98c4b"
},
{
"url": "https://git.kernel.org/stable/c/6f6768e2fc8638fabdd8802c2ef693d7aef01db1"
},
{
"url": "https://git.kernel.org/stable/c/d17bca3ddfe507874cb826d32721552da12e741f"
},
{
"url": "https://git.kernel.org/stable/c/78316e9dfc24906dd474630928ed1d3c562b568e"
}
],
"title": "scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50532",
"datePublished": "2025-10-07T15:19:22.581Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:22.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50576 (GCVE-0-2022-50576)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: pch: Fix PCI device refcount leak in pch_request_dma()
As comment of pci_get_slot() says, it returns a pci_device with its
refcount increased. The caller must decrement the reference count by
calling pci_dev_put().
Since 'dma_dev' is only used to filter the channel in filter(), we can
call pci_dev_put() before exiting from pch_request_dma(). Add the
missing pci_dev_put() for the normal and error path.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da Version: 3c6a483275f47a2ef7119309ad3d791c10cf30da |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/pch_uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ff030ca10b69feeebda1427550ebf9ed2ad868",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "56e5a7c5ee3f0dc8978b5df2b1a98a1b060c5e2a",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "dfd15c5550b9190d5b0f9bcacb3e6436322f3854",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "d165388227aa7e46a9751b90bae6337b5335cdbb",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "07f4ca68b0f6bf84b6b391c14b59fd179fcde9c5",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "6f7d82380fbeaed3a940efc33c23f0c4bbd0fc02",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "4f5d28865c665c9064de631a518f9bc8099d9ce4",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "516614a371c26e3334625b4bca19a5362bf658d6",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
},
{
"lessThan": "8be3a7bf773700534a6e8f87f6ed2ed111254be5",
"status": "affected",
"version": "3c6a483275f47a2ef7119309ad3d791c10cf30da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/pch_uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: pch: Fix PCI device refcount leak in pch_request_dma()\n\nAs comment of pci_get_slot() says, it returns a pci_device with its\nrefcount increased. The caller must decrement the reference count by\ncalling pci_dev_put().\n\nSince \u0027dma_dev\u0027 is only used to filter the channel in filter(), we can\ncall pci_dev_put() before exiting from pch_request_dma(). Add the\nmissing pci_dev_put() for the normal and error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:30.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ff030ca10b69feeebda1427550ebf9ed2ad868"
},
{
"url": "https://git.kernel.org/stable/c/56e5a7c5ee3f0dc8978b5df2b1a98a1b060c5e2a"
},
{
"url": "https://git.kernel.org/stable/c/dfd15c5550b9190d5b0f9bcacb3e6436322f3854"
},
{
"url": "https://git.kernel.org/stable/c/d165388227aa7e46a9751b90bae6337b5335cdbb"
},
{
"url": "https://git.kernel.org/stable/c/07f4ca68b0f6bf84b6b391c14b59fd179fcde9c5"
},
{
"url": "https://git.kernel.org/stable/c/6f7d82380fbeaed3a940efc33c23f0c4bbd0fc02"
},
{
"url": "https://git.kernel.org/stable/c/4f5d28865c665c9064de631a518f9bc8099d9ce4"
},
{
"url": "https://git.kernel.org/stable/c/516614a371c26e3334625b4bca19a5362bf658d6"
},
{
"url": "https://git.kernel.org/stable/c/8be3a7bf773700534a6e8f87f6ed2ed111254be5"
}
],
"title": "serial: pch: Fix PCI device refcount leak in pch_request_dma()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50576",
"datePublished": "2025-10-22T13:23:30.250Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:30.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53179 (GCVE-0-2023-53179)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
which can lead to integer underflow. As a result, it leads to slab
out-of-bound access.
This patch adds back the IP_SET_HASH_WITH_NET0 macro to
ip_set_hash_netportnet to address the issue.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0d5d0b5c41f766355f2b42c47d13ea001f754c7d Version: cb3e590df429ce151d5041884a4947099b8ad6a7 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 886503f34d63e681662057448819edb5b1057a97 Version: 186642845b02e1a7944ef33c3a3ac41eba77517f Version: 919560afc21f91ca352a20394d5249aba1799690 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_netportnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7935b636dd693dfe4483cfef4a1e91366c8103fa",
"status": "affected",
"version": "0d5d0b5c41f766355f2b42c47d13ea001f754c7d",
"versionType": "git"
},
{
"lessThan": "e632d09dffc68b9602d6893a99bfe3001d36cefc",
"status": "affected",
"version": "cb3e590df429ce151d5041884a4947099b8ad6a7",
"versionType": "git"
},
{
"lessThan": "109e830585e89a03d554bf8ad0e668630d0a6260",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "83091f8ac03f118086596f17c9a52d31d6ca94b3",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "a9e6142e5f8f6ac7d1bca45c1b2b13b084ea9e14",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "7ca0706c68adadf86a36b60dca090f5e9481e808",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "d59b6fc405549f7caf31f6aa5da1d6bef746b166",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "d95c8420efe684b964e3aa28108e9a354bcd7225",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"lessThan": "050d91c03b28ca479df13dfb02bcd2c60dd6a878",
"status": "affected",
"version": "886503f34d63e681662057448819edb5b1057a97",
"versionType": "git"
},
{
"status": "affected",
"version": "186642845b02e1a7944ef33c3a3ac41eba77517f",
"versionType": "git"
},
{
"status": "affected",
"version": "919560afc21f91ca352a20394d5249aba1799690",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_netportnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.141",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c\n\nThe missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can\nlead to the use of wrong `CIDR_POS(c)` for calculating array offsets,\nwhich can lead to integer underflow. As a result, it leads to slab\nout-of-bound access.\nThis patch adds back the IP_SET_HASH_WITH_NET0 macro to\nip_set_hash_netportnet to address the issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:26.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7935b636dd693dfe4483cfef4a1e91366c8103fa"
},
{
"url": "https://git.kernel.org/stable/c/e632d09dffc68b9602d6893a99bfe3001d36cefc"
},
{
"url": "https://git.kernel.org/stable/c/109e830585e89a03d554bf8ad0e668630d0a6260"
},
{
"url": "https://git.kernel.org/stable/c/83091f8ac03f118086596f17c9a52d31d6ca94b3"
},
{
"url": "https://git.kernel.org/stable/c/a9e6142e5f8f6ac7d1bca45c1b2b13b084ea9e14"
},
{
"url": "https://git.kernel.org/stable/c/7ca0706c68adadf86a36b60dca090f5e9481e808"
},
{
"url": "https://git.kernel.org/stable/c/d59b6fc405549f7caf31f6aa5da1d6bef746b166"
},
{
"url": "https://git.kernel.org/stable/c/d95c8420efe684b964e3aa28108e9a354bcd7225"
},
{
"url": "https://git.kernel.org/stable/c/050d91c03b28ca479df13dfb02bcd2c60dd6a878"
}
],
"title": "netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53179",
"datePublished": "2025-09-15T14:04:26.782Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-15T14:04:26.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53421 (GCVE-0-2023-53421)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()
When blkg_alloc() is called to allocate a blkcg_gq structure
with the associated blkg_iostat_set's, there are 2 fields within
blkg_iostat_set that requires proper initialization - blkg & sync.
The former field was introduced by commit 3b8cc6298724 ("blk-cgroup:
Optimize blkcg_rstat_flush()") while the later one was introduced by
commit f73316482977 ("blk-cgroup: reimplement basic IO stats using
cgroup rstat").
Unfortunately those fields in the blkg_iostat_set's are not properly
re-initialized when they are cleared in v1's blkcg_reset_stats(). This
can lead to a kernel panic due to NULL pointer access of the blkg
pointer. The missing initialization of sync is less problematic and
can be a problem in a debug kernel due to missing lockdep initialization.
Fix these problems by re-initializing them after memory clearing.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0d26283af612b9e0cc3188b0b88ad7fdea447e8",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "3d2af77e31ade05ff7ccc3658c3635ec1bea0979",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()\n\nWhen blkg_alloc() is called to allocate a blkcg_gq structure\nwith the associated blkg_iostat_set\u0027s, there are 2 fields within\nblkg_iostat_set that requires proper initialization - blkg \u0026 sync.\nThe former field was introduced by commit 3b8cc6298724 (\"blk-cgroup:\nOptimize blkcg_rstat_flush()\") while the later one was introduced by\ncommit f73316482977 (\"blk-cgroup: reimplement basic IO stats using\ncgroup rstat\").\n\nUnfortunately those fields in the blkg_iostat_set\u0027s are not properly\nre-initialized when they are cleared in v1\u0027s blkcg_reset_stats(). This\ncan lead to a kernel panic due to NULL pointer access of the blkg\npointer. The missing initialization of sync is less problematic and\ncan be a problem in a debug kernel due to missing lockdep initialization.\n\nFix these problems by re-initializing them after memory clearing."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:04.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0d26283af612b9e0cc3188b0b88ad7fdea447e8"
},
{
"url": "https://git.kernel.org/stable/c/abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2"
},
{
"url": "https://git.kernel.org/stable/c/3d2af77e31ade05ff7ccc3658c3635ec1bea0979"
}
],
"title": "blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53421",
"datePublished": "2025-09-18T16:04:04.526Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2025-09-18T16:04:04.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37797 (GCVE-0-2025-37797)
Vulnerability from cvelistv5
Published
2025-05-02 14:16
Modified
2025-11-03 19:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a UAF vulnerability in class handling
This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.
The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free
The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 Version: 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:28.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28b09a067831f7317c3841812276022d6c940677",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "39b9095dd3b55d9b2743df038c32138efa34a9de",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "fcc8ede663569c704fb00a702973bd6c00373283",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "20d584a33e480ae80d105f43e0e7b56784da41b9",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "3aa852e3605000d5c47035c3fc3a986d14ccfa9f",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "86cd4641c713455a4f1c8e54c370c598c2b1cee0",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "bb583c88d23b72d8d16453d24856c99bd93dadf5",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
},
{
"lessThan": "3df275ef0a6ae181e8428a6589ef5d5231e58b5c",
"status": "affected",
"version": "21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn\u0027t emptied."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:21:05.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28b09a067831f7317c3841812276022d6c940677"
},
{
"url": "https://git.kernel.org/stable/c/39b9095dd3b55d9b2743df038c32138efa34a9de"
},
{
"url": "https://git.kernel.org/stable/c/fcc8ede663569c704fb00a702973bd6c00373283"
},
{
"url": "https://git.kernel.org/stable/c/20d584a33e480ae80d105f43e0e7b56784da41b9"
},
{
"url": "https://git.kernel.org/stable/c/3aa852e3605000d5c47035c3fc3a986d14ccfa9f"
},
{
"url": "https://git.kernel.org/stable/c/86cd4641c713455a4f1c8e54c370c598c2b1cee0"
},
{
"url": "https://git.kernel.org/stable/c/bb583c88d23b72d8d16453d24856c99bd93dadf5"
},
{
"url": "https://git.kernel.org/stable/c/3df275ef0a6ae181e8428a6589ef5d5231e58b5c"
}
],
"title": "net_sched: hfsc: Fix a UAF vulnerability in class handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37797",
"datePublished": "2025-05-02T14:16:01.905Z",
"dateReserved": "2025-04-16T04:51:23.941Z",
"dateUpdated": "2025-11-03T19:55:28.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26584 (GCVE-0-2024-26584)
Vulnerability from cvelistv5
Published
2024-02-21 14:59
Modified
2025-11-04 18:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tls: handle backlogging of crypto requests
Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our
requests to the crypto API, crypto_aead_{encrypt,decrypt} can return
-EBUSY instead of -EINPROGRESS in valid situations. For example, when
the cryptd queue for AESNI is full (easy to trigger with an
artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued
to the backlog but still processed. In that case, the async callback
will also be called twice: first with err == -EINPROGRESS, which it
seems we can just ignore, then with err == 0.
Compared to Sabrina's original patch this version uses the new
tls_*crypt_async_wait() helpers and converts the EBUSY to
EINPROGRESS to avoid having to modify all the error handling
paths. The handling is identical.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-26T17:14:36.035758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:03.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:47.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ade391adc584f17b5570fd205de3ad029090368",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "13eca403876bbea3716e82cdfe6f1e6febb38754",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "ab6397f072e5097f267abf5cb08a8004e6b17694",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "8590541473188741055d27b955db0777569438e3",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we\u0027re setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina\u0027s original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:51:35.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368"
},
{
"url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72"
},
{
"url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754"
},
{
"url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694"
},
{
"url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3"
}
],
"title": "net: tls: handle backlogging of crypto requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26584",
"datePublished": "2024-02-21T14:59:12.452Z",
"dateReserved": "2024-02-19T14:20:24.125Z",
"dateUpdated": "2025-11-04T18:29:47.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53725 (GCVE-0-2023-53725)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
Smatch reports:
drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()
warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.
timer_baseaddr may have the problem of not being released after use,
I replaced it with the devm_of_iomap() function and added the clk_put()
function to cleanup the "clk_ce" and "clk_cs".
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c Version: e932900a3279b5dbb6d8f43c7b369003620e137c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/timer-cadence-ttc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e0a9cc90ea44a50d76a84f9f9bf1703d31fe45e9",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "54cc10a0f4b01b522e9519014200f1b33bf7e4aa",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "ebdff0986513a29be242aace0ef89b6c105b0bf0",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "289e2054eeb63c9e133960731c342eeffad218d3",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "919dd531ebb7514f205ae7aab87994337ebce1f6",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "67d7eebbc424935dec61fb352d1ccae5d16cf429",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "99744200f28b2cf5f50767447e51b4b4a977d145",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
},
{
"lessThan": "8b5bf64c89c7100c921bd807ba39b2eb003061ab",
"status": "affected",
"version": "e932900a3279b5dbb6d8f43c7b369003620e137c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/timer-cadence-ttc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe\n\nSmatch reports:\ndrivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()\nwarn: \u0027timer_baseaddr\u0027 from of_iomap() not released on lines: 498,508,516.\n\ntimer_baseaddr may have the problem of not being released after use,\nI replaced it with the devm_of_iomap() function and added the clk_put()\nfunction to cleanup the \"clk_ce\" and \"clk_cs\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:55.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e0a9cc90ea44a50d76a84f9f9bf1703d31fe45e9"
},
{
"url": "https://git.kernel.org/stable/c/54cc10a0f4b01b522e9519014200f1b33bf7e4aa"
},
{
"url": "https://git.kernel.org/stable/c/ebdff0986513a29be242aace0ef89b6c105b0bf0"
},
{
"url": "https://git.kernel.org/stable/c/289e2054eeb63c9e133960731c342eeffad218d3"
},
{
"url": "https://git.kernel.org/stable/c/919dd531ebb7514f205ae7aab87994337ebce1f6"
},
{
"url": "https://git.kernel.org/stable/c/67d7eebbc424935dec61fb352d1ccae5d16cf429"
},
{
"url": "https://git.kernel.org/stable/c/99744200f28b2cf5f50767447e51b4b4a977d145"
},
{
"url": "https://git.kernel.org/stable/c/8b5bf64c89c7100c921bd807ba39b2eb003061ab"
}
],
"title": "clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53725",
"datePublished": "2025-10-22T13:23:55.200Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:55.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40088 (GCVE-0-2025-40088)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2025-10-30 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
The hfsplus_strcasecmp() logic can trigger the issue:
[ 117.317703][ T9855] ==================================================================
[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
[ 117.319577][ T9855]
[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 117.319783][ T9855] Call Trace:
[ 117.319785][ T9855] <TASK>
[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0
[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10
[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0
[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0
[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40
[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319842][ T9855] print_report+0x17e/0x7e0
[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180
[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319876][ T9855] kasan_report+0x147/0x180
[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490
[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0
[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470
[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10
[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10
[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510
[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10
[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510
[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0
[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120
[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890
[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10
[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0
[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80
[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10
[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100
[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150
[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0
[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10
[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0
[ 117.320055][ T9855] lookup_slow+0x53/0x70
[ 117.320065][ T9855] walk_component+0x2f0/0x430
[ 117.320073][ T9855] path_lookupat+0x169/0x440
[ 117.320081][ T9855] filename_lookup+0x212/0x590
[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10
[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290
[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540
[ 117.320112][ T9855] user_path_at+0x3a/0x60
[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160
[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10
[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0
[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0
[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0
[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "603158d4efa98a13a746bd586c20f194f4a31ec8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef250c3edd995d7bb5a5e5122ffad1c28a8686eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ab44236b32ed41eb0636797e8e8e885a2f3b18a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b47a75b6f762321f9eb6f31aab7bce47a37063b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "586c75dfd1d265c4150f6529debb85c9d62e101f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bc081ba6c52b0c88c92701e3fbc33c7e2277afb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "42520df65bf67189541a425f7d36b0b3e7bd7844",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[ 117.317703][ T9855] ==================================================================\n[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[ 117.319577][ T9855]\n[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 117.319783][ T9855] Call Trace:\n[ 117.319785][ T9855] \u003cTASK\u003e\n[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0\n[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10\n[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0\n[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0\n[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40\n[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319842][ T9855] print_report+0x17e/0x7e0\n[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180\n[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319876][ T9855] kasan_report+0x147/0x180\n[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0\n[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470\n[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10\n[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10\n[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510\n[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10\n[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510\n[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0\n[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120\n[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890\n[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10\n[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0\n[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80\n[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10\n[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100\n[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150\n[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0\n[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10\n[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0\n[ 117.320055][ T9855] lookup_slow+0x53/0x70\n[ 117.320065][ T9855] walk_component+0x2f0/0x430\n[ 117.320073][ T9855] path_lookupat+0x169/0x440\n[ 117.320081][ T9855] filename_lookup+0x212/0x590\n[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10\n[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290\n[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540\n[ 117.320112][ T9855] user_path_at+0x3a/0x60\n[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160\n[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10\n[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0\n[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0\n[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0\n[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T09:47:57.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8"
},
{
"url": "https://git.kernel.org/stable/c/ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"
},
{
"url": "https://git.kernel.org/stable/c/7ab44236b32ed41eb0636797e8e8e885a2f3b18a"
},
{
"url": "https://git.kernel.org/stable/c/b47a75b6f762321f9eb6f31aab7bce47a37063b7"
},
{
"url": "https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"
},
{
"url": "https://git.kernel.org/stable/c/586c75dfd1d265c4150f6529debb85c9d62e101f"
},
{
"url": "https://git.kernel.org/stable/c/4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"
},
{
"url": "https://git.kernel.org/stable/c/42520df65bf67189541a425f7d36b0b3e7bd7844"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40088",
"datePublished": "2025-10-30T09:47:57.333Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2025-10-30T09:47:57.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39920 (GCVE-0-2025-39920)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Add error handling for add_interval() in do_validate_mem()
In the do_validate_mem(), the call to add_interval() does not
handle errors. If kmalloc() fails in add_interval(), it could
result in a null pointer being inserted into the linked list,
leading to illegal memory access when sub_interval() is called
next.
This patch adds an error handling for the add_interval(). If
add_interval() returns an error, the function will return early
with the error code.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:40.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b60ed401b47897352c520bc724c85aa908dedcc",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "ae184024ef31423e5beb44cf4f52999bbcf2fe5b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "85be7ef8c8e792a414940a38d94565dd48d2f236",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "06b26e3099207c94b3d1be8565aedc6edc4f0a60",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "289b58f8ff3198d091074a751d6b8f6827726f3e",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "369bf6e241506583f4ee7593c53b92e5a9f271b4",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "4a81f78caa53e0633cf311ca1526377d9bff7479",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Add error handling for add_interval() in do_validate_mem()\n\nIn the do_validate_mem(), the call to add_interval() does not\nhandle errors. If kmalloc() fails in add_interval(), it could\nresult in a null pointer being inserted into the linked list,\nleading to illegal memory access when sub_interval() is called\nnext.\n\nThis patch adds an error handling for the add_interval(). If\nadd_interval() returns an error, the function will return early\nwith the error code."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:15.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b60ed401b47897352c520bc724c85aa908dedcc"
},
{
"url": "https://git.kernel.org/stable/c/ae184024ef31423e5beb44cf4f52999bbcf2fe5b"
},
{
"url": "https://git.kernel.org/stable/c/85be7ef8c8e792a414940a38d94565dd48d2f236"
},
{
"url": "https://git.kernel.org/stable/c/06b26e3099207c94b3d1be8565aedc6edc4f0a60"
},
{
"url": "https://git.kernel.org/stable/c/8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b"
},
{
"url": "https://git.kernel.org/stable/c/289b58f8ff3198d091074a751d6b8f6827726f3e"
},
{
"url": "https://git.kernel.org/stable/c/369bf6e241506583f4ee7593c53b92e5a9f271b4"
},
{
"url": "https://git.kernel.org/stable/c/4a81f78caa53e0633cf311ca1526377d9bff7479"
}
],
"title": "pcmcia: Add error handling for add_interval() in do_validate_mem()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39920",
"datePublished": "2025-10-01T07:55:15.731Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:40.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53726 (GCVE-0-2023-53726)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: csum: Fix OoB access in IP checksum code for negative lengths
Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length
calls") added an early return for zero-length input, syzkaller has
popped up with an example of a _negative_ length which causes an
undefined shift and an out-of-bounds read:
| BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
| Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975
|
| CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
| Call trace:
| dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
| show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
| __dump_stack lib/dump_stack.c:88 [inline]
| dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
| print_address_description mm/kasan/report.c:351 [inline]
| print_report+0x174/0x514 mm/kasan/report.c:462
| kasan_report+0xd4/0x130 mm/kasan/report.c:572
| kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
| __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
| do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
| csum_partial+0x30/0x58 lib/checksum.c:128
| gso_make_checksum include/linux/skbuff.h:4928 [inline]
| __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332
| udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47
| ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119
| skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141
| __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401
| skb_gso_segment include/linux/netdevice.h:4859 [inline]
| validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659
| validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709
| sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327
| __dev_xmit_skb net/core/dev.c:3805 [inline]
| __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210
| dev_queue_xmit include/linux/netdevice.h:3085 [inline]
| packet_xmit+0x6c/0x318 net/packet/af_packet.c:276
| packet_snd net/packet/af_packet.c:3081 [inline]
| packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113
| sock_sendmsg_nosec net/socket.c:724 [inline]
| sock_sendmsg net/socket.c:747 [inline]
| __sys_sendto+0x3b4/0x538 net/socket.c:2144
Extend the early return to reject negative lengths as well, aligning our
implementation with the generic code in lib/checksum.c
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e Version: 5777eaed566a1d63e344d3dd8f2b5e33be20643e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/lib/csum.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a85727239a23de1cc8d93985f1056308128f3e2",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
},
{
"lessThan": "9a43563cfd6b9200ff2f76b3f9fcdcb217ceb523",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
},
{
"lessThan": "ba0b46166b8e547024d02345a68b747841931ad2",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
},
{
"lessThan": "a5ad2f87d8e74e351d3f500ad9d5b3a5653e1c6f",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
},
{
"lessThan": "fcdf904e866de0e3715835e50409fda3b2590527",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
},
{
"lessThan": "8bd795fedb8450ecbef18eeadbd23ed8fc7630f5",
"status": "affected",
"version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/lib/csum.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: csum: Fix OoB access in IP checksum code for negative lengths\n\nAlthough commit c2c24edb1d9c (\"arm64: csum: Fix pathological zero-length\ncalls\") added an early return for zero-length input, syzkaller has\npopped up with an example of a _negative_ length which causes an\nundefined shift and an out-of-bounds read:\n\n | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975\n |\n | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\n | Call trace:\n | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233\n | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240\n | __dump_stack lib/dump_stack.c:88 [inline]\n | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n | print_address_description mm/kasan/report.c:351 [inline]\n | print_report+0x174/0x514 mm/kasan/report.c:462\n | kasan_report+0xd4/0x130 mm/kasan/report.c:572\n | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187\n | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31\n | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | csum_partial+0x30/0x58 lib/checksum.c:128\n | gso_make_checksum include/linux/skbuff.h:4928 [inline]\n | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332\n | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47\n | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119\n | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141\n | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401\n | skb_gso_segment include/linux/netdevice.h:4859 [inline]\n | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659\n | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709\n | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327\n | __dev_xmit_skb net/core/dev.c:3805 [inline]\n | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210\n | dev_queue_xmit include/linux/netdevice.h:3085 [inline]\n | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276\n | packet_snd net/packet/af_packet.c:3081 [inline]\n | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113\n | sock_sendmsg_nosec net/socket.c:724 [inline]\n | sock_sendmsg net/socket.c:747 [inline]\n | __sys_sendto+0x3b4/0x538 net/socket.c:2144\n\nExtend the early return to reject negative lengths as well, aligning our\nimplementation with the generic code in lib/checksum.c"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:55.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a85727239a23de1cc8d93985f1056308128f3e2"
},
{
"url": "https://git.kernel.org/stable/c/9a43563cfd6b9200ff2f76b3f9fcdcb217ceb523"
},
{
"url": "https://git.kernel.org/stable/c/ba0b46166b8e547024d02345a68b747841931ad2"
},
{
"url": "https://git.kernel.org/stable/c/a5ad2f87d8e74e351d3f500ad9d5b3a5653e1c6f"
},
{
"url": "https://git.kernel.org/stable/c/fcdf904e866de0e3715835e50409fda3b2590527"
},
{
"url": "https://git.kernel.org/stable/c/8bd795fedb8450ecbef18eeadbd23ed8fc7630f5"
}
],
"title": "arm64: csum: Fix OoB access in IP checksum code for negative lengths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53726",
"datePublished": "2025-10-22T13:23:55.896Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:55.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39685 (GCVE-0-2025-39685)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl726: Prevent invalid irq number
The reproducer passed in an irq number(0x80008000) that was too large,
which triggered the oob.
Added an interrupt number check to prevent users from passing in an irq
number that was too large.
If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid
because it shifts a 1-bit into the sign bit (which is UB in C).
Possible solutions include reducing the upper bound on the
`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.
The old code would just not attempt to request the IRQ if the
`options[1]` value were invalid. And it would still configure the
device without interrupts even if the call to `request_irq` returned an
error. So it would be better to combine this test with the test below.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fff46207245cd9e39c05b638afaee2478e64914b Version: fff46207245cd9e39c05b638afaee2478e64914b Version: fff46207245cd9e39c05b638afaee2478e64914b Version: fff46207245cd9e39c05b638afaee2478e64914b Version: fff46207245cd9e39c05b638afaee2478e64914b Version: fff46207245cd9e39c05b638afaee2478e64914b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:17.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl726.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bab220b0bb5af652007e278e8e8357f952b0e1ea",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
},
{
"lessThan": "5a33d07c94ba91306093e823112a7aa9727549f6",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
},
{
"lessThan": "0eb4ed2aa261dee228f1668dbfa6d87353e8162d",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
},
{
"lessThan": "a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
},
{
"lessThan": "d8992c9a01f81128f36acb7c5755530e21fcd059",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
},
{
"lessThan": "96cb948408b3adb69df7e451ba7da9d21f814d00",
"status": "affected",
"version": "fff46207245cd9e39c05b638afaee2478e64914b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl726.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl726: Prevent invalid irq number\n\nThe reproducer passed in an irq number(0x80008000) that was too large,\nwhich triggered the oob.\n\nAdded an interrupt number check to prevent users from passing in an irq\nnumber that was too large.\n\nIf `it-\u003eoptions[1]` is 31, then `1 \u003c\u003c it-\u003eoptions[1]` is still invalid\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\nPossible solutions include reducing the upper bound on the\n`it-\u003eoptions[1]` value to 30 or lower, or using `1U \u003c\u003c it-\u003eoptions[1]`.\n\nThe old code would just not attempt to request the IRQ if the\n`options[1]` value were invalid. And it would still configure the\ndevice without interrupts even if the call to `request_irq` returned an\nerror. So it would be better to combine this test with the test below."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:23.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bab220b0bb5af652007e278e8e8357f952b0e1ea"
},
{
"url": "https://git.kernel.org/stable/c/5a33d07c94ba91306093e823112a7aa9727549f6"
},
{
"url": "https://git.kernel.org/stable/c/0eb4ed2aa261dee228f1668dbfa6d87353e8162d"
},
{
"url": "https://git.kernel.org/stable/c/a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6"
},
{
"url": "https://git.kernel.org/stable/c/d8992c9a01f81128f36acb7c5755530e21fcd059"
},
{
"url": "https://git.kernel.org/stable/c/96cb948408b3adb69df7e451ba7da9d21f814d00"
}
],
"title": "comedi: pcl726: Prevent invalid irq number",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39685",
"datePublished": "2025-09-05T17:20:51.954Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:17.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53658 (GCVE-0-2023-53658)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
If neither a "hif_mspi" nor "mspi" resource is present, the driver will
just early exit in probe but still return success. Apart from not doing
anything meaningful, this would then also lead to a null pointer access
on removal, as platform_get_drvdata() would return NULL, which it would
then try to dereference when trying to unregister the spi master.
Fix this by unconditionally calling devm_ioremap_resource(), as it can
handle a NULL res and will then return a viable ERR_PTR() if we get one.
The "return 0;" was previously a "goto qspi_resource_err;" where then
ret was returned, but since ret was still initialized to 0 at this place
this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix
use-after-free on unbind"). The issue was not introduced by this commit,
only made more obvious.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 Version: fa236a7ef24048bafaeed13f68df35a819794758 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a91c34357afcfaa5307e254f22a8452550a07b34",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "d20db3c58a7f9361e370a7850ceb60dbdf62eea3",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "398e6a015877d44327f754aeb48ff3354945c78c",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "32b9c8f7892c19f7f5c9fed5fb410b9fd5990bb6",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "217b6ea8cf7b819477bca597a6ae2d43d38ba283",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "d3dcdb43c872a3b967345144151a2c9bb9124c9b",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "22ae32d80ef590d12a2364e4621f90f7c58445c7",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
},
{
"lessThan": "7c1f23ad34fcdace50275a6aa1e1969b41c6233f",
"status": "affected",
"version": "fa236a7ef24048bafaeed13f68df35a819794758",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm-qspi: return error if neither hif_mspi nor mspi is available\n\nIf neither a \"hif_mspi\" nor \"mspi\" resource is present, the driver will\njust early exit in probe but still return success. Apart from not doing\nanything meaningful, this would then also lead to a null pointer access\non removal, as platform_get_drvdata() would return NULL, which it would\nthen try to dereference when trying to unregister the spi master.\n\nFix this by unconditionally calling devm_ioremap_resource(), as it can\nhandle a NULL res and will then return a viable ERR_PTR() if we get one.\n\nThe \"return 0;\" was previously a \"goto qspi_resource_err;\" where then\nret was returned, but since ret was still initialized to 0 at this place\nthis was a valid conversion in 63c5395bb7a9 (\"spi: bcm-qspi: Fix\nuse-after-free on unbind\"). The issue was not introduced by this commit,\nonly made more obvious."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:18.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a91c34357afcfaa5307e254f22a8452550a07b34"
},
{
"url": "https://git.kernel.org/stable/c/d20db3c58a7f9361e370a7850ceb60dbdf62eea3"
},
{
"url": "https://git.kernel.org/stable/c/398e6a015877d44327f754aeb48ff3354945c78c"
},
{
"url": "https://git.kernel.org/stable/c/32b9c8f7892c19f7f5c9fed5fb410b9fd5990bb6"
},
{
"url": "https://git.kernel.org/stable/c/217b6ea8cf7b819477bca597a6ae2d43d38ba283"
},
{
"url": "https://git.kernel.org/stable/c/d3dcdb43c872a3b967345144151a2c9bb9124c9b"
},
{
"url": "https://git.kernel.org/stable/c/22ae32d80ef590d12a2364e4621f90f7c58445c7"
},
{
"url": "https://git.kernel.org/stable/c/7c1f23ad34fcdace50275a6aa1e1969b41c6233f"
}
],
"title": "spi: bcm-qspi: return error if neither hif_mspi nor mspi is available",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53658",
"datePublished": "2025-10-07T15:21:18.950Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:21:18.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40018 (GCVE-0-2025-40018)
Vulnerability from cvelistv5
Published
2025-10-24 11:44
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: Defer ip_vs_ftp unregister during netns cleanup
On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
before connections with valid cp->app pointers are flushed, leading to a
use-after-free.
Fix this by introducing a global `exiting_module` flag, set to true in
ip_vs_ftp_exit() before unregistering the pernet subsystem. In
__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
cleanup (when exiting_module is false) and defer it to
__ip_vs_cleanup_batch(), which unregisters all apps after all connections
are flushed. If called during module exit, unregister ip_vs_ftp
immediately.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 Version: 61b1ab4583e275af216c8454b9256de680499b19 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_ftp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a6ecab3847c213ce2855b0378e63ce839085de3",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "421b1ae1574dfdda68b835c15ac4921ec0030182",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "1d79471414d7b9424d699afff2aa79fff322f52d",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "53717f8a4347b78eac6488072ad8e5adbaff38d9",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "8cbe2a21d85727b66d7c591fd5d83df0d8c4f757",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "dc1a481359a72ee7e548f1f5da671282a7c13b8f",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "a343811ef138a265407167294275201621e9ebb2",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "134121bfd99a06d44ef5ba15a9beb075297c0821",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_ftp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp-\u003eapp pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:22.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a6ecab3847c213ce2855b0378e63ce839085de3"
},
{
"url": "https://git.kernel.org/stable/c/421b1ae1574dfdda68b835c15ac4921ec0030182"
},
{
"url": "https://git.kernel.org/stable/c/1d79471414d7b9424d699afff2aa79fff322f52d"
},
{
"url": "https://git.kernel.org/stable/c/53717f8a4347b78eac6488072ad8e5adbaff38d9"
},
{
"url": "https://git.kernel.org/stable/c/8cbe2a21d85727b66d7c591fd5d83df0d8c4f757"
},
{
"url": "https://git.kernel.org/stable/c/dc1a481359a72ee7e548f1f5da671282a7c13b8f"
},
{
"url": "https://git.kernel.org/stable/c/a343811ef138a265407167294275201621e9ebb2"
},
{
"url": "https://git.kernel.org/stable/c/134121bfd99a06d44ef5ba15a9beb075297c0821"
}
],
"title": "ipvs: Defer ip_vs_ftp unregister during netns cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40018",
"datePublished": "2025-10-24T11:44:28.955Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-29T13:19:22.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53374 (GCVE-0-2023-53374)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early
Not calling hci_(dis)connect_cfm before deleting conn referred to by a
socket generally results to use-after-free.
When cleaning up SCO connections when the parent ACL is deleted too
early, use hci_conn_failed to do the connection cleanup properly.
We also need to clean up ISO connections in a similar situation when
connecting has started but LE Create CIS is not yet sent, so do it too
here.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "397d58007532644b35fad746da48c41161f32a57",
"status": "affected",
"version": "ca1fd42e7dbfcb34890ffbf1f2f4b356776dab6f",
"versionType": "git"
},
{
"lessThan": "e94b898463a62b72a2a8b75dea8936bf4db78e00",
"status": "affected",
"version": "ca1fd42e7dbfcb34890ffbf1f2f4b356776dab6f",
"versionType": "git"
},
{
"lessThan": "3344d318337d9dca928fd448e966557ec5063f85",
"status": "affected",
"version": "ca1fd42e7dbfcb34890ffbf1f2f4b356776dab6f",
"versionType": "git"
},
{
"status": "affected",
"version": "75e35bd4b7935ceed2aacd82f55940e73bf0b63b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early\n\nNot calling hci_(dis)connect_cfm before deleting conn referred to by a\nsocket generally results to use-after-free.\n\nWhen cleaning up SCO connections when the parent ACL is deleted too\nearly, use hci_conn_failed to do the connection cleanup properly.\n\nWe also need to clean up ISO connections in a similar situation when\nconnecting has started but LE Create CIS is not yet sent, so do it too\nhere."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:20.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/397d58007532644b35fad746da48c41161f32a57"
},
{
"url": "https://git.kernel.org/stable/c/e94b898463a62b72a2a8b75dea8936bf4db78e00"
},
{
"url": "https://git.kernel.org/stable/c/3344d318337d9dca928fd448e966557ec5063f85"
}
],
"title": "Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53374",
"datePublished": "2025-09-18T13:33:20.965Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2025-09-18T13:33:20.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53500 (GCVE-0-2023-53500)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix slab-use-after-free in decode_session6
When the xfrm device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when the xfrm device sends IPv6 packets.
The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff8881111458ef by task swapper/3/0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
xfrmi_xmit+0x173/0x1ca0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:intel_idle_hlt+0x23/0x30
Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
cpuidle_enter_state+0xd3/0x6f0
cpuidle_enter+0x4e/0xa0
do_idle+0x2fe/0x3c0
cpu_startup_entry+0x18/0x20
start_secondary+0x200/0x290
secondary_startup_64_no_verify+0x167/0x16b
</TASK>
Allocated by task 939:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
inet6_ifa_notify+0x118/0x230
__ipv6_ifa_notify+0x177/0xbe0
addrconf_dad_completed+0x133/0xe00
addrconf_dad_work+0x764/0x1390
process_one_work+0xa32/0x16f0
worker_thread+0x67d/0x10c0
kthread+0x344/0x440
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888111145800
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 239 bytes inside of
freed 640-byte region [ffff888111145800, ffff888111145a80)
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 Version: f855691975bb06373a98711e4cfe2c224244b536 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da4cbaa75ed088b6d70db77b9103a27e2359e243",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "db0e50741f0387f388e9ec824ea7ae8456554d5b",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "bafa236380816b41b2c4c6970d9067fefa4a6c9e",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "44b3d40967009304617a7a6486490c1d6c12f899",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "0d27567fde5be5f0edc2db5c110142b7915b8fa8",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "86f15300a22656db3fa8c8967defbcd24fac4d37",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "53223f2ed1ef5c90dad814daaaefea4e68a933c8",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix slab-use-after-free in decode_session6\n\nWhen the xfrm device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when the xfrm device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff8881111458ef by task swapper/3/0\nCPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nxfrmi_xmit+0x173/0x1ca0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n\u003c/IRQ\u003e\n\u003cTASK\u003e\nasm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:intel_idle_hlt+0x23/0x30\nCode: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 \u003cfa\u003e 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4\nRSP: 0018:ffffc90000197d78 EFLAGS: 00000246\nRAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5\nRDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50\nRBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d\nR10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001\nR13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000\ncpuidle_enter_state+0xd3/0x6f0\ncpuidle_enter+0x4e/0xa0\ndo_idle+0x2fe/0x3c0\ncpu_startup_entry+0x18/0x20\nstart_secondary+0x200/0x290\nsecondary_startup_64_no_verify+0x167/0x16b\n\u003c/TASK\u003e\nAllocated by task 939:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\ninet6_ifa_notify+0x118/0x230\n__ipv6_ifa_notify+0x177/0xbe0\naddrconf_dad_completed+0x133/0xe00\naddrconf_dad_work+0x764/0x1390\nprocess_one_work+0xa32/0x16f0\nworker_thread+0x67d/0x10c0\nkthread+0x344/0x440\nret_from_fork+0x1f/0x30\nThe buggy address belongs to the object at ffff888111145800\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 239 bytes inside of\nfreed 640-byte region [ffff888111145800, ffff888111145a80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)-\u003enhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:51.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da4cbaa75ed088b6d70db77b9103a27e2359e243"
},
{
"url": "https://git.kernel.org/stable/c/db0e50741f0387f388e9ec824ea7ae8456554d5b"
},
{
"url": "https://git.kernel.org/stable/c/bafa236380816b41b2c4c6970d9067fefa4a6c9e"
},
{
"url": "https://git.kernel.org/stable/c/44b3d40967009304617a7a6486490c1d6c12f899"
},
{
"url": "https://git.kernel.org/stable/c/0d27567fde5be5f0edc2db5c110142b7915b8fa8"
},
{
"url": "https://git.kernel.org/stable/c/86f15300a22656db3fa8c8967defbcd24fac4d37"
},
{
"url": "https://git.kernel.org/stable/c/53223f2ed1ef5c90dad814daaaefea4e68a933c8"
}
],
"title": "xfrm: fix slab-use-after-free in decode_session6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53500",
"datePublished": "2025-10-01T11:45:51.182Z",
"dateReserved": "2025-10-01T11:39:39.404Z",
"dateUpdated": "2025-10-01T11:45:51.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53314 (GCVE-0-2023-53314)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
Do not assing the Linux device to struct fb_info.dev. The call to
register_framebuffer() initializes the field to the fbdev device.
Drivers should not override its value.
Fixes a bug where the driver incorrectly decreases the hardware
device's reference counter and leaks the fbdev device.
v2:
* add Fixes tag (Dan)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 Version: 88017bda96a5fd568a982b01546c8fb1782dda62 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/ep93xx-fb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffdf2b020db717853167391a3a8d912e13428fa6",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "1c6ff2a7c593db851f23e31ace2baf557ea9d0ff",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "8ffa40ff64aa43a9a28fcf209b48d86a3e0f4972",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "4aade6c9100a3537788b6a9c7ac481037d19efdf",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "309c27162afea79b3c7f8747bb650faf6923b639",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "f83c1b13f8154e0284448912756d0a351a1a602a",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "0517fc5a71333b315164736bbd32608894fbb872",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
},
{
"lessThan": "f90a0e5265b60cdd3c77990e8105f79aa2fac994",
"status": "affected",
"version": "88017bda96a5fd568a982b01546c8fb1782dda62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/ep93xx-fb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev/ep93xx-fb: Do not assign to struct fb_info.dev\n\nDo not assing the Linux device to struct fb_info.dev. The call to\nregister_framebuffer() initializes the field to the fbdev device.\nDrivers should not override its value.\n\nFixes a bug where the driver incorrectly decreases the hardware\ndevice\u0027s reference counter and leaks the fbdev device.\n\nv2:\n\t* add Fixes tag (Dan)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:51.435Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffdf2b020db717853167391a3a8d912e13428fa6"
},
{
"url": "https://git.kernel.org/stable/c/1c6ff2a7c593db851f23e31ace2baf557ea9d0ff"
},
{
"url": "https://git.kernel.org/stable/c/8ffa40ff64aa43a9a28fcf209b48d86a3e0f4972"
},
{
"url": "https://git.kernel.org/stable/c/4aade6c9100a3537788b6a9c7ac481037d19efdf"
},
{
"url": "https://git.kernel.org/stable/c/309c27162afea79b3c7f8747bb650faf6923b639"
},
{
"url": "https://git.kernel.org/stable/c/f83c1b13f8154e0284448912756d0a351a1a602a"
},
{
"url": "https://git.kernel.org/stable/c/0517fc5a71333b315164736bbd32608894fbb872"
},
{
"url": "https://git.kernel.org/stable/c/f90a0e5265b60cdd3c77990e8105f79aa2fac994"
}
],
"title": "fbdev/ep93xx-fb: Do not assign to struct fb_info.dev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53314",
"datePublished": "2025-09-16T16:11:51.435Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2025-09-16T16:11:51.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53448 (GCVE-0-2023-53448)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: imxfb: Removed unneeded release_mem_region
Remove unnecessary release_mem_region from the error path to prevent
mem region from being released twice, which could avoid resource leak
or other unexpected issues.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/imxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6aa851f6276fa08cd59b044bc2b803c49edf58a2",
"status": "affected",
"version": "b083c22d51148f3d3028291343196471be5d9f36",
"versionType": "git"
},
{
"lessThan": "38282a92c30422836d49e519bd109237f86a0888",
"status": "affected",
"version": "b083c22d51148f3d3028291343196471be5d9f36",
"versionType": "git"
},
{
"lessThan": "45fcc058a75bf5d65cf4c32da44a252fbe873cd4",
"status": "affected",
"version": "b083c22d51148f3d3028291343196471be5d9f36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/imxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Removed unneeded release_mem_region\n\nRemove unnecessary release_mem_region from the error path to prevent\nmem region from being released twice, which could avoid resource leak\nor other unexpected issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:20.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6aa851f6276fa08cd59b044bc2b803c49edf58a2"
},
{
"url": "https://git.kernel.org/stable/c/38282a92c30422836d49e519bd109237f86a0888"
},
{
"url": "https://git.kernel.org/stable/c/45fcc058a75bf5d65cf4c32da44a252fbe873cd4"
}
],
"title": "fbdev: imxfb: Removed unneeded release_mem_region",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53448",
"datePublished": "2025-10-01T11:42:20.557Z",
"dateReserved": "2025-09-17T14:54:09.753Z",
"dateUpdated": "2025-10-01T11:42:20.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50480 (GCVE-0-2022-50480)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
The break of for_each_available_child_of_node() needs a
corresponding of_node_put() when the reference 'child' is not
used anymore. Here we do not need to call of_node_put() in
fail path as '!match' means no break.
While the of_platform_device_create() will created a new
reference by 'child' but it has considered the refcounting.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 Version: fee10bd2267868f2a3e7ba008ef7665aac5e4412 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/memory/pl353-smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b37f4a711e5d4bf3608ccbc6de82b52e92b441a0",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
},
{
"lessThan": "fde46754d5483bc398018bbec3c8ef5c55219e67",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
},
{
"lessThan": "566b143aa5112a0c2784e20603778518bb799537",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
},
{
"lessThan": "44db35ceb94756ba513dcf6b69bf9e949b28469c",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
},
{
"lessThan": "49605dc25e7fb33bf8b671279d4468531da90f89",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
},
{
"lessThan": "61b3c876c1cbdb1efd1f52a1f348580e6e14efb6",
"status": "affected",
"version": "fee10bd2267868f2a3e7ba008ef7665aac5e4412",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/memory/pl353-smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()\n\nThe break of for_each_available_child_of_node() needs a\ncorresponding of_node_put() when the reference \u0027child\u0027 is not\nused anymore. Here we do not need to call of_node_put() in\nfail path as \u0027!match\u0027 means no break.\n\nWhile the of_platform_device_create() will created a new\nreference by \u0027child\u0027 but it has considered the refcounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:39.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b37f4a711e5d4bf3608ccbc6de82b52e92b441a0"
},
{
"url": "https://git.kernel.org/stable/c/fde46754d5483bc398018bbec3c8ef5c55219e67"
},
{
"url": "https://git.kernel.org/stable/c/566b143aa5112a0c2784e20603778518bb799537"
},
{
"url": "https://git.kernel.org/stable/c/44db35ceb94756ba513dcf6b69bf9e949b28469c"
},
{
"url": "https://git.kernel.org/stable/c/49605dc25e7fb33bf8b671279d4468531da90f89"
},
{
"url": "https://git.kernel.org/stable/c/61b3c876c1cbdb1efd1f52a1f348580e6e14efb6"
}
],
"title": "memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50480",
"datePublished": "2025-10-04T15:16:39.704Z",
"dateReserved": "2025-10-04T15:13:33.467Z",
"dateUpdated": "2025-10-04T15:16:39.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53600 (GCVE-0-2023-53600)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tunnels: fix kasan splat when generating ipv4 pmtu error
If we try to emit an icmp error in response to a nonliner skb, we get
BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220
Read of size 4 at addr ffff88811c50db00 by task iperf3/1691
CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309
[..]
kasan_report+0x105/0x140
ip_compute_csum+0x134/0x220
iptunnel_pmtud_build_icmp+0x554/0x1020
skb_tunnel_check_pmtu+0x513/0xb80
vxlan_xmit_one+0x139e/0x2ef0
vxlan_xmit+0x1867/0x2760
dev_hard_start_xmit+0x1ee/0x4f0
br_dev_queue_push_xmit+0x4d1/0x660
[..]
ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.
After this change, splat is gone and iperf3 is no longer stuck.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5850c391fd7e25662334cb3cbf29a62bcbff1084",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "e95808121953410db8c59f0abfde70ac0d34222c",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "da5f42a6e7485fbb7a6dbd6a2b3045e19e4df5cc",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "fe6a9f7516735be9fdabab00e47ef7a3403a174d",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "6a7ac3d20593865209dceb554d8b3f094c6bd940",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix kasan splat when generating ipv4 pmtu error\n\nIf we try to emit an icmp error in response to a nonliner skb, we get\n\nBUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220\nRead of size 4 at addr ffff88811c50db00 by task iperf3/1691\nCPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309\n[..]\n kasan_report+0x105/0x140\n ip_compute_csum+0x134/0x220\n iptunnel_pmtud_build_icmp+0x554/0x1020\n skb_tunnel_check_pmtu+0x513/0xb80\n vxlan_xmit_one+0x139e/0x2ef0\n vxlan_xmit+0x1867/0x2760\n dev_hard_start_xmit+0x1ee/0x4f0\n br_dev_queue_push_xmit+0x4d1/0x660\n [..]\n\nip_compute_csum() cannot deal with nonlinear skbs, so avoid it.\nAfter this change, splat is gone and iperf3 is no longer stuck."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:11.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5850c391fd7e25662334cb3cbf29a62bcbff1084"
},
{
"url": "https://git.kernel.org/stable/c/e95808121953410db8c59f0abfde70ac0d34222c"
},
{
"url": "https://git.kernel.org/stable/c/da5f42a6e7485fbb7a6dbd6a2b3045e19e4df5cc"
},
{
"url": "https://git.kernel.org/stable/c/fe6a9f7516735be9fdabab00e47ef7a3403a174d"
},
{
"url": "https://git.kernel.org/stable/c/6a7ac3d20593865209dceb554d8b3f094c6bd940"
}
],
"title": "tunnels: fix kasan splat when generating ipv4 pmtu error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53600",
"datePublished": "2025-10-04T15:44:11.775Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:11.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53333 (GCVE-0-2023-53333)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
Eric Dumazet says:
nf_conntrack_dccp_packet() has an unique:
dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
And nothing more is 'pulled' from the packet, depending on the content.
dh->dccph_doff, and/or dh->dccph_x ...)
So dccp_ack_seq() is happily reading stuff past the _dh buffer.
BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
[..]
Fix this by increasing the stack buffer to also include room for
the extra sequence numbers and all the known dccp packet type headers,
then pull again after the initial validation of the basic header.
While at it, mark packets invalid that lack 48bit sequence bit but
where RFC says the type MUST use them.
Compile tested only.
v2: first skb_header_pointer() now needs to adjust the size to
only pull the generic header. (Eric)
Heads-up: I intend to remove dccp conntrack support later this year.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e Version: 2bc780499aa33311ec0f3e42624dfaa7be0ade5e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_proto_dccp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "337fdce450637ea663bc816edc2ba81e5cdad02e",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "c052797ac36813419ad3bfa54cb8615db4b41f15",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "5c618daa5038712c4a4ef8923905a2ea1b8836a1",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "26bd1f210d3783a691052c51d76bb8a8bbd24c67",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "8c0980493beed3a80d6329c44ab293dc8c032927",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
},
{
"lessThan": "ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30",
"status": "affected",
"version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_proto_dccp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one\n\nEric Dumazet says:\n nf_conntrack_dccp_packet() has an unique:\n\n dh = skb_header_pointer(skb, dataoff, sizeof(_dh), \u0026_dh);\n\n And nothing more is \u0027pulled\u0027 from the packet, depending on the content.\n dh-\u003edccph_doff, and/or dh-\u003edccph_x ...)\n So dccp_ack_seq() is happily reading stuff past the _dh buffer.\n\nBUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0\nRead of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371\n[..]\n\nFix this by increasing the stack buffer to also include room for\nthe extra sequence numbers and all the known dccp packet type headers,\nthen pull again after the initial validation of the basic header.\n\nWhile at it, mark packets invalid that lack 48bit sequence bit but\nwhere RFC says the type MUST use them.\n\nCompile tested only.\n\nv2: first skb_header_pointer() now needs to adjust the size to\n only pull the generic header. (Eric)\n\nHeads-up: I intend to remove dccp conntrack support later this year."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:12:08.427Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e"
},
{
"url": "https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8"
},
{
"url": "https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15"
},
{
"url": "https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1"
},
{
"url": "https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67"
},
{
"url": "https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927"
},
{
"url": "https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30"
}
],
"title": "netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53333",
"datePublished": "2025-09-16T16:12:08.427Z",
"dateReserved": "2025-09-16T16:08:59.564Z",
"dateUpdated": "2025-09-16T16:12:08.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38683 (GCVE-0-2025-38683)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix panic during namespace deletion with VF
The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
received on netvsc NIC. During deletion of the namespace,
default_device_exit_batch() >> default_device_exit_net() is called. When
netvsc NIC is moved back and registered to the default namespace, it
automatically brings VF NIC back to the default namespace. This will cause
the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
the list end, and hit NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
[ 231.458434] Call Trace:
[ 231.458600] <TASK>
[ 231.458777] ops_undo_list+0x100/0x220
[ 231.459015] cleanup_net+0x1b8/0x300
[ 231.459285] process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
changing the netdev list when default_device_exit_net() is using it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3eb6aa870057da9f1304db660f68b9c2eb7e856d Version: b7a396f76ada277d049558db648389456458af65 Version: 4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca Version: 62c85b9a0dd7471a362170323e1211ad98ff7b4b Version: 4c262801ea60c518b5bebc22a09f5b78b3147da2 Version: 4c262801ea60c518b5bebc22a09f5b78b3147da2 Version: 4c262801ea60c518b5bebc22a09f5b78b3147da2 Version: 4c262801ea60c518b5bebc22a09f5b78b3147da2 Version: 7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01 Version: 31a38a908c98aebc7a1104dab5f1ba199f234b7b Version: 04d748d4bd2d86739b159563f257e3dc5492c88d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:09.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/hyperv_net.h",
"drivers/net/hyperv/netvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ca41ab55d23a0aa71661a5a56a8f06c11db90dc",
"status": "affected",
"version": "3eb6aa870057da9f1304db660f68b9c2eb7e856d",
"versionType": "git"
},
{
"lessThan": "3467c4ebb334658c6fcf3eabb64a6e8b2135e010",
"status": "affected",
"version": "b7a396f76ada277d049558db648389456458af65",
"versionType": "git"
},
{
"lessThan": "4eff1e57a8ef98d70451b94e8437e458b27dd234",
"status": "affected",
"version": "4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca",
"versionType": "git"
},
{
"lessThan": "2a70cbd1aef8b8be39992ab7b776ce1390091774",
"status": "affected",
"version": "62c85b9a0dd7471a362170323e1211ad98ff7b4b",
"versionType": "git"
},
{
"lessThan": "d036104947176d030bec64792d54e1b4f4c7f318",
"status": "affected",
"version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
"versionType": "git"
},
{
"lessThan": "5276896e6923ebe8c68573779d784aaf7d987cce",
"status": "affected",
"version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
"versionType": "git"
},
{
"lessThan": "4293f6c5ccf735b26afeb6825def14d830e0367b",
"status": "affected",
"version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
"versionType": "git"
},
{
"lessThan": "33caa208dba6fa639e8a92fd0c8320b652e5550c",
"status": "affected",
"version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
"versionType": "git"
},
{
"status": "affected",
"version": "7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01",
"versionType": "git"
},
{
"status": "affected",
"version": "31a38a908c98aebc7a1104dab5f1ba199f234b7b",
"versionType": "git"
},
{
"status": "affected",
"version": "04d748d4bd2d86739b159563f257e3dc5492c88d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/hyperv_net.h",
"drivers/net/hyperv/netvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.10.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.15.170",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.6.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix panic during namespace deletion with VF\n\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\nreceived on netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() \u003e\u003e default_device_exit_net() is called. When\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings VF NIC back to the default namespace. This will cause\nthe default_device_exit_net() \u003e\u003e for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n\n[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[ 231.450246] #PF: supervisor read access in kernel mode\n[ 231.450579] #PF: error_code(0x0000) - not-present page\n[ 231.450916] PGD 17b8a8067 P4D 0\n[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[ 231.452692] Workqueue: netns cleanup_net\n[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 \u003c48\u003e 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\n[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[ 231.458434] Call Trace:\n[ 231.458600] \u003cTASK\u003e\n[ 231.458777] ops_undo_list+0x100/0x220\n[ 231.459015] cleanup_net+0x1b8/0x300\n[ 231.459285] process_one_work+0x184/0x340\n\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:54.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ca41ab55d23a0aa71661a5a56a8f06c11db90dc"
},
{
"url": "https://git.kernel.org/stable/c/3467c4ebb334658c6fcf3eabb64a6e8b2135e010"
},
{
"url": "https://git.kernel.org/stable/c/4eff1e57a8ef98d70451b94e8437e458b27dd234"
},
{
"url": "https://git.kernel.org/stable/c/2a70cbd1aef8b8be39992ab7b776ce1390091774"
},
{
"url": "https://git.kernel.org/stable/c/d036104947176d030bec64792d54e1b4f4c7f318"
},
{
"url": "https://git.kernel.org/stable/c/5276896e6923ebe8c68573779d784aaf7d987cce"
},
{
"url": "https://git.kernel.org/stable/c/4293f6c5ccf735b26afeb6825def14d830e0367b"
},
{
"url": "https://git.kernel.org/stable/c/33caa208dba6fa639e8a92fd0c8320b652e5550c"
}
],
"title": "hv_netvsc: Fix panic during namespace deletion with VF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38683",
"datePublished": "2025-09-04T15:32:38.215Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:09.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50471 (GCVE-0-2022-50471)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/gntdev: Accommodate VMA splitting
Prior to this commit, the gntdev driver code did not handle the
following scenario correctly with paravirtualized (PV) Xen domains:
* User process sets up a gntdev mapping composed of two grant mappings
(i.e., two pages shared by another Xen domain).
* User process munmap()s one of the pages.
* User process munmap()s the remaining page.
* User process exits.
In the scenario above, the user process would cause the kernel to log
the following messages in dmesg for the first munmap(), and the second
munmap() call would result in similar log messages:
BUG: Bad page map in process doublemap.test pte:... pmd:...
page:0000000057c97bff refcount:1 mapcount:-1 \
mapping:0000000000000000 index:0x0 pfn:...
...
page dumped because: bad pte
...
file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0
...
Call Trace:
<TASK>
dump_stack_lvl+0x46/0x5e
print_bad_pte.cold+0x66/0xb6
unmap_page_range+0x7e5/0xdc0
unmap_vmas+0x78/0xf0
unmap_region+0xa8/0x110
__do_munmap+0x1ea/0x4e0
__vm_munmap+0x75/0x120
__x64_sys_munmap+0x28/0x40
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x61/0xcb
...
For each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)
would print out the following and trigger a general protection fault in
the affected Xen PV domain:
(XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...
(XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...
As of this writing, gntdev_grant_map structure's vma field (referred to
as map->vma below) is mainly used for checking the start and end
addresses of mappings. However, with split VMAs, these may change, and
there could be more than one VMA associated with a gntdev mapping.
Hence, remove the use of map->vma and rely on map->pages_vm_start for
the original start address and on (map->count << PAGE_SHIFT) for the
original mapping size. Let the invalidate() and find_special_page()
hooks use these.
Also, given that there can be multiple VMAs associated with a gntdev
mapping, move the "mmu_interval_notifier_remove(&map->notifier)" call to
the end of gntdev_put_map, so that the MMU notifier is only removed
after the closing of the last remaining VMA.
Finally, use an atomic to prevent inadvertent gntdev mapping re-use,
instead of using the map->live_grants atomic counter and/or the map->vma
pointer (the latter of which is now removed). This prevents the
userspace from mmap()'ing (with MAP_FIXED) a gntdev mapping over the
same address range as a previously set up gntdev mapping. This scenario
can be summarized with the following call-trace, which was valid prior
to this commit:
mmap
gntdev_mmap
mmap (repeat mmap with MAP_FIXED over the same address range)
gntdev_invalidate
unmap_grant_pages (sets 'being_removed' entries to true)
gnttab_unmap_refs_async
unmap_single_vma
gntdev_mmap (maps the shared pages again)
munmap
gntdev_invalidate
unmap_grant_pages
(no-op because 'being_removed' entries are true)
unmap_single_vma (For PV domains, Xen reports that a granted page
is being unmapped and triggers a general protection fault in the
affected domain, if Xen was built with CONFIG_DEBUG)
The fix for this last scenario could be worth its own commit, but we
opted for a single commit, because removing the gntdev_grant_map
structure's vma field requires guarding the entry to gntdev_mmap(), and
the live_grants atomic counter is not sufficient on its own to prevent
the mmap() over a pre-existing mapping.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/gntdev-common.h",
"drivers/xen/gntdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c6a888e352283a14f37b9b433cd598a1a3a7dd0",
"status": "affected",
"version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
"versionType": "git"
},
{
"lessThan": "7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141",
"status": "affected",
"version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
"versionType": "git"
},
{
"lessThan": "4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a",
"status": "affected",
"version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
"versionType": "git"
},
{
"lessThan": "cdafa219ace013c594e2491158ad1b51f9923dde",
"status": "affected",
"version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
"versionType": "git"
},
{
"lessThan": "5c13a4a0291b30191eff9ead8d010e1ca43a4d0c",
"status": "affected",
"version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/gntdev-common.h",
"drivers/xen/gntdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/gntdev: Accommodate VMA splitting\n\nPrior to this commit, the gntdev driver code did not handle the\nfollowing scenario correctly with paravirtualized (PV) Xen domains:\n\n* User process sets up a gntdev mapping composed of two grant mappings\n (i.e., two pages shared by another Xen domain).\n* User process munmap()s one of the pages.\n* User process munmap()s the remaining page.\n* User process exits.\n\nIn the scenario above, the user process would cause the kernel to log\nthe following messages in dmesg for the first munmap(), and the second\nmunmap() call would result in similar log messages:\n\n BUG: Bad page map in process doublemap.test pte:... pmd:...\n page:0000000057c97bff refcount:1 mapcount:-1 \\\n mapping:0000000000000000 index:0x0 pfn:...\n ...\n page dumped because: bad pte\n ...\n file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0\n ...\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x46/0x5e\n print_bad_pte.cold+0x66/0xb6\n unmap_page_range+0x7e5/0xdc0\n unmap_vmas+0x78/0xf0\n unmap_region+0xa8/0x110\n __do_munmap+0x1ea/0x4e0\n __vm_munmap+0x75/0x120\n __x64_sys_munmap+0x28/0x40\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\n ...\n\nFor each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)\nwould print out the following and trigger a general protection fault in\nthe affected Xen PV domain:\n\n (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\n (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\n\nAs of this writing, gntdev_grant_map structure\u0027s vma field (referred to\nas map-\u003evma below) is mainly used for checking the start and end\naddresses of mappings. However, with split VMAs, these may change, and\nthere could be more than one VMA associated with a gntdev mapping.\nHence, remove the use of map-\u003evma and rely on map-\u003epages_vm_start for\nthe original start address and on (map-\u003ecount \u003c\u003c PAGE_SHIFT) for the\noriginal mapping size. Let the invalidate() and find_special_page()\nhooks use these.\n\nAlso, given that there can be multiple VMAs associated with a gntdev\nmapping, move the \"mmu_interval_notifier_remove(\u0026map-\u003enotifier)\" call to\nthe end of gntdev_put_map, so that the MMU notifier is only removed\nafter the closing of the last remaining VMA.\n\nFinally, use an atomic to prevent inadvertent gntdev mapping re-use,\ninstead of using the map-\u003elive_grants atomic counter and/or the map-\u003evma\npointer (the latter of which is now removed). This prevents the\nuserspace from mmap()\u0027ing (with MAP_FIXED) a gntdev mapping over the\nsame address range as a previously set up gntdev mapping. This scenario\ncan be summarized with the following call-trace, which was valid prior\nto this commit:\n\n mmap\n gntdev_mmap\n mmap (repeat mmap with MAP_FIXED over the same address range)\n gntdev_invalidate\n unmap_grant_pages (sets \u0027being_removed\u0027 entries to true)\n gnttab_unmap_refs_async\n unmap_single_vma\n gntdev_mmap (maps the shared pages again)\n munmap\n gntdev_invalidate\n unmap_grant_pages\n (no-op because \u0027being_removed\u0027 entries are true)\n unmap_single_vma (For PV domains, Xen reports that a granted page\n is being unmapped and triggers a general protection fault in the\n affected domain, if Xen was built with CONFIG_DEBUG)\n\nThe fix for this last scenario could be worth its own commit, but we\nopted for a single commit, because removing the gntdev_grant_map\nstructure\u0027s vma field requires guarding the entry to gntdev_mmap(), and\nthe live_grants atomic counter is not sufficient on its own to prevent\nthe mmap() over a pre-existing mapping."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:33.489Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c6a888e352283a14f37b9b433cd598a1a3a7dd0"
},
{
"url": "https://git.kernel.org/stable/c/7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141"
},
{
"url": "https://git.kernel.org/stable/c/4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a"
},
{
"url": "https://git.kernel.org/stable/c/cdafa219ace013c594e2491158ad1b51f9923dde"
},
{
"url": "https://git.kernel.org/stable/c/5c13a4a0291b30191eff9ead8d010e1ca43a4d0c"
}
],
"title": "xen/gntdev: Accommodate VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50471",
"datePublished": "2025-10-04T15:16:33.489Z",
"dateReserved": "2025-10-04T15:13:33.466Z",
"dateUpdated": "2025-10-04T15:16:33.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50520 (GCVE-0-2022-50520)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.
If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: c61e2775873f603148e8e998a938721b7d222d24 Version: 61ebf0a926149cc161131470cf848cb70b3d6fe6 Version: 0a1d9a860832a5ca43114cdebf0e8650463cc1f0 Version: 5f54f145719f453dccc73304cd427096bf7b806c Version: 063ab9cb6308a0806d623c8d6dda5cb2b3b87fce |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f28c7f67af4ef9bca580ab67ae2d4511797af56",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "e738f82e5b1311e8fb3d1409491a6fcce6418fbe",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "1079df6acf56f99d86b0081a38c84701412cc90e",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "470a77989037c3ab2b08bf2d026d2c0ddc35ff5b",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "3991d98a8a07b71c02f3a39f77d6d9a7f575a5c4",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "88c6e0995c04b170563b5c894c50a3b2152e18c2",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "b9decada8749b606fd8b4f04a3d6c74f7983d7bc",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "a6cffe54064a5f6c2162a85af3c16c6b453eac4e",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"lessThan": "725a521a18734f65de05b8d353b5bd0d3ca4c37a",
"status": "affected",
"version": "c61e2775873f603148e8e998a938721b7d222d24",
"versionType": "git"
},
{
"status": "affected",
"version": "61ebf0a926149cc161131470cf848cb70b3d6fe6",
"versionType": "git"
},
{
"status": "affected",
"version": "0a1d9a860832a5ca43114cdebf0e8650463cc1f0",
"versionType": "git"
},
{
"status": "affected",
"version": "5f54f145719f453dccc73304cd427096bf7b806c",
"versionType": "git"
},
{
"status": "affected",
"version": "063ab9cb6308a0806d623c8d6dda5cb2b3b87fce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.60",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()\n\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\n\nIf we break the loop in radeon_atrm_get_bios() with \u0027pdev\u0027 not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:14.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f28c7f67af4ef9bca580ab67ae2d4511797af56"
},
{
"url": "https://git.kernel.org/stable/c/e738f82e5b1311e8fb3d1409491a6fcce6418fbe"
},
{
"url": "https://git.kernel.org/stable/c/1079df6acf56f99d86b0081a38c84701412cc90e"
},
{
"url": "https://git.kernel.org/stable/c/470a77989037c3ab2b08bf2d026d2c0ddc35ff5b"
},
{
"url": "https://git.kernel.org/stable/c/3991d98a8a07b71c02f3a39f77d6d9a7f575a5c4"
},
{
"url": "https://git.kernel.org/stable/c/88c6e0995c04b170563b5c894c50a3b2152e18c2"
},
{
"url": "https://git.kernel.org/stable/c/b9decada8749b606fd8b4f04a3d6c74f7983d7bc"
},
{
"url": "https://git.kernel.org/stable/c/a6cffe54064a5f6c2162a85af3c16c6b453eac4e"
},
{
"url": "https://git.kernel.org/stable/c/725a521a18734f65de05b8d353b5bd0d3ca4c37a"
}
],
"title": "drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50520",
"datePublished": "2025-10-07T15:19:14.528Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:14.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50575 (GCVE-0-2022-50575)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
As 'kdata.num' is user-controlled data, if user tries to allocate
memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
creates a stack trace and messes up dmesg with a warning.
Call trace:
-> privcmd_ioctl
--> privcmd_ioctl_mmap_resource
Add __GFP_NOWARN in order to avoid too large allocation warning.
This is detected by static analysis using smatch.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff Version: 3ad0876554cafa368f574d4d408468510543e9ff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d68ae32d132ea2af73bc223fd64c46f85302a8b",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "4f983ee5e5de924d93a7bbb4e6f68f38c6256cd5",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "46026bb057c35f5bb111bf95e00cd8366d2e34d4",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "0bf874183b32eae2cc20e3c5be38ec3d33e7e564",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "e0c5f1058ed96f2b7487560c4c4cbd768d13d065",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "4da411086f5ab32f811a89ef804980ec106ebb65",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
},
{
"lessThan": "8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79",
"status": "affected",
"version": "3ad0876554cafa368f574d4d408468510543e9ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()\n\nAs \u0027kdata.num\u0027 is user-controlled data, if user tries to allocate\nmemory larger than(\u003e=) MAX_ORDER, then kcalloc() will fail, it\ncreates a stack trace and messes up dmesg with a warning.\n\nCall trace:\n-\u003e privcmd_ioctl\n--\u003e privcmd_ioctl_mmap_resource\n\nAdd __GFP_NOWARN in order to avoid too large allocation warning.\nThis is detected by static analysis using smatch."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:29.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d68ae32d132ea2af73bc223fd64c46f85302a8b"
},
{
"url": "https://git.kernel.org/stable/c/4f983ee5e5de924d93a7bbb4e6f68f38c6256cd5"
},
{
"url": "https://git.kernel.org/stable/c/46026bb057c35f5bb111bf95e00cd8366d2e34d4"
},
{
"url": "https://git.kernel.org/stable/c/0bf874183b32eae2cc20e3c5be38ec3d33e7e564"
},
{
"url": "https://git.kernel.org/stable/c/e0c5f1058ed96f2b7487560c4c4cbd768d13d065"
},
{
"url": "https://git.kernel.org/stable/c/4da411086f5ab32f811a89ef804980ec106ebb65"
},
{
"url": "https://git.kernel.org/stable/c/8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79"
}
],
"title": "xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50575",
"datePublished": "2025-10-22T13:23:29.595Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2025-10-22T13:23:29.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39870 (GCVE-0-2025-39870)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix double free in idxd_setup_wqs()
The clean up in idxd_setup_wqs() has had a couple bugs because the error
handling is a bit subtle. It's simpler to just re-write it in a cleaner
way. The issues here are:
1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when
"conf_dev" hasn't been initialized.
2) If kzalloc_node() fails then again "conf_dev" is invalid. It's
either uninitialized or it points to the "conf_dev" from the
previous iteration so it leads to a double free.
It's better to free partial loop iterations within the loop and then
the unwinding at the end can handle whole loop iterations. I also
renamed the labels to describe what the goto does and not where the goto
was located.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d584acdf54f409cb7eae1359ae6c12aaabedeed8 Version: 47846211998a9ffb0fcc08092eb95ac783d2b11a Version: 5fcd392dae6d6aba7dc64ffdbb838ff191315da3 Version: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 Version: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 Version: ed2c66000aa64c0d2621864831f0d04c820a1441 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:19.166Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25e6146c2812487a88f619d5ff6efbdcd5b2bc31",
"status": "affected",
"version": "d584acdf54f409cb7eae1359ae6c12aaabedeed8",
"versionType": "git"
},
{
"lessThan": "df82c7901513fd0fc738052a8e6a330d92cc8ec9",
"status": "affected",
"version": "47846211998a9ffb0fcc08092eb95ac783d2b11a",
"versionType": "git"
},
{
"lessThan": "ec5430d090d0b6ace8fefa290fc37e88930017d2",
"status": "affected",
"version": "5fcd392dae6d6aba7dc64ffdbb838ff191315da3",
"versionType": "git"
},
{
"lessThan": "9f0e225635475b2285b966271d5e82cba74295b1",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"lessThan": "39aaa337449e71a41d4813be0226a722827ba606",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"status": "affected",
"version": "ed2c66000aa64c0d2621864831f0d04c820a1441",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle. It\u0027s simpler to just re-write it in a cleaner\nway. The issues here are:\n\n1) If \"idxd-\u003emax_wqs\" is \u003c= 0 then we call put_device(conf_dev) when\n \"conf_dev\" hasn\u0027t been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid. It\u0027s\n either uninitialized or it points to the \"conf_dev\" from the\n previous iteration so it leads to a double free.\n\nIt\u0027s better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations. I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:26.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31"
},
{
"url": "https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9"
},
{
"url": "https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2"
},
{
"url": "https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1"
},
{
"url": "https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606"
}
],
"title": "dmaengine: idxd: Fix double free in idxd_setup_wqs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39870",
"datePublished": "2025-09-23T06:00:44.369Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:19.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53207 (GCVE-0-2023-53207)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fail to recover device if queue setup is interrupted
In ublk_ctrl_end_recovery(), if wait_for_completion_interruptible() is
interrupted by signal, queues aren't setup successfully yet, so we
have to fail UBLK_CMD_END_USER_RECOVERY, otherwise kernel oops can be
triggered.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84415f934ad4e96f3507fd09b831953d60fb04ec",
"status": "affected",
"version": "c732a852b419fa057b53657e2daaf9433940391c",
"versionType": "git"
},
{
"lessThan": "b3a1e243a74632f88b22e713f1c7256754017d58",
"status": "affected",
"version": "c732a852b419fa057b53657e2daaf9433940391c",
"versionType": "git"
},
{
"lessThan": "0c0cbd4ebc375ceebc75c89df04b74f215fab23a",
"status": "affected",
"version": "c732a852b419fa057b53657e2daaf9433940391c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fail to recover device if queue setup is interrupted\n\nIn ublk_ctrl_end_recovery(), if wait_for_completion_interruptible() is\ninterrupted by signal, queues aren\u0027t setup successfully yet, so we\nhave to fail UBLK_CMD_END_USER_RECOVERY, otherwise kernel oops can be\ntriggered."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:35.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84415f934ad4e96f3507fd09b831953d60fb04ec"
},
{
"url": "https://git.kernel.org/stable/c/b3a1e243a74632f88b22e713f1c7256754017d58"
},
{
"url": "https://git.kernel.org/stable/c/0c0cbd4ebc375ceebc75c89df04b74f215fab23a"
}
],
"title": "ublk: fail to recover device if queue setup is interrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53207",
"datePublished": "2025-09-15T14:21:35.378Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:35.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50525 (GCVE-0-2022-50525)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 Version: 695093e38c3ef63fcb43a2840ed865efa20671d5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/fsl_pamu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c93983230562883e0b5f122040efbb3d478c36d4",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "a305d0e4d0ce3166e31d7dbcb4c98b09cad6d49a",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "9fbccdf2fefa3944dd8ba8c6a808b387787f3917",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "17fd440594961c5e2ea0f58591bc1bdba0629c75",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "0d240ac0e4c35d3f64fc782c11433138c1bd016e",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "e42b543d08052c3b223bcfb48f05cbaf0b767f86",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "9238b687fd62cde14c6e2e8576a40e4246de7ebe",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "de7eb55009796687fc0a1670e0b944fa8ed54e9b",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
},
{
"lessThan": "73f5fc5f884ad0c5f7d57f66303af64f9f002526",
"status": "affected",
"version": "695093e38c3ef63fcb43a2840ed865efa20671d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/fsl_pamu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()\n\nThe fsl_pamu_probe() returns directly when create_csd() failed, leaving\nirq and memories unreleased.\nFix by jumping to error if create_csd() returns error."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:17.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c93983230562883e0b5f122040efbb3d478c36d4"
},
{
"url": "https://git.kernel.org/stable/c/a305d0e4d0ce3166e31d7dbcb4c98b09cad6d49a"
},
{
"url": "https://git.kernel.org/stable/c/9fbccdf2fefa3944dd8ba8c6a808b387787f3917"
},
{
"url": "https://git.kernel.org/stable/c/17fd440594961c5e2ea0f58591bc1bdba0629c75"
},
{
"url": "https://git.kernel.org/stable/c/0d240ac0e4c35d3f64fc782c11433138c1bd016e"
},
{
"url": "https://git.kernel.org/stable/c/e42b543d08052c3b223bcfb48f05cbaf0b767f86"
},
{
"url": "https://git.kernel.org/stable/c/9238b687fd62cde14c6e2e8576a40e4246de7ebe"
},
{
"url": "https://git.kernel.org/stable/c/de7eb55009796687fc0a1670e0b944fa8ed54e9b"
},
{
"url": "https://git.kernel.org/stable/c/73f5fc5f884ad0c5f7d57f66303af64f9f002526"
}
],
"title": "iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50525",
"datePublished": "2025-10-07T15:19:17.929Z",
"dateReserved": "2025-10-07T15:15:38.663Z",
"dateUpdated": "2025-10-07T15:19:17.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39923 (GCVE-0-2025-39923)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
When we don't have a clock specified in the device tree, we have no way to
ensure the BAM is on. This is often the case for remotely-controlled or
remotely-powered BAM instances. In this case, we need to read num-channels
from the DT to have all the necessary information to complete probing.
However, at the moment invalid device trees without clock and without
num-channels still continue probing, because the error handling is missing
return statements. The driver will then later try to read the number of
channels from the registers. This is unsafe, because it relies on boot
firmware and lucky timing to succeed. Unfortunately, the lack of proper
error handling here has been abused for several Qualcomm SoCs upstream,
causing early boot crashes in several situations [1, 2].
Avoid these early crashes by erroring out when any of the required DT
properties are missing. Note that this will break some of the existing DTs
upstream (mainly BAM instances related to the crypto engine). However,
clearly these DTs have never been tested properly, since the error in the
kernel log was just ignored. It's safer to disable the crypto engine for
these broken DTBs.
[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: cecf8a69042b3a54cb843223756c10ee8a8665e3 Version: 909474cd384cb206f33461fbd18089cf170533f8 Version: 5e0986f7caf17d7b1acd2092975360bf8e88a57d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:41.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e257a6125c63350f00dc42b9674f20fd3cf4a9f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "555bd16351a35c79efb029a196975a5a27f7fbc4",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "ebf6c7c908e5999531c3517289598f187776124f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1fc14731f0be4885e60702b9596d14d9a79cf053",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "0ff9df758af7022d749718fb6b8385cc5693acf3",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "5068b5254812433e841a40886e695633148d362d",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"status": "affected",
"version": "cecf8a69042b3a54cb843223756c10ee8a8665e3",
"versionType": "git"
},
{
"status": "affected",
"version": "909474cd384cb206f33461fbd18089cf170533f8",
"versionType": "git"
},
{
"status": "affected",
"version": "5e0986f7caf17d7b1acd2092975360bf8e88a57d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don\u0027t have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It\u0027s safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:52.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f"
},
{
"url": "https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2"
},
{
"url": "https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c"
},
{
"url": "https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4"
},
{
"url": "https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f"
},
{
"url": "https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053"
},
{
"url": "https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3"
},
{
"url": "https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d"
}
],
"title": "dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39923",
"datePublished": "2025-10-01T08:07:11.469Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:41.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38008 (GCVE-0-2025-38008)
Vulnerability from cvelistv5
Published
2025-06-18 09:28
Modified
2025-06-18 09:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: fix race condition in unaccepted memory handling
The page allocator tracks the number of zones that have unaccepted memory
using static_branch_enc/dec() and uses that static branch in hot paths to
determine if it needs to deal with unaccepted memory.
Borislav and Thomas pointed out that the tracking is racy: operations on
static_branch are not serialized against adding/removing unaccepted pages
to/from the zone.
Sanity checks inside static_branch machinery detects it:
WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0
The comment around the WARN() explains the problem:
/*
* Warn about the '-1' case though; since that means a
* decrement is concurrent with a first (0->1) increment. IOW
* people are trying to disable something that wasn't yet fully
* enabled. This suggests an ordering problem on the user side.
*/
The effect of this static_branch optimization is only visible on
microbenchmark.
Instead of adding more complexity around it, remove it altogether.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/internal.h",
"mm/mm_init.c",
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98fdd2f612e949c652693f6df00442c81037776d",
"status": "affected",
"version": "dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6",
"versionType": "git"
},
{
"lessThan": "74953f93f47a45296cc2a3fd04e2a3202ff3fa53",
"status": "affected",
"version": "dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6",
"versionType": "git"
},
{
"lessThan": "71dda1cb10702dc2859f00eb789b0502de2176a9",
"status": "affected",
"version": "dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6",
"versionType": "git"
},
{
"lessThan": "fefc075182275057ce607effaa3daa9e6e3bdc73",
"status": "affected",
"version": "dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/internal.h",
"mm/mm_init.c",
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: fix race condition in unaccepted memory handling\n\nThe page allocator tracks the number of zones that have unaccepted memory\nusing static_branch_enc/dec() and uses that static branch in hot paths to\ndetermine if it needs to deal with unaccepted memory.\n\nBorislav and Thomas pointed out that the tracking is racy: operations on\nstatic_branch are not serialized against adding/removing unaccepted pages\nto/from the zone.\n\nSanity checks inside static_branch machinery detects it:\n\nWARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0\n\nThe comment around the WARN() explains the problem:\n\n\t/*\n\t * Warn about the \u0027-1\u0027 case though; since that means a\n\t * decrement is concurrent with a first (0-\u003e1) increment. IOW\n\t * people are trying to disable something that wasn\u0027t yet fully\n\t * enabled. This suggests an ordering problem on the user side.\n\t */\n\nThe effect of this static_branch optimization is only visible on\nmicrobenchmark.\n\nInstead of adding more complexity around it, remove it altogether."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:28:19.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98fdd2f612e949c652693f6df00442c81037776d"
},
{
"url": "https://git.kernel.org/stable/c/74953f93f47a45296cc2a3fd04e2a3202ff3fa53"
},
{
"url": "https://git.kernel.org/stable/c/71dda1cb10702dc2859f00eb789b0502de2176a9"
},
{
"url": "https://git.kernel.org/stable/c/fefc075182275057ce607effaa3daa9e6e3bdc73"
}
],
"title": "mm/page_alloc: fix race condition in unaccepted memory handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38008",
"datePublished": "2025-06-18T09:28:19.358Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2025-06-18T09:28:19.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50279 (GCVE-0-2024-50279)
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2025-11-03 22:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix out-of-bounds access to the dirty bitset when resizing
dm-cache checks the dirty bits of the cache blocks to be dropped when
shrinking the fast device, but an index bug in bitset iteration causes
out-of-bounds access.
Reproduce steps:
1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
access to the dirty bitset (offset 0x80)
dmsetup suspend cache
dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache
KASAN reports:
BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
(...snip...)
The buggy address belongs to the virtual mapping at
[ffffc900000f3000, ffffc900000f5000) created by:
cache_ctr+0x176a/0x35f0
(...snip...)
Memory state around the buggy address:
ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fix by making the index post-incremented.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:14:43.545051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:22.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:27:58.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fa4feb873cea0e9d6ff883b37cca6f33169d8b4",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "8501e38dc9e0060814c4085815fc83da3e6d43bf",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "ee1f74925717ab36f6a091104c170639501ce818",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "56507203e1b6127967ec2b51fb0b23a0d4af1334",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "e57648ce325fa405fe6bbd0e6a618ced7c301a2d",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "3b02c40ff10fdf83cc545850db208de855ebe22c",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
},
{
"lessThan": "792227719725497ce10a8039803bec13f89f8910",
"status": "affected",
"version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix out-of-bounds access to the dirty bitset when resizing\n\ndm-cache checks the dirty bits of the cache blocks to be dropped when\nshrinking the fast device, but an index bug in bitset iteration causes\nout-of-bounds access.\n\nReproduce steps:\n\n1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. shrink the fast device to 512 cache blocks, triggering out-of-bounds\n access to the dirty bitset (offset 0x80)\n\ndmsetup suspend cache\ndmsetup reload cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\nKASAN reports:\n\n BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0\n Read of size 8 at addr ffffc900000f3080 by task dmsetup/131\n\n (...snip...)\n The buggy address belongs to the virtual mapping at\n [ffffc900000f3000, ffffc900000f5000) created by:\n cache_ctr+0x176a/0x35f0\n\n (...snip...)\n Memory state around the buggy address:\n ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by making the index post-incremented."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:50:36.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fa4feb873cea0e9d6ff883b37cca6f33169d8b4"
},
{
"url": "https://git.kernel.org/stable/c/8501e38dc9e0060814c4085815fc83da3e6d43bf"
},
{
"url": "https://git.kernel.org/stable/c/ee1f74925717ab36f6a091104c170639501ce818"
},
{
"url": "https://git.kernel.org/stable/c/ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f"
},
{
"url": "https://git.kernel.org/stable/c/56507203e1b6127967ec2b51fb0b23a0d4af1334"
},
{
"url": "https://git.kernel.org/stable/c/e57648ce325fa405fe6bbd0e6a618ced7c301a2d"
},
{
"url": "https://git.kernel.org/stable/c/3b02c40ff10fdf83cc545850db208de855ebe22c"
},
{
"url": "https://git.kernel.org/stable/c/792227719725497ce10a8039803bec13f89f8910"
}
],
"title": "dm cache: fix out-of-bounds access to the dirty bitset when resizing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50279",
"datePublished": "2024-11-19T01:30:20.712Z",
"dateReserved": "2024-10-21T19:36:19.983Z",
"dateUpdated": "2025-11-03T22:27:58.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53322 (GCVE-0-2023-53322)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Wait for io return on terminate rport
System crash due to use after free.
Current code allows terminate_rport_io to exit before making
sure all IOs has returned. For FCP-2 device, IO's can hang
on in HW because driver has not tear down the session in FW at
first sign of cable pull. When dev_loss_tmo timer pops,
terminate_rport_io is called and upper layer is about to
free various resources. Terminate_rport_io trigger qla to do
the final cleanup, but the cleanup might not be fast enough where it
leave qla still holding on to the same resource.
Wait for IO's to return to upper layer before resources are freed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a55556cd7e0220486163b1285ce11a8be2ce5fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4647d2e88918a078359d1532d90c417a38542c9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d25fded78d88e1515439b3ba581684d683e0b6ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9fe97fb7b4ee21bffb76f2acb05769bad27ae70",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "079c8264ed9fea8cbcac01ad29040f901cbc3692",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90770dad1eb30967ebd8d37d82830bcf270b3293",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5bcdaafd92be6035ddc77fa76650cf9dd5b864c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fc0cba0c7be8261a1625098bd1d695077ec621c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Wait for io return on terminate rport\n\nSystem crash due to use after free.\nCurrent code allows terminate_rport_io to exit before making\nsure all IOs has returned. For FCP-2 device, IO\u0027s can hang\non in HW because driver has not tear down the session in FW at\nfirst sign of cable pull. When dev_loss_tmo timer pops,\nterminate_rport_io is called and upper layer is about to\nfree various resources. Terminate_rport_io trigger qla to do\nthe final cleanup, but the cleanup might not be fast enough where it\nleave qla still holding on to the same resource.\n\nWait for IO\u0027s to return to upper layer before resources are freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:58.062Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a55556cd7e0220486163b1285ce11a8be2ce5fa"
},
{
"url": "https://git.kernel.org/stable/c/4647d2e88918a078359d1532d90c417a38542c9e"
},
{
"url": "https://git.kernel.org/stable/c/d25fded78d88e1515439b3ba581684d683e0b6ab"
},
{
"url": "https://git.kernel.org/stable/c/a9fe97fb7b4ee21bffb76f2acb05769bad27ae70"
},
{
"url": "https://git.kernel.org/stable/c/079c8264ed9fea8cbcac01ad29040f901cbc3692"
},
{
"url": "https://git.kernel.org/stable/c/90770dad1eb30967ebd8d37d82830bcf270b3293"
},
{
"url": "https://git.kernel.org/stable/c/5bcdaafd92be6035ddc77fa76650cf9dd5b864c4"
},
{
"url": "https://git.kernel.org/stable/c/fc0cba0c7be8261a1625098bd1d695077ec621c9"
}
],
"title": "scsi: qla2xxx: Wait for io return on terminate rport",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53322",
"datePublished": "2025-09-16T16:11:58.062Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2025-09-16T16:11:58.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39934 (GCVE-0-2025-39934)
Vulnerability from cvelistv5
Published
2025-10-04 07:30
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
If the interrupt occurs before resource initialization is complete, the
interrupt handler/worker may access uninitialized data such as the I2C
tcpc_client device, potentially leading to NULL pointer dereference.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51a501e990a353a4f15da6bab295b28e5d118f64",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "f9a089d0a6d537d0f2061c8a37a7de535ce0310e",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "15a77e1ab0a994d69b471c76b8d01117128dda26",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "0da73f7827691a5e2265b110d5fe12f29535ec92",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "1a7ea294d57fb61485d11b3f2241d631d73025cb",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "a10f910c77f280327b481e77eab909934ec508f0",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: anx7625: Fix NULL pointer dereference with early IRQ\n\nIf the interrupt occurs before resource initialization is complete, the\ninterrupt handler/worker may access uninitialized data such as the I2C\ntcpc_client device, potentially leading to NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:00.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51a501e990a353a4f15da6bab295b28e5d118f64"
},
{
"url": "https://git.kernel.org/stable/c/f9a089d0a6d537d0f2061c8a37a7de535ce0310e"
},
{
"url": "https://git.kernel.org/stable/c/15a77e1ab0a994d69b471c76b8d01117128dda26"
},
{
"url": "https://git.kernel.org/stable/c/0da73f7827691a5e2265b110d5fe12f29535ec92"
},
{
"url": "https://git.kernel.org/stable/c/1a7ea294d57fb61485d11b3f2241d631d73025cb"
},
{
"url": "https://git.kernel.org/stable/c/a10f910c77f280327b481e77eab909934ec508f0"
}
],
"title": "drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39934",
"datePublished": "2025-10-04T07:30:58.284Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:00.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53209 (GCVE-0-2023-53209)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211_hwsim: Fix possible NULL dereference
In a call to mac80211_hwsim_select_tx_link() the sta pointer might
be NULL, thus need to check that it is not NULL before accessing it.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0124848c7940aba73492e282506b32a13f2e30e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8a20fed3e05b3a6866c5c58855deaf3c217ccd6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0cc80943ef518a1c51a1111e9346d1daf11dd545",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: Fix possible NULL dereference\n\nIn a call to mac80211_hwsim_select_tx_link() the sta pointer might\nbe NULL, thus need to check that it is not NULL before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:37.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0124848c7940aba73492e282506b32a13f2e30e"
},
{
"url": "https://git.kernel.org/stable/c/a8a20fed3e05b3a6866c5c58855deaf3c217ccd6"
},
{
"url": "https://git.kernel.org/stable/c/0cc80943ef518a1c51a1111e9346d1daf11dd545"
}
],
"title": "wifi: mac80211_hwsim: Fix possible NULL dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53209",
"datePublished": "2025-09-15T14:21:37.415Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:37.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53505 (GCVE-0-2023-53505)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra: tegra124-emc: Fix potential memory leak
The tegra and tegra needs to be freed in the error handling path, otherwise
it will be leaked.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 Version: 2db04f16b589c6c96bd07df3f1ef8558bfdb6810 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/tegra/clk-tegra124-emc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "801c8341f7aff07c494b53e627970b72635af5d3",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "404e9f741acfb188212f7142d91e247630dd77cc",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "fd1c117bb5d7e033bf1aa25ac97ff421f81a1199",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "96bafece6ff380138896f009141fd7337070e680",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "e969c144d908ea9387442659f103d374c8ff682d",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "4e59e355f9fcccd9edf65d09f769bb4c163a1c36",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
},
{
"lessThan": "53a06e5924c0d43c11379a08c5a78529c3e61595",
"status": "affected",
"version": "2db04f16b589c6c96bd07df3f1ef8558bfdb6810",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/tegra/clk-tegra124-emc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: tegra124-emc: Fix potential memory leak\n\nThe tegra and tegra needs to be freed in the error handling path, otherwise\nit will be leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:55.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/801c8341f7aff07c494b53e627970b72635af5d3"
},
{
"url": "https://git.kernel.org/stable/c/404e9f741acfb188212f7142d91e247630dd77cc"
},
{
"url": "https://git.kernel.org/stable/c/fd1c117bb5d7e033bf1aa25ac97ff421f81a1199"
},
{
"url": "https://git.kernel.org/stable/c/96bafece6ff380138896f009141fd7337070e680"
},
{
"url": "https://git.kernel.org/stable/c/e969c144d908ea9387442659f103d374c8ff682d"
},
{
"url": "https://git.kernel.org/stable/c/4e59e355f9fcccd9edf65d09f769bb4c163a1c36"
},
{
"url": "https://git.kernel.org/stable/c/53a06e5924c0d43c11379a08c5a78529c3e61595"
}
],
"title": "clk: tegra: tegra124-emc: Fix potential memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53505",
"datePublished": "2025-10-01T11:45:55.859Z",
"dateReserved": "2025-10-01T11:39:39.404Z",
"dateUpdated": "2025-10-01T11:45:55.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40000 (GCVE-0-2025-40000)
Vulnerability from cvelistv5
Published
2025-10-15 07:59
Modified
2025-10-15 07:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
access already freed skb_data:
BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
Use-after-free write at 0x0000000020309d9d (in kfence-#251):
rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache
allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
__alloc_skb net/core/skbuff.c:659
__netdev_alloc_skb net/core/skbuff.c:734
ieee80211_nullfunc_get net/mac80211/tx.c:5844
rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
ieee80211_tx_status_skb net/mac80211/status.c:1117
rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
__napi_poll net/core/dev.c:7495
net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
handle_softirqs kernel/softirq.c:580
do_softirq.part.0 kernel/softirq.c:480
__local_bh_enable_ip kernel/softirq.c:407
rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
irq_thread_fn kernel/irq/manage.c:1133
irq_thread kernel/irq/manage.c:1257
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
It is a consequence of a race between the waiting and the signaling side
of the completion:
Waiting thread Completing thread
rtw89_core_tx_kick_off_and_wait()
rcu_assign_pointer(skb_data->wait, wait)
/* start waiting */
wait_for_completion_timeout()
rtw89_pci_tx_status()
rtw89_core_tx_wait_complete()
rcu_read_lock()
/* signals completion and
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c",
"drivers/net/wireless/realtek/rtw89/core.h",
"drivers/net/wireless/realtek/rtw89/pci.c",
"drivers/net/wireless/realtek/rtw89/ser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "895cccf639ac015f3d5f993218cf098db82ac145",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "f21f530b03b4b23448edb531a0cfea434cb76bb4",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "bdb3c41b358cf87d99e39d393e164f9e4a6088e6",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
},
{
"lessThan": "3e31a6bc07312b448fad3b45de578471f86f0e77",
"status": "affected",
"version": "1ae5ca615285d5d4f72d1de464716d85dffef19f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c",
"drivers/net/wireless/realtek/rtw89/core.h",
"drivers/net/wireless/realtek/rtw89/pci.c",
"drivers/net/wireless/realtek/rtw89/ser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()\n\nThere is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to\naccess already freed skb_data:\n\n BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n\n CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025\n Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]\n\n Use-after-free write at 0x0000000020309d9d (in kfence-#251):\n rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache\n\n allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):\n __alloc_skb net/core/skbuff.c:659\n __netdev_alloc_skb net/core/skbuff.c:734\n ieee80211_nullfunc_get net/mac80211/tx.c:5844\n rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):\n ieee80211_tx_status_skb net/mac80211/status.c:1117\n rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564\n rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651\n rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676\n rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238\n __napi_poll net/core/dev.c:7495\n net_rx_action net/core/dev.c:7557 net/core/dev.c:7684\n handle_softirqs kernel/softirq.c:580\n do_softirq.part.0 kernel/softirq.c:480\n __local_bh_enable_ip kernel/softirq.c:407\n rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927\n irq_thread_fn kernel/irq/manage.c:1133\n irq_thread kernel/irq/manage.c:1257\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\nIt is a consequence of a race between the waiting and the signaling side\nof the completion:\n\n Waiting thread Completing thread\n\nrtw89_core_tx_kick_off_and_wait()\n rcu_assign_pointer(skb_data-\u003ewait, wait)\n /* start waiting */\n wait_for_completion_timeout()\n rtw89_pci_tx_status()\n rtw89_core_tx_wait_complete()\n rcu_read_lock()\n /* signals completion and\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:59:14.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/895cccf639ac015f3d5f993218cf098db82ac145"
},
{
"url": "https://git.kernel.org/stable/c/f21f530b03b4b23448edb531a0cfea434cb76bb4"
},
{
"url": "https://git.kernel.org/stable/c/bdb3c41b358cf87d99e39d393e164f9e4a6088e6"
},
{
"url": "https://git.kernel.org/stable/c/3e31a6bc07312b448fad3b45de578471f86f0e77"
}
],
"title": "wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40000",
"datePublished": "2025-10-15T07:59:14.606Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-15T07:59:14.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39710 (GCVE-0-2025-39710)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: venus: Add a check for packet size after reading from shared memory
Add a check to ensure that the packet size does not exceed the number of
available words after reading the packet header from shared memory. This
ensures that the size provided by the firmware is safe to process and
prevent potential out-of-bounds memory access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb Version: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:37.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/hfi_venus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0520c89f6280d2b60ab537d5743601185ee7d8ab",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "f5b7a943055a4a106d40a03bacd940e28cc1955f",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "ef09b96665f16f3f0bac4e111160e6f24f1f8791",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "7638bae4539dcebc3f68fda74ac35d73618ec440",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "ba567c2e52fbcf0e20502746bdaa79e911c2e8cf",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "f0cbd9386f974d310a0d20a02e4a1323e95ea654",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
},
{
"lessThan": "49befc830daa743e051a65468c05c2ff9e8580e6",
"status": "affected",
"version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/hfi_venus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Add a check for packet size after reading from shared memory\n\nAdd a check to ensure that the packet size does not exceed the number of\navailable words after reading the packet header from shared memory. This\nensures that the size provided by the firmware is safe to process and\nprevent potential out-of-bounds memory access."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:54.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0520c89f6280d2b60ab537d5743601185ee7d8ab"
},
{
"url": "https://git.kernel.org/stable/c/f5b7a943055a4a106d40a03bacd940e28cc1955f"
},
{
"url": "https://git.kernel.org/stable/c/ef09b96665f16f3f0bac4e111160e6f24f1f8791"
},
{
"url": "https://git.kernel.org/stable/c/7638bae4539dcebc3f68fda74ac35d73618ec440"
},
{
"url": "https://git.kernel.org/stable/c/ba567c2e52fbcf0e20502746bdaa79e911c2e8cf"
},
{
"url": "https://git.kernel.org/stable/c/2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c"
},
{
"url": "https://git.kernel.org/stable/c/f0cbd9386f974d310a0d20a02e4a1323e95ea654"
},
{
"url": "https://git.kernel.org/stable/c/49befc830daa743e051a65468c05c2ff9e8580e6"
}
],
"title": "media: venus: Add a check for packet size after reading from shared memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39710",
"datePublished": "2025-09-05T17:21:17.243Z",
"dateReserved": "2025-04-16T07:20:57.116Z",
"dateUpdated": "2025-11-03T17:42:37.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38079 (GCVE-0-2025-38079)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-11-03 17:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_hash - fix double free in hash_accept
If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:48.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algif_hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bff312b59b3f2a54ff504e4f4e47272b64f3633",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "bf7bba75b91539e93615f560893a599c1e1c98bf",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "c3059d58f79fdfb2201249c2741514e34562b547",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "f0f3d09f53534ea385d55ced408f2b67059b16e4",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "134daaba93193df9e988524b5cd2f52d15eb1993",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "2f45a8d64fb4ed4830a4b3273834ecd6ca504896",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "0346f4b742345d1c733c977f3a7aef5a6419a967",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "b2df03ed4052e97126267e8c13ad4204ea6ba9b6",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algif_hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. However, it is also freed in af_alg_release,\nleading to slab-use-after-free error."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T09:33:53.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bff312b59b3f2a54ff504e4f4e47272b64f3633"
},
{
"url": "https://git.kernel.org/stable/c/bf7bba75b91539e93615f560893a599c1e1c98bf"
},
{
"url": "https://git.kernel.org/stable/c/c3059d58f79fdfb2201249c2741514e34562b547"
},
{
"url": "https://git.kernel.org/stable/c/f0f3d09f53534ea385d55ced408f2b67059b16e4"
},
{
"url": "https://git.kernel.org/stable/c/134daaba93193df9e988524b5cd2f52d15eb1993"
},
{
"url": "https://git.kernel.org/stable/c/2f45a8d64fb4ed4830a4b3273834ecd6ca504896"
},
{
"url": "https://git.kernel.org/stable/c/0346f4b742345d1c733c977f3a7aef5a6419a967"
},
{
"url": "https://git.kernel.org/stable/c/b2df03ed4052e97126267e8c13ad4204ea6ba9b6"
}
],
"title": "crypto: algif_hash - fix double free in hash_accept",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38079",
"datePublished": "2025-06-18T09:33:53.251Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2025-11-03T17:33:48.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50501 (GCVE-0-2022-50501)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: coda: Add check for dcoda_iram_alloc
As the coda_iram_alloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL poineter dereference,
same as the others.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb Version: b313bcc9a46795c0233a765411cef9a15caaa7fb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5688d33aa293dfa122d66bef9c0258ddf7ef11e7",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "2c6887d5a29024bada6928d1d0959c9990401384",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "45f57abaee136a1e39d2b04443a1bd5311ba7d94",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "2b436f1410245412ea5e4c356a175a928d73eed3",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "35ddd00b36589cf948875b825eedaab1aefd5ad5",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "b99872178e7473f21904fdeea38109275aad8ae8",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "532417dc98cb9c1185ada4ea4e7ccf965c06bcb5",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "05f165ded4a7baec31b65aba88e2cd1fb9b91db2",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
},
{
"lessThan": "6b8082238fb8bb20f67e46388123e67a5bbc558d",
"status": "affected",
"version": "b313bcc9a46795c0233a765411cef9a15caaa7fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/chips-media/coda-bit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for dcoda_iram_alloc\n\nAs the coda_iram_alloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:51.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5688d33aa293dfa122d66bef9c0258ddf7ef11e7"
},
{
"url": "https://git.kernel.org/stable/c/2c6887d5a29024bada6928d1d0959c9990401384"
},
{
"url": "https://git.kernel.org/stable/c/45f57abaee136a1e39d2b04443a1bd5311ba7d94"
},
{
"url": "https://git.kernel.org/stable/c/2b436f1410245412ea5e4c356a175a928d73eed3"
},
{
"url": "https://git.kernel.org/stable/c/35ddd00b36589cf948875b825eedaab1aefd5ad5"
},
{
"url": "https://git.kernel.org/stable/c/b99872178e7473f21904fdeea38109275aad8ae8"
},
{
"url": "https://git.kernel.org/stable/c/532417dc98cb9c1185ada4ea4e7ccf965c06bcb5"
},
{
"url": "https://git.kernel.org/stable/c/05f165ded4a7baec31b65aba88e2cd1fb9b91db2"
},
{
"url": "https://git.kernel.org/stable/c/6b8082238fb8bb20f67e46388123e67a5bbc558d"
}
],
"title": "media: coda: Add check for dcoda_iram_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50501",
"datePublished": "2025-10-04T15:43:51.498Z",
"dateReserved": "2025-10-04T15:39:19.465Z",
"dateUpdated": "2025-10-04T15:43:51.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53724 (GCVE-0-2023-53724)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
`req` is allocated in pcf50633_adc_async_read(), but
adc_enqueue_request() could fail to insert the `req` into queue.
We need to check the return value and free it in the case of failure.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 Version: 08c3e06a5eb27d43b712adef18379f8464425e71 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mfd/pcf50633-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66616eed76dfa6f3e442907760325a023c6da7e2",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "41cdf082ae006ea002135dfaf43b2897de3bded8",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "588edb4fb1f1e6487a0f60a5f7b9a24d2d0c9f8e",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "3ee13bdf0d25ae8752ae6185b6d13bbb0d5a8e30",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "6a8a02dcfae13ab07dc7bed2b409cec7f3d32e92",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "9cca3a4933ca365cc664d5eefb0f942374ea8b41",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "a62a5e79202967176a9c1a04e477860779accd6c",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
},
{
"lessThan": "8b450dcff23aa254844492831a8e2b508a9d522d",
"status": "affected",
"version": "08c3e06a5eb27d43b712adef18379f8464425e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mfd/pcf50633-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()\n\n`req` is allocated in pcf50633_adc_async_read(), but\nadc_enqueue_request() could fail to insert the `req` into queue.\nWe need to check the return value and free it in the case of failure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:54.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66616eed76dfa6f3e442907760325a023c6da7e2"
},
{
"url": "https://git.kernel.org/stable/c/41cdf082ae006ea002135dfaf43b2897de3bded8"
},
{
"url": "https://git.kernel.org/stable/c/588edb4fb1f1e6487a0f60a5f7b9a24d2d0c9f8e"
},
{
"url": "https://git.kernel.org/stable/c/3ee13bdf0d25ae8752ae6185b6d13bbb0d5a8e30"
},
{
"url": "https://git.kernel.org/stable/c/6a8a02dcfae13ab07dc7bed2b409cec7f3d32e92"
},
{
"url": "https://git.kernel.org/stable/c/9cca3a4933ca365cc664d5eefb0f942374ea8b41"
},
{
"url": "https://git.kernel.org/stable/c/a62a5e79202967176a9c1a04e477860779accd6c"
},
{
"url": "https://git.kernel.org/stable/c/8b450dcff23aa254844492831a8e2b508a9d522d"
}
],
"title": "mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53724",
"datePublished": "2025-10-22T13:23:54.542Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:54.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53675 (GCVE-0-2023-53675)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cffe09ca0555e235a42d6fa065e463c4b3d5b657",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c315560e3ef77c1d822249f1743e647dc9c9912a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "584892fd29a41ef424a148118a3103b16b94fb8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "414418abc19fa4ccf730d273061a426c07a061d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b8cae410472653a59e15af62c57c49b8e0a1201",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "801ab13d50cf3d26170ee073ea8bb4eececb76ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible desc_ptr out-of-bounds accesses\n\nSanitize possible desc_ptr out-of-bounds accesses in\nses_enclosure_data_process()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:31.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72021ae61a2bc6ca73cd593e255a10ed5f5dc5e7"
},
{
"url": "https://git.kernel.org/stable/c/cffe09ca0555e235a42d6fa065e463c4b3d5b657"
},
{
"url": "https://git.kernel.org/stable/c/79ec5dd5fb07ecaea2f978c2d7a9f2f3526e4d19"
},
{
"url": "https://git.kernel.org/stable/c/c315560e3ef77c1d822249f1743e647dc9c9912a"
},
{
"url": "https://git.kernel.org/stable/c/584892fd29a41ef424a148118a3103b16b94fb8c"
},
{
"url": "https://git.kernel.org/stable/c/414418abc19fa4ccf730d273061a426c07a061d6"
},
{
"url": "https://git.kernel.org/stable/c/4b8cae410472653a59e15af62c57c49b8e0a1201"
},
{
"url": "https://git.kernel.org/stable/c/801ab13d50cf3d26170ee073ea8bb4eececb76ab"
}
],
"title": "scsi: ses: Fix possible desc_ptr out-of-bounds accesses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53675",
"datePublished": "2025-10-07T15:21:31.018Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:31.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39993 (GCVE-0-2025-39993)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rc: fix races with imon_disconnect()
Syzbot reports a KASAN issue as below:
BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465
CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__create_pipe include/linux/usb.h:1945 [inline]
send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
vfs_write+0x2d7/0xdd0 fs/read_write.c:576
ksys_write+0x127/0x250 fs/read_write.c:631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.
As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of
the usb_device pointer.
Thread 1 vfd_write Thread 2 imon_disconnect
...
if
usb_put_dev(ictx->usbdev_intf0)
else
usb_put_dev(ictx->usbdev_intf1)
...
while
send_packet
if
pipe = usb_sndintpipe(
ictx->usbdev_intf0) UAF
else
pipe = usb_sndctrlpipe(
ictx->usbdev_intf0, 0) UAF
Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return
with -ENODEV in send_packet(), vfd_write(), lcd_write() and
display_open() if the device is no longer present.
Set and read ictx->disconnected under ictx->lock to ensure memory
synchronization. Acquire the lock in imon_disconnect() before setting
the flag to synchronize with any ongoing operations.
Ensure writers exit early and safely after disconnect before the USB
core proceeds with cleanup.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9348976003e39754af344949579e824a0a210fc4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "b03fac6e2a38331faf8510b480becfa90cea1c9f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71c52b073922d05e79e6de7fc7f5f38f927929a4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71096a6161a25e84acddb89a9d77f138502d26ab",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71da40648741d15b302700b68973fe8b382aef3c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "d9f6ce99624a41c3bcb29a8d7d79b800665229dd",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "2e7fd93b9cc565b839bc55a6662475718963e156",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fa0f61cc1d828178aa921475a9b786e7fbb65ccb",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx-\u003eusers). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write Thread 2 imon_disconnect\n ...\n if\n usb_put_dev(ictx-\u003eusbdev_intf0)\n else\n usb_put_dev(ictx-\u003eusbdev_intf1)\n...\nwhile\n send_packet\n if\n pipe = usb_sndintpipe(\n ictx-\u003eusbdev_intf0) UAF\n else\n pipe = usb_sndctrlpipe(\n ictx-\u003eusbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx-\u003edisconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:08.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9348976003e39754af344949579e824a0a210fc4"
},
{
"url": "https://git.kernel.org/stable/c/b03fac6e2a38331faf8510b480becfa90cea1c9f"
},
{
"url": "https://git.kernel.org/stable/c/71c52b073922d05e79e6de7fc7f5f38f927929a4"
},
{
"url": "https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab"
},
{
"url": "https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c"
},
{
"url": "https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"
},
{
"url": "https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd"
},
{
"url": "https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156"
},
{
"url": "https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb"
}
],
"title": "media: rc: fix races with imon_disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39993",
"datePublished": "2025-10-15T07:58:18.621Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-29T13:19:08.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53598 (GCVE-0-2023-53598)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Range check CHDBOFF and ERDBOFF
If the value read from the CHDBOFF and ERDBOFF registers is outside the
range of the MHI register space then an invalid address might be computed
which later causes a kernel panic. Range check the read value to prevent
a crash due to bad data from the device.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c Version: 6cd330ae76ffd5c8f6294c423cabde7eeef1b40c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "372f1752b74572b0a9d2288841eab7db17daccae",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
},
{
"lessThan": "2343385fe6eed11d0432ab42a97b3ca4aef06a99",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
},
{
"lessThan": "a2cbb1a45a0c86ce77839c0875414efe1a89315e",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
},
{
"lessThan": "83bf6b87e2dd053d95d89eb2f01ae885f9e568db",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
},
{
"lessThan": "4e584127ec2bd42a37c88badb49df409f21fa40a",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
},
{
"lessThan": "6a0c637bfee69a74c104468544d9f2a6579626d0",
"status": "affected",
"version": "6cd330ae76ffd5c8f6294c423cabde7eeef1b40c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Range check CHDBOFF and ERDBOFF\n\nIf the value read from the CHDBOFF and ERDBOFF registers is outside the\nrange of the MHI register space then an invalid address might be computed\nwhich later causes a kernel panic. Range check the read value to prevent\na crash due to bad data from the device."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:10.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/372f1752b74572b0a9d2288841eab7db17daccae"
},
{
"url": "https://git.kernel.org/stable/c/2343385fe6eed11d0432ab42a97b3ca4aef06a99"
},
{
"url": "https://git.kernel.org/stable/c/a2cbb1a45a0c86ce77839c0875414efe1a89315e"
},
{
"url": "https://git.kernel.org/stable/c/83bf6b87e2dd053d95d89eb2f01ae885f9e568db"
},
{
"url": "https://git.kernel.org/stable/c/4e584127ec2bd42a37c88badb49df409f21fa40a"
},
{
"url": "https://git.kernel.org/stable/c/6a0c637bfee69a74c104468544d9f2a6579626d0"
}
],
"title": "bus: mhi: host: Range check CHDBOFF and ERDBOFF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53598",
"datePublished": "2025-10-04T15:44:10.380Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:10.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53465 (GCVE-0-2023-53465)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soundwire: qcom: fix storing port config out-of-bounds
The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14),
however we index it starting from 1, not 0, to match real port numbers.
This can lead to writing port config past 'pconfig' bounds and
overwriting next member of 'qcom_swrm_ctrl' struct. Reported also by
smatch:
drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soundwire/qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20f7c4d51c94abb1a1a7c21900db4fb5afe5c8ff",
"status": "affected",
"version": "9916c02ccd74e672b62dd1a9017ac2f237ebf512",
"versionType": "git"
},
{
"lessThan": "801daff0078087b5df9145c9f5e643c28129734b",
"status": "affected",
"version": "9916c02ccd74e672b62dd1a9017ac2f237ebf512",
"versionType": "git"
},
{
"lessThan": "32eb67d7360d48c15883e0d21b29c0aab9da022e",
"status": "affected",
"version": "9916c02ccd74e672b62dd1a9017ac2f237ebf512",
"versionType": "git"
},
{
"lessThan": "490937d479abe5f6584e69b96df066bc87be92e9",
"status": "affected",
"version": "9916c02ccd74e672b62dd1a9017ac2f237ebf512",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soundwire/qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: qcom: fix storing port config out-of-bounds\n\nThe \u0027qcom_swrm_ctrl-\u003epconfig\u0027 has size of QCOM_SDW_MAX_PORTS (14),\nhowever we index it starting from 1, not 0, to match real port numbers.\nThis can lead to writing port config past \u0027pconfig\u0027 bounds and\noverwriting next member of \u0027qcom_swrm_ctrl\u0027 struct. Reported also by\nsmatch:\n\n drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow \u0027ctrl-\u003epconfig\u0027 14 \u003c= 14"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:36.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20f7c4d51c94abb1a1a7c21900db4fb5afe5c8ff"
},
{
"url": "https://git.kernel.org/stable/c/801daff0078087b5df9145c9f5e643c28129734b"
},
{
"url": "https://git.kernel.org/stable/c/32eb67d7360d48c15883e0d21b29c0aab9da022e"
},
{
"url": "https://git.kernel.org/stable/c/490937d479abe5f6584e69b96df066bc87be92e9"
}
],
"title": "soundwire: qcom: fix storing port config out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53465",
"datePublished": "2025-10-01T11:42:36.007Z",
"dateReserved": "2025-10-01T11:39:39.400Z",
"dateUpdated": "2025-10-01T11:42:36.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40044 (GCVE-0-2025-40044)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
udf_release_file+0xc1/0x120 fs/udf/file.c:185
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14496175b264d30c2045584ee31d062af2e3a660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d1847812a1a5375c10a2a779338df643f79c047",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "918649364fbca7d5df72522ca795479edcd25f91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a70dcfa8d0a0cc530a6af59483dfca260b652c1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "459404f858213967ccfff336c41747d8dd186d38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bd5e45c2ce30e239d596becd5db720f7eb83c99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n\nWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes from\non-disk data and must be validated against the block size. Crafted or\ncorrupted images may set lengthAllocDescs so that the total descriptor\nlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,\nleading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and\ntrigger a KASAN use-after-free read.\n\nBUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\nRead of size 1 at addr ffff888041e7d000 by task syz-executor317/5309\n\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\n udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261\n udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179\n extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46\n udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106\n udf_release_file+0xc1/0x120 fs/udf/file.c:185\n __fput+0x23f/0x880 fs/file_table.c:431\n task_work_run+0x24f/0x310 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:43 [inline]\n do_exit+0xa2f/0x28e0 kernel/exit.c:939\n do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n __do_sys_exit_group kernel/exit.c:1099 [inline]\n __se_sys_exit_group kernel/exit.c:1097 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nValidate the computed total length against epos-\u003ebh-\u003eb_size.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:45.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660"
},
{
"url": "https://git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818"
},
{
"url": "https://git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047"
},
{
"url": "https://git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91"
},
{
"url": "https://git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b"
},
{
"url": "https://git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24"
},
{
"url": "https://git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38"
},
{
"url": "https://git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99"
}
],
"title": "fs: udf: fix OOB read in lengthAllocDescs handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40044",
"datePublished": "2025-10-28T11:48:22.827Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-10-29T13:19:45.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53181 (GCVE-0-2023-53181)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dma-buf/dma-resv: Stop leaking on krealloc() failure
Currently dma_resv_get_fences() will leak the previously
allocated array if the fence iteration got restarted and
the krealloc_array() fails.
Free the old array by hand, and make sure we still clear
the returned *fences so the caller won't end up accessing
freed memory. Some (but not all) of the callers of
dma_resv_get_fences() seem to still trawl through the
array even when dma_resv_get_fences() failed. And let's
zero out *num_fences as well for good measure.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/dma-resv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19e7b9f1f7e1cb92a4cc53b4c064f7fb4b1f1983",
"status": "affected",
"version": "d3c80698c9f58a0683badf78793eebaa0c71afbd",
"versionType": "git"
},
{
"lessThan": "819656cc03dec7f7f7800274dfbc8eb49f888e9f",
"status": "affected",
"version": "d3c80698c9f58a0683badf78793eebaa0c71afbd",
"versionType": "git"
},
{
"lessThan": "05abb3be91d8788328231ee02973ab3d47f5e3d2",
"status": "affected",
"version": "d3c80698c9f58a0683badf78793eebaa0c71afbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/dma-resv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/dma-resv: Stop leaking on krealloc() failure\n\nCurrently dma_resv_get_fences() will leak the previously\nallocated array if the fence iteration got restarted and\nthe krealloc_array() fails.\n\nFree the old array by hand, and make sure we still clear\nthe returned *fences so the caller won\u0027t end up accessing\nfreed memory. Some (but not all) of the callers of\ndma_resv_get_fences() seem to still trawl through the\narray even when dma_resv_get_fences() failed. And let\u0027s\nzero out *num_fences as well for good measure."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:32.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19e7b9f1f7e1cb92a4cc53b4c064f7fb4b1f1983"
},
{
"url": "https://git.kernel.org/stable/c/819656cc03dec7f7f7800274dfbc8eb49f888e9f"
},
{
"url": "https://git.kernel.org/stable/c/05abb3be91d8788328231ee02973ab3d47f5e3d2"
}
],
"title": "dma-buf/dma-resv: Stop leaking on krealloc() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53181",
"datePublished": "2025-09-15T14:04:32.098Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-15T14:04:32.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53380 (GCVE-0-2023-53380)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
There are two check of 'mreplace' in raid10_sync_request(). In the first
check, 'need_replace' will be set and 'mreplace' will be used later if
no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be
set to NULL if it is Faulty, but 'need_replace' will not be changed
accordingly. null-ptr-deref occurs if Faulty is set between two check.
Fix it by merging two checks into one. And replace 'need_replace' with
'mreplace' because their values are always the same.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f Version: ee37d7314a32ab6809eacc3389bad0406c69a81f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45fa023b3334a7ae6f6c4eb977295804222dfa28",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "2990e2ece18dd4cca71b3109c80517ad94adb065",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "f4368a462b1f9a8ecc2fdb09a28c3d4cad302a4f",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "222cc459d59857ee28a5366dc225ab42b22f9272",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "b5015b97adda6a24dd3e713c63e521ecbeff25c6",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "144c7fd008e0072b0b565f1157eec618de54ca8a",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
},
{
"lessThan": "34817a2441747b48e444cb0e05d84e14bc9443da",
"status": "affected",
"version": "ee37d7314a32ab6809eacc3389bad0406c69a81f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null-ptr-deref of mreplace in raid10_sync_request\n\nThere are two check of \u0027mreplace\u0027 in raid10_sync_request(). In the first\ncheck, \u0027need_replace\u0027 will be set and \u0027mreplace\u0027 will be used later if\nno-Faulty \u0027mreplace\u0027 exists, In the second check, \u0027mreplace\u0027 will be\nset to NULL if it is Faulty, but \u0027need_replace\u0027 will not be changed\naccordingly. null-ptr-deref occurs if Faulty is set between two check.\n\nFix it by merging two checks into one. And replace \u0027need_replace\u0027 with\n\u0027mreplace\u0027 because their values are always the same."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:25.383Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45fa023b3334a7ae6f6c4eb977295804222dfa28"
},
{
"url": "https://git.kernel.org/stable/c/2990e2ece18dd4cca71b3109c80517ad94adb065"
},
{
"url": "https://git.kernel.org/stable/c/f4368a462b1f9a8ecc2fdb09a28c3d4cad302a4f"
},
{
"url": "https://git.kernel.org/stable/c/222cc459d59857ee28a5366dc225ab42b22f9272"
},
{
"url": "https://git.kernel.org/stable/c/b5015b97adda6a24dd3e713c63e521ecbeff25c6"
},
{
"url": "https://git.kernel.org/stable/c/144c7fd008e0072b0b565f1157eec618de54ca8a"
},
{
"url": "https://git.kernel.org/stable/c/34817a2441747b48e444cb0e05d84e14bc9443da"
}
],
"title": "md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53380",
"datePublished": "2025-09-18T13:33:25.383Z",
"dateReserved": "2025-09-17T14:54:09.736Z",
"dateUpdated": "2025-09-18T13:33:25.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50563 (GCVE-0-2022-50563)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Fix UAF in run_timer_softirq()
When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF, as follows:
BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
Call Trace:
<IRQ>
dump_stack_lvl+0x73/0x9f
print_report.cold+0x132/0xaa2
_raw_spin_lock_irqsave+0xcd/0x160
__run_timers+0x173/0x710
kasan_report+0xad/0x110
__run_timers+0x173/0x710
__asan_store8+0x9c/0x140
__run_timers+0x173/0x710
call_timer_fn+0x310/0x310
pvclock_clocksource_read+0xfa/0x250
kvm_clock_read+0x2c/0x70
kvm_clock_get_cycles+0xd/0x20
ktime_get+0x5c/0x110
lapic_next_event+0x38/0x50
clockevents_program_event+0xf1/0x1e0
run_timer_softirq+0x49/0x90
__do_softirq+0x16e/0x62c
__irq_exit_rcu+0x1fa/0x270
irq_exit_rcu+0x12/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
One of the concurrency UAF can be shown as below:
use free
do_resume |
__find_device_hash_cell |
dm_get |
atomic_inc(&md->holders) |
| dm_destroy
| __dm_destroy
| if (!dm_suspended_md(md))
| atomic_read(&md->holders)
| msleep(1)
dm_resume |
__dm_resume |
dm_table_resume_targets |
pool_resume |
do_waker #add delay work |
dm_put |
atomic_dec(&md->holders) |
| dm_table_destroy
| pool_dtr
| __pool_dec
| __pool_destroy
| destroy_workqueue
| kfree(pool) # free pool
time out
__do_softirq
run_timer_softirq # pool has already been freed
This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all # Concurrent with 3
The root cause of this UAF bug is that dm_resume() adds timer after
dm_destroy() skips cancelling the timer because of suspend status.
After timeout, it will call run_timer_softirq(), however pool has
already been freed. The concurrency UAF bug will happen.
Therefore, cancelling timer again in __pool_destroy().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 Version: 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ee059d06a5d3c15465959e0472993e80fbe4e81",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "550a4fac7ecfee5bac6a0dd772456ca62fb72f46",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "e8b8e0d2bbf7d1172c4f435621418e29ee408d46",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "7ae6aa649394e1e7f6dafb55ce0d578c0572a280",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "34fe9c2251f19786a6689149a6212c6c0de1d63b",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "34cd15d83b7206188d440b29b68084fcafde9395",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "94e231c9d6f2648d2f1f68e7f476e050ee0a6159",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
},
{
"lessThan": "88430ebcbc0ec637b710b947738839848c20feff",
"status": "affected",
"version": "991d9fa02da0dd1f843dc011376965e0c8c6c9b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-thin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n\u003csnip\u003e\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x73/0x9f\n print_report.cold+0x132/0xaa2\n _raw_spin_lock_irqsave+0xcd/0x160\n __run_timers+0x173/0x710\n kasan_report+0xad/0x110\n __run_timers+0x173/0x710\n __asan_store8+0x9c/0x140\n __run_timers+0x173/0x710\n call_timer_fn+0x310/0x310\n pvclock_clocksource_read+0xfa/0x250\n kvm_clock_read+0x2c/0x70\n kvm_clock_get_cycles+0xd/0x20\n ktime_get+0x5c/0x110\n lapic_next_event+0x38/0x50\n clockevents_program_event+0xf1/0x1e0\n run_timer_softirq+0x49/0x90\n __do_softirq+0x16e/0x62c\n __irq_exit_rcu+0x1fa/0x270\n irq_exit_rcu+0x12/0x20\n sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n use free\ndo_resume |\n __find_device_hash_cell |\n dm_get |\n atomic_inc(\u0026md-\u003eholders) |\n | dm_destroy\n | __dm_destroy\n | if (!dm_suspended_md(md))\n | atomic_read(\u0026md-\u003eholders)\n | msleep(1)\n dm_resume |\n __dm_resume |\n dm_table_resume_targets |\n pool_resume |\n do_waker #add delay work |\n dm_put |\n atomic_dec(\u0026md-\u003eholders) |\n | dm_table_destroy\n | pool_dtr\n | __pool_dec\n | __pool_destroy\n | destroy_workqueue\n | kfree(pool) # free pool\n time out\n__do_softirq\n run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n 1. create thin-pool\n 2. dmsetup suspend pool\n 3. dmsetup resume pool\n 4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:22.080Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81"
},
{
"url": "https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46"
},
{
"url": "https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46"
},
{
"url": "https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280"
},
{
"url": "https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b"
},
{
"url": "https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395"
},
{
"url": "https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159"
},
{
"url": "https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"
},
{
"url": "https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff"
}
],
"title": "dm thin: Fix UAF in run_timer_softirq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50563",
"datePublished": "2025-10-22T13:23:22.080Z",
"dateReserved": "2025-10-22T13:20:23.759Z",
"dateUpdated": "2025-10-22T13:23:22.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39882 (GCVE-0-2025-39882)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: fix potential OF node use-after-free
The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.
Drop the recently introduced bogus additional reference count decrement
at each iteration that could potentially lead to a use-after-free.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2fbe0f9f80b9cfa1e06ddcf8b863d918394ef1d",
"status": "affected",
"version": "7d98166183d627c0b9daca7672b2191fae0f8a03",
"versionType": "git"
},
{
"lessThan": "b58a26cdd4795c1ce6a80e38e9348885555dacd6",
"status": "affected",
"version": "31ce7c089b50c3d3056c37e0e25e7535e4428ae1",
"versionType": "git"
},
{
"lessThan": "c4901802ed1ce859242e10af06e6a7752cba0497",
"status": "affected",
"version": "fae58d0155a979a8c414bbc12db09dd4b2f910d0",
"versionType": "git"
},
{
"lessThan": "4de37a48b6b58faaded9eb765047cf0d8785ea18",
"status": "affected",
"version": "1f403699c40f0806a707a9a6eed3b8904224021a",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.107",
"status": "affected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThan": "6.12.48",
"status": "affected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThan": "6.16.8",
"status": "affected",
"version": "6.16.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.16.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: fix potential OF node use-after-free\n\nThe for_each_child_of_node() helper drops the reference it takes to each\nnode as it iterates over children and an explicit of_node_put() is only\nneeded when exiting the loop early.\n\nDrop the recently introduced bogus additional reference count decrement\nat each iteration that could potentially lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:42.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2fbe0f9f80b9cfa1e06ddcf8b863d918394ef1d"
},
{
"url": "https://git.kernel.org/stable/c/b58a26cdd4795c1ce6a80e38e9348885555dacd6"
},
{
"url": "https://git.kernel.org/stable/c/c4901802ed1ce859242e10af06e6a7752cba0497"
},
{
"url": "https://git.kernel.org/stable/c/4de37a48b6b58faaded9eb765047cf0d8785ea18"
}
],
"title": "drm/mediatek: fix potential OF node use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39882",
"datePublished": "2025-09-23T06:00:51.036Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:42.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53599 (GCVE-0-2023-53599)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390
Fix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to point
to the scatterlist array in areq->first_rsgl.sgl.sgl.
Without this, the gcm-aes-s390 driver will oops when it tries to do
gcm_walk_start() on req->dst because req->dst is set to the value of
areq->first_rsgl.sgl.sgl by _aead_recvmsg() calling
aead_request_set_crypt().
The problem comes if an empty ciphertext is passed: the loop in
af_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsgl
up.
This isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as far
as I can tell, that ignores req->dst and only uses req->src[*].
[*] Is this a bug in aesni-intel_glue.c?
The s390x oops looks something like:
Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0000000a00000000 TEID: 0000000a00000803
Fault in home space mode while using kernel ASCE.
AS:00000000a43a0007 R3:0000000000000024
Oops: 003b ilc:2 [#1] SMP
...
Call Trace:
[<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390]
[<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8
[<00000000a2a60888>] aead_recvmsg+0x478/0x698
[<00000000a2e519a0>] sock_recvmsg+0x70/0xb0
[<00000000a2e51a56>] sock_read_iter+0x76/0xa0
[<00000000a273e066>] vfs_read+0x26e/0x2a8
[<00000000a273e8c4>] ksys_read+0xbc/0x100
[<00000000a311d808>] __do_syscall+0x1d0/0x1f8
[<00000000a312ff30>] system_call+0x70/0x98
Last Breaking-Event-Address:
[<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c9d205040d7c0eaccc473917f9b0bb0a923e440",
"status": "affected",
"version": "c1abe6f570aff4b6d396dc551e60570d2f50bd79",
"versionType": "git"
},
{
"lessThan": "6a4b8aa0a916b39a39175584c07222434fa6c6ef",
"status": "affected",
"version": "c1abe6f570aff4b6d396dc551e60570d2f50bd79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix missing initialisation affecting gcm-aes-s390\n\nFix af_alg_alloc_areq() to initialise areq-\u003efirst_rsgl.sgl.sgt.sgl to point\nto the scatterlist array in areq-\u003efirst_rsgl.sgl.sgl.\n\nWithout this, the gcm-aes-s390 driver will oops when it tries to do\ngcm_walk_start() on req-\u003edst because req-\u003edst is set to the value of\nareq-\u003efirst_rsgl.sgl.sgl by _aead_recvmsg() calling\naead_request_set_crypt().\n\nThe problem comes if an empty ciphertext is passed: the loop in\naf_alg_get_rsgl() just passes straight out and doesn\u0027t set areq-\u003efirst_rsgl\nup.\n\nThis isn\u0027t a problem on x86_64 using gcmaes_crypt_by_sg() because, as far\nas I can tell, that ignores req-\u003edst and only uses req-\u003esrc[*].\n\n[*] Is this a bug in aesni-intel_glue.c?\n\nThe s390x oops looks something like:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 0000000a00000000 TEID: 0000000a00000803\n Fault in home space mode while using kernel ASCE.\n AS:00000000a43a0007 R3:0000000000000024\n Oops: 003b ilc:2 [#1] SMP\n ...\n Call Trace:\n [\u003c000003ff7fc3d47e\u003e] gcm_walk_start+0x16/0x28 [aes_s390]\n [\u003c00000000a2a342f2\u003e] crypto_aead_decrypt+0x9a/0xb8\n [\u003c00000000a2a60888\u003e] aead_recvmsg+0x478/0x698\n [\u003c00000000a2e519a0\u003e] sock_recvmsg+0x70/0xb0\n [\u003c00000000a2e51a56\u003e] sock_read_iter+0x76/0xa0\n [\u003c00000000a273e066\u003e] vfs_read+0x26e/0x2a8\n [\u003c00000000a273e8c4\u003e] ksys_read+0xbc/0x100\n [\u003c00000000a311d808\u003e] __do_syscall+0x1d0/0x1f8\n [\u003c00000000a312ff30\u003e] system_call+0x70/0x98\n Last Breaking-Event-Address:\n [\u003c000003ff7fc3e6b4\u003e] gcm_aes_crypt+0x104/0xa68 [aes_s390]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:11.096Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c9d205040d7c0eaccc473917f9b0bb0a923e440"
},
{
"url": "https://git.kernel.org/stable/c/6a4b8aa0a916b39a39175584c07222434fa6c6ef"
}
],
"title": "crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53599",
"datePublished": "2025-10-04T15:44:11.096Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:11.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53222 (GCVE-0-2023-53222)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
number inside dbFree(). db_l2nbperpage, which is the log2 number of
blocks per page, is passed as an argument to BLKTODMAP which uses it
for shifting.
Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
too big. This happens because the large value is set without any
validation in dbMount() at line 181.
Thus, make sure that db_l2nbperpage is correct while mounting.
Max number of blocks per page = Page size / Min block size
=> log2(Max num_block per page) = log2(Page size / Min block size)
= log2(Page size) - log2(Min block size)
=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c",
"fs/jfs/jfs_filsys.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c1efe3f74a7864461b0dff281c5562154b4aa8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4855aeb13e4ad1f23e16753b68212e180f7d848",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47b7eaae08e8b2f25bdf37bc14d21be090bcb20f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de984faecddb900fa850af4df574a25b32bb93f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c7feb54b113802d2aba98708769d3c33fb017254",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a03c4e683d33d17b667418eb717b13dda1fac6b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11509910c599cbd04585ec35a6d5e1a0053d84c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c",
"fs/jfs/jfs_filsys.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: jfs_dmap: Validate db_l2nbperpage while mounting\n\nIn jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block\nnumber inside dbFree(). db_l2nbperpage, which is the log2 number of\nblocks per page, is passed as an argument to BLKTODMAP which uses it\nfor shifting.\n\nSyzbot reported a shift out-of-bounds crash because db_l2nbperpage is\ntoo big. This happens because the large value is set without any\nvalidation in dbMount() at line 181.\n\nThus, make sure that db_l2nbperpage is correct while mounting.\n\nMax number of blocks per page = Page size / Min block size\n=\u003e log2(Max num_block per page) = log2(Page size / Min block size)\n\t\t\t\t= log2(Page size) - log2(Min block size)\n\n=\u003e Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:50.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c1efe3f74a7864461b0dff281c5562154b4aa8e"
},
{
"url": "https://git.kernel.org/stable/c/ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2"
},
{
"url": "https://git.kernel.org/stable/c/a4855aeb13e4ad1f23e16753b68212e180f7d848"
},
{
"url": "https://git.kernel.org/stable/c/47b7eaae08e8b2f25bdf37bc14d21be090bcb20f"
},
{
"url": "https://git.kernel.org/stable/c/de984faecddb900fa850af4df574a25b32bb93f5"
},
{
"url": "https://git.kernel.org/stable/c/c7feb54b113802d2aba98708769d3c33fb017254"
},
{
"url": "https://git.kernel.org/stable/c/2a03c4e683d33d17b667418eb717b13dda1fac6b"
},
{
"url": "https://git.kernel.org/stable/c/11509910c599cbd04585ec35a6d5e1a0053d84c1"
}
],
"title": "jfs: jfs_dmap: Validate db_l2nbperpage while mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53222",
"datePublished": "2025-09-15T14:21:50.970Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2025-09-15T14:21:50.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40056 (GCVE-0-2025-40056)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Fix copy_to_iter return value check
The return value of copy_to_iter can't be negative, check whether the
copied length is equal to the requested length instead of checking for
negative values.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd71e7e0a612740e4de5524880c7cd40293af5f7",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "781226e11d5bdea0d69c7b5aa3cda874093c73b8",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "b3a950d236e98440c07405ba597b11bce56a8050",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "68aac2b335d474b938d154b9c95cbc58838cb2ce",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
},
{
"lessThan": "439263376c2c4e126cac0d07e4987568de4eaba5",
"status": "affected",
"version": "309bba39c945ac8ab8083ac05cd6cfe5822968e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vringh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Fix copy_to_iter return value check\n\nThe return value of copy_to_iter can\u0027t be negative, check whether the\ncopied length is equal to the requested length instead of checking for\nnegative values."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:30.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd71e7e0a612740e4de5524880c7cd40293af5f7"
},
{
"url": "https://git.kernel.org/stable/c/781226e11d5bdea0d69c7b5aa3cda874093c73b8"
},
{
"url": "https://git.kernel.org/stable/c/b3a950d236e98440c07405ba597b11bce56a8050"
},
{
"url": "https://git.kernel.org/stable/c/68aac2b335d474b938d154b9c95cbc58838cb2ce"
},
{
"url": "https://git.kernel.org/stable/c/439263376c2c4e126cac0d07e4987568de4eaba5"
}
],
"title": "vhost: vringh: Fix copy_to_iter return value check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40056",
"datePublished": "2025-10-28T11:48:30.249Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-10-28T11:48:30.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40029 (GCVE-0-2025-40029)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc: Check return value of platform_get_resource()
platform_get_resource() returns NULL in case of failure, so check its
return value and propagate the error in order to prevent NULL pointer
dereference.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58dd05070b57a20f22ff35a34ef9846bdf49a1d0",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "8a4dd74fe413d4a278e649be1d22d028e1667116",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "e60d55692e6c8e951000343c39f3fc92cab57efc",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "78e87b8a3cf8a59671ea25c87192d16e8d710e1c",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "84ec0482ed9c9ed0aee553a5e7e7458ad79c021f",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "2ead548473f58c7960b6b939b79503c4a0a2c0bd",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: Check return value of platform_get_resource()\n\nplatform_get_resource() returns NULL in case of failure, so check its\nreturn value and propagate the error in order to prevent NULL pointer\ndereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:32.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58dd05070b57a20f22ff35a34ef9846bdf49a1d0"
},
{
"url": "https://git.kernel.org/stable/c/8a4dd74fe413d4a278e649be1d22d028e1667116"
},
{
"url": "https://git.kernel.org/stable/c/e60d55692e6c8e951000343c39f3fc92cab57efc"
},
{
"url": "https://git.kernel.org/stable/c/78e87b8a3cf8a59671ea25c87192d16e8d710e1c"
},
{
"url": "https://git.kernel.org/stable/c/84ec0482ed9c9ed0aee553a5e7e7458ad79c021f"
},
{
"url": "https://git.kernel.org/stable/c/2ead548473f58c7960b6b939b79503c4a0a2c0bd"
},
{
"url": "https://git.kernel.org/stable/c/25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae"
}
],
"title": "bus: fsl-mc: Check return value of platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40029",
"datePublished": "2025-10-28T11:48:00.679Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-10-29T13:19:32.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53104 (GCVE-0-2024-53104)
Vulnerability from cvelistv5
Published
2024-12-02 07:29
Modified
2025-11-03 22:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c Version: c0efd232929c2cd87238de2cccdaf4e845be5b0c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53104",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:29:32.093245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:34.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T00:00:00+00:00",
"value": "CVE-2024-53104 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:29:17.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "684022f81f128338fe3587ec967459669a1204ae",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "faff5bbb2762c44ec7426037b3000e77a11d6773",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "467d84dc78c9abf6b217ada22b3fdba336262e29",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "beced2cb09b58c1243733f374c560a55382003d6",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "575a562f7a3ec2d54ff77ab6810e3fbceef2a91d",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "622ad10aae5f5e03b7927ea95f7f32812f692bb5",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "1ee9d9122801eb688783acd07791f2906b87cb4f",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
},
{
"lessThan": "ecf2b43018da9579842c774b7f35dbe11b5c38dd",
"status": "affected",
"version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.1",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format\n\nThis can lead to out of bounds writes since frames of this type were not\ntaken into account when calculating the size of the frames buffer in\nuvc_parse_streaming."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:53:07.798Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8"
},
{
"url": "https://git.kernel.org/stable/c/684022f81f128338fe3587ec967459669a1204ae"
},
{
"url": "https://git.kernel.org/stable/c/faff5bbb2762c44ec7426037b3000e77a11d6773"
},
{
"url": "https://git.kernel.org/stable/c/467d84dc78c9abf6b217ada22b3fdba336262e29"
},
{
"url": "https://git.kernel.org/stable/c/beced2cb09b58c1243733f374c560a55382003d6"
},
{
"url": "https://git.kernel.org/stable/c/575a562f7a3ec2d54ff77ab6810e3fbceef2a91d"
},
{
"url": "https://git.kernel.org/stable/c/622ad10aae5f5e03b7927ea95f7f32812f692bb5"
},
{
"url": "https://git.kernel.org/stable/c/1ee9d9122801eb688783acd07791f2906b87cb4f"
},
{
"url": "https://git.kernel.org/stable/c/ecf2b43018da9579842c774b7f35dbe11b5c38dd"
}
],
"title": "media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53104",
"datePublished": "2024-12-02T07:29:27.261Z",
"dateReserved": "2024-11-19T17:17:24.985Z",
"dateUpdated": "2025-11-03T22:29:17.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53729 (GCVE-0-2023-53729)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: qmi_encdec: Restrict string length in decode
The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 Version: 9b8a11e82615274d4133aab3cf5aa1c59191f0a2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/qmi_encdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b58859e7c4ac357517a59f0801e8ce1b58a8ee2",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "64c5e916fabe5ef7bef0210b8a59fa8941ee1b8e",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "2ccab9f82772ead618689d17dbc6950d6bd1e741",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "b2f39b813d1eed4a522428d1e6acd7dfe9b81579",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "f6250ecb7fbb934b89539e7e2ba6c1d8555c0975",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "22ee7c9c7f381be178b4457bc54530002e08e938",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
},
{
"lessThan": "8d207400fd6b79c92aeb2f33bb79f62dff904ea2",
"status": "affected",
"version": "9b8a11e82615274d4133aab3cf5aa1c59191f0a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/qmi_encdec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: qmi_encdec: Restrict string length in decode\n\nThe QMI TLV value for strings in a lot of qmi element info structures\naccount for null terminated strings with MAX_LEN + 1. If a string is\nactually MAX_LEN + 1 length, this will cause an out of bounds access\nwhen the NULL character is appended in decoding."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:57.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b58859e7c4ac357517a59f0801e8ce1b58a8ee2"
},
{
"url": "https://git.kernel.org/stable/c/64c5e916fabe5ef7bef0210b8a59fa8941ee1b8e"
},
{
"url": "https://git.kernel.org/stable/c/2ccab9f82772ead618689d17dbc6950d6bd1e741"
},
{
"url": "https://git.kernel.org/stable/c/b2f39b813d1eed4a522428d1e6acd7dfe9b81579"
},
{
"url": "https://git.kernel.org/stable/c/f6250ecb7fbb934b89539e7e2ba6c1d8555c0975"
},
{
"url": "https://git.kernel.org/stable/c/22ee7c9c7f381be178b4457bc54530002e08e938"
},
{
"url": "https://git.kernel.org/stable/c/8d207400fd6b79c92aeb2f33bb79f62dff904ea2"
}
],
"title": "soc: qcom: qmi_encdec: Restrict string length in decode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53729",
"datePublished": "2025-10-22T13:23:57.739Z",
"dateReserved": "2025-10-22T13:21:37.349Z",
"dateUpdated": "2025-10-22T13:23:57.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39871 (GCVE-0-2025-39871)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Remove improper idxd_free
The call to idxd_free() introduces a duplicate put_device() leading to a
reference count underflow:
refcount_t: underflow; use-after-free.
WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
Call Trace:
<TASK>
idxd_remove+0xe4/0x120 [idxd]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x197/0x200
driver_detach+0x48/0x90
bus_remove_driver+0x74/0xf0
pci_unregister_driver+0x2e/0xb0
idxd_exit_module+0x34/0x7a0 [idxd]
__do_sys_delete_module.constprop.0+0x183/0x280
do_syscall_64+0x54/0xd70
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The idxd_unregister_devices() which is invoked at the very beginning of
idxd_remove(), already takes care of the necessary put_device() through the
following call path:
idxd_unregister_devices() -> device_unregister() -> put_device()
In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may
trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is
called immediately after, it can result in a use-after-free.
Remove the improper idxd_free() to avoid both the refcount underflow and
potential memory corruption during module unload.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d2d05fd0fc95c4defed6f7b87550e20e8baa1d97 Version: 21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7 Version: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Version: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Version: 68ac5a01f635b3791196fd1c39bc48497252c36f Version: 2b7a961cea0e5b65afda911f76d14fec5c98d024 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e95ee7f532b21206fe3f1c4054002b0d21e3b9c",
"status": "affected",
"version": "d2d05fd0fc95c4defed6f7b87550e20e8baa1d97",
"versionType": "git"
},
{
"lessThan": "dd7a7e43269711d757fc260b0bbdf7138f75de11",
"status": "affected",
"version": "21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7",
"versionType": "git"
},
{
"lessThan": "da4fbc1488a4cec6748da685181ee4449a878dac",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"lessThan": "f41c538881eec4dcf5961a242097d447f848cda6",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"status": "affected",
"version": "68ac5a01f635b3791196fd1c39bc48497252c36f",
"versionType": "git"
},
{
"status": "affected",
"version": "2b7a961cea0e5b65afda911f76d14fec5c98d024",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n idxd_remove+0xe4/0x120 [idxd]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x197/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x74/0xf0\n pci_unregister_driver+0x2e/0xb0\n idxd_exit_module+0x34/0x7a0 [idxd]\n __do_sys_delete_module.constprop.0+0x183/0x280\n do_syscall_64+0x54/0xd70\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -\u003e device_unregister() -\u003e put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:27.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"
},
{
"url": "https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11"
},
{
"url": "https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac"
},
{
"url": "https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6"
}
],
"title": "dmaengine: idxd: Remove improper idxd_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39871",
"datePublished": "2025-09-23T06:00:44.882Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:27.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53313 (GCVE-0-2023-53313)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix wrong setting of max_corr_read_errors
There is no input check when echo md/max_read_errors and overflow might
occur. Add check of input number.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d Version: 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74050a3fdd4aecfd2cbf74d3c145812ab2744375",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "025fde32fb957a5c271711bc66841f817ff5f299",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "31c805a44b7569ca1017a4714385182d98bba212",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "b1d8f38310bce3282374983b229d94edbaf1e570",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "3c76920e547d4b931bed758bad83fd658dd88b4e",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "05d10428e8dffed0bac2502f34151729fc189cd3",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "aef6e98eb772594edd4399625e4e1bbe45971fa1",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "e83cb411aa1c6c9617db9329897f4506ba9e9b9d",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
},
{
"lessThan": "f8b20a405428803bd9881881d8242c9d72c6b2b2",
"status": "affected",
"version": "1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix wrong setting of max_corr_read_errors\n\nThere is no input check when echo md/max_read_errors and overflow might\noccur. Add check of input number."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:50.642Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74050a3fdd4aecfd2cbf74d3c145812ab2744375"
},
{
"url": "https://git.kernel.org/stable/c/025fde32fb957a5c271711bc66841f817ff5f299"
},
{
"url": "https://git.kernel.org/stable/c/31c805a44b7569ca1017a4714385182d98bba212"
},
{
"url": "https://git.kernel.org/stable/c/b1d8f38310bce3282374983b229d94edbaf1e570"
},
{
"url": "https://git.kernel.org/stable/c/3c76920e547d4b931bed758bad83fd658dd88b4e"
},
{
"url": "https://git.kernel.org/stable/c/05d10428e8dffed0bac2502f34151729fc189cd3"
},
{
"url": "https://git.kernel.org/stable/c/aef6e98eb772594edd4399625e4e1bbe45971fa1"
},
{
"url": "https://git.kernel.org/stable/c/e83cb411aa1c6c9617db9329897f4506ba9e9b9d"
},
{
"url": "https://git.kernel.org/stable/c/f8b20a405428803bd9881881d8242c9d72c6b2b2"
}
],
"title": "md/raid10: fix wrong setting of max_corr_read_errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53313",
"datePublished": "2025-09-16T16:11:50.642Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2025-09-16T16:11:50.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53583 (GCVE-0-2023-53583)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()
Since commit 096b52fd2bb4 ("perf: RISC-V: throttle perf events") the
perf_sample_event_took() function was added to report time spent in
overflow interrupts. If the interrupt takes too long, the perf framework
will lower the sysctl_perf_event_sample_rate and max_samples_per_tick.
When hwc->interrupts is larger than max_samples_per_tick, the
hwc->interrupts will be set to MAX_INTERRUPTS, and events will be
throttled within the __perf_event_account_interrupt() function.
However, the RISC-V PMU driver doesn't call riscv_pmu_stop() to update the
PERF_HES_STOPPED flag after perf_event_overflow() in pmu_sbi_ovf_handler()
function to avoid throttling. When the perf framework unthrottled the event
in the timer interrupt handler, it triggers riscv_pmu_start() function
and causes a WARN_ON_ONCE() warning, as shown below:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 240 at drivers/perf/riscv_pmu.c:184 riscv_pmu_start+0x7c/0x8e
Modules linked in:
CPU: 0 PID: 240 Comm: ls Not tainted 6.4-rc4-g19d0788e9ef2 #1
Hardware name: SiFive (DT)
epc : riscv_pmu_start+0x7c/0x8e
ra : riscv_pmu_start+0x28/0x8e
epc : ffffffff80aef864 ra : ffffffff80aef810 sp : ffff8f80004db6f0
gp : ffffffff81c83750 tp : ffffaf80069f9bc0 t0 : ffff8f80004db6c0
t1 : 0000000000000000 t2 : 000000000000001f s0 : ffff8f80004db720
s1 : ffffaf8008ca1068 a0 : 0000ffffffffffff a1 : 0000000000000000
a2 : 0000000000000001 a3 : 0000000000000870 a4 : 0000000000000000
a5 : 0000000000000000 a6 : 0000000000000840 a7 : 0000000000000030
s2 : 0000000000000000 s3 : ffffaf8005165800 s4 : ffffaf800424da00
s5 : ffffffffffffffff s6 : ffffffff81cc7590 s7 : 0000000000000000
s8 : 0000000000000006 s9 : 0000000000000001 s10: ffffaf807efbc340
s11: ffffaf807efbbf00 t3 : ffffaf8006a16028 t4 : 00000000dbfbb796
t5 : 0000000700000000 t6 : ffffaf8005269870
status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff80aef864>] riscv_pmu_start+0x7c/0x8e
[<ffffffff80185b56>] perf_adjust_freq_unthr_context+0x15e/0x174
[<ffffffff80188642>] perf_event_task_tick+0x88/0x9c
[<ffffffff800626a8>] scheduler_tick+0xfe/0x27c
[<ffffffff800b5640>] update_process_times+0x9a/0xba
[<ffffffff800c5bd4>] tick_sched_handle+0x32/0x66
[<ffffffff800c5e0c>] tick_sched_timer+0x64/0xb0
[<ffffffff800b5e50>] __hrtimer_run_queues+0x156/0x2f4
[<ffffffff800b6bdc>] hrtimer_interrupt+0xe2/0x1fe
[<ffffffff80acc9e8>] riscv_timer_interrupt+0x38/0x42
[<ffffffff80090a16>] handle_percpu_devid_irq+0x90/0x1d2
[<ffffffff8008a9f4>] generic_handle_domain_irq+0x28/0x36
After referring other PMU drivers like Arm, Loongarch, Csky, and Mips,
they don't call *_pmu_stop() to update with PERF_HES_STOPPED flag
after perf_event_overflow() function nor do they add PERF_HES_STOPPED
flag checking in *_pmu_start() which don't cause this warning.
Thus, it's recommended to remove this unnecessary check in
riscv_pmu_start() function to prevent this warning.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/riscv_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aeb62beaf9cbd0a72e7f97c9af6d3e7f76ce2946",
"status": "affected",
"version": "096b52fd2bb4996fd68d22b3b7ad21a1296db9d3",
"versionType": "git"
},
{
"lessThan": "8270d539a943d00cf6a094da0073e2b5972b641d",
"status": "affected",
"version": "096b52fd2bb4996fd68d22b3b7ad21a1296db9d3",
"versionType": "git"
},
{
"lessThan": "66843b14fb71825fdd73ab12f6594f2243b402be",
"status": "affected",
"version": "096b52fd2bb4996fd68d22b3b7ad21a1296db9d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/riscv_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()\n\nSince commit 096b52fd2bb4 (\"perf: RISC-V: throttle perf events\") the\nperf_sample_event_took() function was added to report time spent in\noverflow interrupts. If the interrupt takes too long, the perf framework\nwill lower the sysctl_perf_event_sample_rate and max_samples_per_tick.\nWhen hwc-\u003einterrupts is larger than max_samples_per_tick, the\nhwc-\u003einterrupts will be set to MAX_INTERRUPTS, and events will be\nthrottled within the __perf_event_account_interrupt() function.\n\nHowever, the RISC-V PMU driver doesn\u0027t call riscv_pmu_stop() to update the\nPERF_HES_STOPPED flag after perf_event_overflow() in pmu_sbi_ovf_handler()\nfunction to avoid throttling. When the perf framework unthrottled the event\nin the timer interrupt handler, it triggers riscv_pmu_start() function\nand causes a WARN_ON_ONCE() warning, as shown below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 240 at drivers/perf/riscv_pmu.c:184 riscv_pmu_start+0x7c/0x8e\n Modules linked in:\n CPU: 0 PID: 240 Comm: ls Not tainted 6.4-rc4-g19d0788e9ef2 #1\n Hardware name: SiFive (DT)\n epc : riscv_pmu_start+0x7c/0x8e\n ra : riscv_pmu_start+0x28/0x8e\n epc : ffffffff80aef864 ra : ffffffff80aef810 sp : ffff8f80004db6f0\n gp : ffffffff81c83750 tp : ffffaf80069f9bc0 t0 : ffff8f80004db6c0\n t1 : 0000000000000000 t2 : 000000000000001f s0 : ffff8f80004db720\n s1 : ffffaf8008ca1068 a0 : 0000ffffffffffff a1 : 0000000000000000\n a2 : 0000000000000001 a3 : 0000000000000870 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : 0000000000000840 a7 : 0000000000000030\n s2 : 0000000000000000 s3 : ffffaf8005165800 s4 : ffffaf800424da00\n s5 : ffffffffffffffff s6 : ffffffff81cc7590 s7 : 0000000000000000\n s8 : 0000000000000006 s9 : 0000000000000001 s10: ffffaf807efbc340\n s11: ffffaf807efbbf00 t3 : ffffaf8006a16028 t4 : 00000000dbfbb796\n t5 : 0000000700000000 t6 : ffffaf8005269870\n status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n [\u003cffffffff80aef864\u003e] riscv_pmu_start+0x7c/0x8e\n [\u003cffffffff80185b56\u003e] perf_adjust_freq_unthr_context+0x15e/0x174\n [\u003cffffffff80188642\u003e] perf_event_task_tick+0x88/0x9c\n [\u003cffffffff800626a8\u003e] scheduler_tick+0xfe/0x27c\n [\u003cffffffff800b5640\u003e] update_process_times+0x9a/0xba\n [\u003cffffffff800c5bd4\u003e] tick_sched_handle+0x32/0x66\n [\u003cffffffff800c5e0c\u003e] tick_sched_timer+0x64/0xb0\n [\u003cffffffff800b5e50\u003e] __hrtimer_run_queues+0x156/0x2f4\n [\u003cffffffff800b6bdc\u003e] hrtimer_interrupt+0xe2/0x1fe\n [\u003cffffffff80acc9e8\u003e] riscv_timer_interrupt+0x38/0x42\n [\u003cffffffff80090a16\u003e] handle_percpu_devid_irq+0x90/0x1d2\n [\u003cffffffff8008a9f4\u003e] generic_handle_domain_irq+0x28/0x36\n\nAfter referring other PMU drivers like Arm, Loongarch, Csky, and Mips,\nthey don\u0027t call *_pmu_stop() to update with PERF_HES_STOPPED flag\nafter perf_event_overflow() function nor do they add PERF_HES_STOPPED\nflag checking in *_pmu_start() which don\u0027t cause this warning.\n\nThus, it\u0027s recommended to remove this unnecessary check in\nriscv_pmu_start() function to prevent this warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:59.154Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aeb62beaf9cbd0a72e7f97c9af6d3e7f76ce2946"
},
{
"url": "https://git.kernel.org/stable/c/8270d539a943d00cf6a094da0073e2b5972b641d"
},
{
"url": "https://git.kernel.org/stable/c/66843b14fb71825fdd73ab12f6594f2243b402be"
}
],
"title": "perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53583",
"datePublished": "2025-10-04T15:43:59.154Z",
"dateReserved": "2025-10-04T15:40:38.477Z",
"dateUpdated": "2025-10-04T15:43:59.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53501 (GCVE-0-2023-53501)
Vulnerability from cvelistv5
Published
2025-10-01 11:45
Modified
2025-10-01 11:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind
When unbinding pasid - a race condition exists vs outstanding page faults.
To prevent this, the pasid_state object contains a refcount.
* set to 1 on pasid bind
* incremented on each ppr notification start
* decremented on each ppr notification done
* decremented on pasid unbind
Since refcount_dec assumes that refcount will never reach 0:
the current implementation causes the following to be invoked on
pasid unbind:
REFCOUNT_WARN("decrement hit 0; leaking memory")
Fix this issue by changing refcount_dec to refcount_dec_and_test
to explicitly handle refcount=1.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a50d60b8f2aff46dd7c7edb4a5835cdc4d432c22",
"status": "affected",
"version": "8bc54824da4e8fcf0ed679cf09ac32f23d83254a",
"versionType": "git"
},
{
"lessThan": "13ed255248dfbbb7f23f9170c7a537fb9ca22c73",
"status": "affected",
"version": "8bc54824da4e8fcf0ed679cf09ac32f23d83254a",
"versionType": "git"
},
{
"lessThan": "9ccc51be3126b25cfe9351dbffde946c925cc28a",
"status": "affected",
"version": "8bc54824da4e8fcf0ed679cf09ac32f23d83254a",
"versionType": "git"
},
{
"lessThan": "98d86bf32187db27946ca817c2467a5f2f7aa02f",
"status": "affected",
"version": "8bc54824da4e8fcf0ed679cf09ac32f23d83254a",
"versionType": "git"
},
{
"lessThan": "534103bcd52ca9c1fecbc70e717b4a538dc4ded8",
"status": "affected",
"version": "8bc54824da4e8fcf0ed679cf09ac32f23d83254a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/iommu_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind\n\nWhen unbinding pasid - a race condition exists vs outstanding page faults.\n\nTo prevent this, the pasid_state object contains a refcount.\n * set to 1 on pasid bind\n * incremented on each ppr notification start\n * decremented on each ppr notification done\n * decremented on pasid unbind\n\nSince refcount_dec assumes that refcount will never reach 0:\n the current implementation causes the following to be invoked on\n pasid unbind:\n REFCOUNT_WARN(\"decrement hit 0; leaking memory\")\n\nFix this issue by changing refcount_dec to refcount_dec_and_test\nto explicitly handle refcount=1."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:45:52.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a50d60b8f2aff46dd7c7edb4a5835cdc4d432c22"
},
{
"url": "https://git.kernel.org/stable/c/13ed255248dfbbb7f23f9170c7a537fb9ca22c73"
},
{
"url": "https://git.kernel.org/stable/c/9ccc51be3126b25cfe9351dbffde946c925cc28a"
},
{
"url": "https://git.kernel.org/stable/c/98d86bf32187db27946ca817c2467a5f2f7aa02f"
},
{
"url": "https://git.kernel.org/stable/c/534103bcd52ca9c1fecbc70e717b4a538dc4ded8"
}
],
"title": "iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53501",
"datePublished": "2025-10-01T11:45:52.204Z",
"dateReserved": "2025-10-01T11:39:39.404Z",
"dateUpdated": "2025-10-01T11:45:52.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53667 (GCVE-0-2023-53667)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
the calculated "min" value, but greater than zero, the logic sets
tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
cdc_ncm_fill_tx_frame() where all the data is handled.
For small values of dwNtbOutMaxSize the memory allocated during
alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
how size is aligned at alloc time:
size = SKB_DATA_ALIGN(size);
size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
Thus we hit the same bug that we tried to squash with
commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
Low values of dwNtbOutMaxSize do not cause an issue presently because at
alloc_skb() time more memory (512b) is allocated than required for the
SKB headers alone (320b), leaving some space (512b - 320b = 192b)
for CDC data (172b).
However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).
Consequently the SKB bounds checking semantics fails and panics:
skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
[snip]
Call Trace:
<TASK>
skb_put+0x151/0x210 net/core/skbuff.c:2047
skb_put_zero include/linux/skbuff.h:2422 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
cdc_ncm_tx_fixup+0xa3/0x100
Deal with too low values of dwNtbOutMaxSize, clamp it in the range
[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
enough data space is allocated to handle CDC data by making sure
dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 Version: 289507d3364f96f4b8814726917d572f71350d87 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2334ff0b343ba6ba7a6c0586fcc83992bbbc1776",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "bf415bfe7573596ac213b4fd1da9e62cfc9a9413",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "ff484163dfb61b58f23e4dbd007de1094427669c",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "42b78c8cc774b47023d6d16d96d54cc7015e4a07",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "9be921854e983a81a0aeeae5febcd87093086e46",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "6147745d43ff4e0d2c542e5b93e398ef0ee4db00",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "72d0240b0ee4794efc683975c213e4b384fea733",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
},
{
"lessThan": "7e01c7f7046efc2c7c192c3619db43292b98e997",
"status": "affected",
"version": "289507d3364f96f4b8814726917d572f71350d87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.317",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.285",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.245",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say \u0027struct skb_shared_info\u0027,\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:\u003cNULL\u003e\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n \u003cTASK\u003e\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:25.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"
},
{
"url": "https://git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413"
},
{
"url": "https://git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669c"
},
{
"url": "https://git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07"
},
{
"url": "https://git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46"
},
{
"url": "https://git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00"
},
{
"url": "https://git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733"
},
{
"url": "https://git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997"
}
],
"title": "net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53667",
"datePublished": "2025-10-07T15:21:25.185Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2025-10-07T15:21:25.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53377 (GCVE-0-2023-53377)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-18 13:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent use-after-free by freeing the cfile later
In smb2_compound_op we have a possible use-after-free
which can cause hard to debug problems later on.
This was revealed during stress testing with KASAN enabled
kernel. Fixing it by moving the cfile free call to
a few lines below, after the usage.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fe07d55a5461e66a55fbefb57f85ff0facea32b",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "b6353518ef8180816e863aa23b06456f395404d6",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "d017880782cf71f8820ee4a2002843893176501d",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"lessThan": "33f736187d08f6bc822117629f263b97d3df4165",
"status": "affected",
"version": "76894f3e2f71177747b8b4763fb180e800279585",
"versionType": "git"
},
{
"status": "affected",
"version": "2d046892a493d9760c35fdaefc3017f27f91b621",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent use-after-free by freeing the cfile later\n\nIn smb2_compound_op we have a possible use-after-free\nwhich can cause hard to debug problems later on.\n\nThis was revealed during stress testing with KASAN enabled\nkernel. Fixing it by moving the cfile free call to\na few lines below, after the usage."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:33:23.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fe07d55a5461e66a55fbefb57f85ff0facea32b"
},
{
"url": "https://git.kernel.org/stable/c/b6353518ef8180816e863aa23b06456f395404d6"
},
{
"url": "https://git.kernel.org/stable/c/d017880782cf71f8820ee4a2002843893176501d"
},
{
"url": "https://git.kernel.org/stable/c/33f736187d08f6bc822117629f263b97d3df4165"
}
],
"title": "cifs: prevent use-after-free by freeing the cfile later",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53377",
"datePublished": "2025-09-18T13:33:23.162Z",
"dateReserved": "2025-09-17T14:54:09.735Z",
"dateUpdated": "2025-09-18T13:33:23.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38706 (GCVE-0-2025-38706)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will
leads to null pointer dereference.
This was reproduced with topology loading and marking a link as ignore
due to missing hardware component on the system.
On module removal the soc_tplg_remove_link() would call
snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,
no runtime was created.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:36.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b465bedc2b417fd27c1d1ab7122882b4b60b1a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f8fc03712194fd4e2df28af7f7f7a38205934ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41f53afe53a57a7c50323f99424b598190acf192",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fce20decc6a83f16dd73744150c4e7ea6c97c21",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cecc65827ef3df9754e097582d89569139e6cd1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d91cb261cac6d885954b8f5da28b5c176c18131",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\n\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\nleads to null pointer dereference.\nThis was reproduced with topology loading and marking a link as ignore\ndue to missing hardware component on the system.\nOn module removal the soc_tplg_remove_link() would call\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\nno runtime was created."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:26.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b465bedc2b417fd27c1d1ab7122882b4b60b1a0"
},
{
"url": "https://git.kernel.org/stable/c/82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94"
},
{
"url": "https://git.kernel.org/stable/c/7f8fc03712194fd4e2df28af7f7f7a38205934ef"
},
{
"url": "https://git.kernel.org/stable/c/41f53afe53a57a7c50323f99424b598190acf192"
},
{
"url": "https://git.kernel.org/stable/c/2fce20decc6a83f16dd73744150c4e7ea6c97c21"
},
{
"url": "https://git.kernel.org/stable/c/cecc65827ef3df9754e097582d89569139e6cd1e"
},
{
"url": "https://git.kernel.org/stable/c/7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e"
},
{
"url": "https://git.kernel.org/stable/c/2d91cb261cac6d885954b8f5da28b5c176c18131"
}
],
"title": "ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38706",
"datePublished": "2025-09-04T15:32:57.456Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:36.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38552 (GCVE-0-2025-38552)
Vulnerability from cvelistv5
Published
2025-08-16 11:34
Modified
2025-11-03 17:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: plug races between subflow fail and subflow creation
We have races similar to the one addressed by the previous patch between
subflow failing and additional subflow creation. They are just harder to
trigger.
The solution is similar. Use a separate flag to track the condition
'socket state prevent any additional subflow creation' protected by the
fallback lock.
The socket fallback makes such flag true, and also receiving or sending
an MP_FAIL option.
The field 'allow_infinite_fallback' is now always touched under the
relevant lock, we can drop the ONCE annotation on write.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:44.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c",
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c476d627584b7589a134a8b48dd5c6639e4401c5",
"status": "affected",
"version": "478d770008b03ed9d74bdc8add2315b7fd124ecc",
"versionType": "git"
},
{
"lessThan": "7c96d519ee15a130842a6513530b4d20acd2bfcd",
"status": "affected",
"version": "478d770008b03ed9d74bdc8add2315b7fd124ecc",
"versionType": "git"
},
{
"lessThan": "f81b6fbe13c7fc413b5158cdffc6a59391a2a8db",
"status": "affected",
"version": "478d770008b03ed9d74bdc8add2315b7fd124ecc",
"versionType": "git"
},
{
"lessThan": "659da22dee5ff316ba63bdaeeac7b58b5442f6c2",
"status": "affected",
"version": "478d770008b03ed9d74bdc8add2315b7fd124ecc",
"versionType": "git"
},
{
"lessThan": "def5b7b2643ebba696fc60ddf675dca13f073486",
"status": "affected",
"version": "478d770008b03ed9d74bdc8add2315b7fd124ecc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c",
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: plug races between subflow fail and subflow creation\n\nWe have races similar to the one addressed by the previous patch between\nsubflow failing and additional subflow creation. They are just harder to\ntrigger.\n\nThe solution is similar. Use a separate flag to track the condition\n\u0027socket state prevent any additional subflow creation\u0027 protected by the\nfallback lock.\n\nThe socket fallback makes such flag true, and also receiving or sending\nan MP_FAIL option.\n\nThe field \u0027allow_infinite_fallback\u0027 is now always touched under the\nrelevant lock, we can drop the ONCE annotation on write."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:44.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c476d627584b7589a134a8b48dd5c6639e4401c5"
},
{
"url": "https://git.kernel.org/stable/c/7c96d519ee15a130842a6513530b4d20acd2bfcd"
},
{
"url": "https://git.kernel.org/stable/c/f81b6fbe13c7fc413b5158cdffc6a59391a2a8db"
},
{
"url": "https://git.kernel.org/stable/c/659da22dee5ff316ba63bdaeeac7b58b5442f6c2"
},
{
"url": "https://git.kernel.org/stable/c/def5b7b2643ebba696fc60ddf675dca13f073486"
}
],
"title": "mptcp: plug races between subflow fail and subflow creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38552",
"datePublished": "2025-08-16T11:34:20.455Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-11-03T17:39:44.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53205 (GCVE-0-2023-53205)
Vulnerability from cvelistv5
Published
2025-09-15 14:21
Modified
2025-09-15 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
We do check for target CPU == -1, but this might change at the time we
are going to use it. Hold the physical target CPU in a local variable to
avoid out-of-bound accesses to the cpu arrays.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/kvm/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9ccf140a2a03a0ae82be4bdfbdd17bdaea72ff5",
"status": "affected",
"version": "87e28a15c42cc592009c32a8c20e5789059027c2",
"versionType": "git"
},
{
"lessThan": "86bfb18bad60fc468e5f112cbbd918462a8dd435",
"status": "affected",
"version": "87e28a15c42cc592009c32a8c20e5789059027c2",
"versionType": "git"
},
{
"lessThan": "dc7e0192c470a53d847c79a2796f9ac429477a26",
"status": "affected",
"version": "87e28a15c42cc592009c32a8c20e5789059027c2",
"versionType": "git"
},
{
"lessThan": "0bc380beb78aa352eadbc21d934dd9606fcee808",
"status": "affected",
"version": "87e28a15c42cc592009c32a8c20e5789059027c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/kvm/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390/diag: fix racy access of physical cpu number in diag 9c handler\n\nWe do check for target CPU == -1, but this might change at the time we\nare going to use it. Hold the physical target CPU in a local variable to\navoid out-of-bound accesses to the cpu arrays."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:21:33.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9ccf140a2a03a0ae82be4bdfbdd17bdaea72ff5"
},
{
"url": "https://git.kernel.org/stable/c/86bfb18bad60fc468e5f112cbbd918462a8dd435"
},
{
"url": "https://git.kernel.org/stable/c/dc7e0192c470a53d847c79a2796f9ac429477a26"
},
{
"url": "https://git.kernel.org/stable/c/0bc380beb78aa352eadbc21d934dd9606fcee808"
}
],
"title": "KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53205",
"datePublished": "2025-09-15T14:21:33.560Z",
"dateReserved": "2025-09-15T13:59:19.068Z",
"dateUpdated": "2025-09-15T14:21:33.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53446 (GCVE-0-2023-53446)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
Struct pcie_link_state->downstream is a pointer to the pci_dev of function
0. Previously we retained that pointer when removing function 0, and
subsequent ASPM policy changes dereferenced it, resulting in a
use-after-free warning from KASAN, e.g.:
# echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove
# echo powersave > /sys/module/pcie_aspm/parameters/policy
BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500
Call Trace:
kasan_report+0xae/0xe0
pcie_config_aspm_link+0x42d/0x500
pcie_aspm_set_policy+0x8e/0x1a0
param_attr_store+0x162/0x2c0
module_attr_store+0x3e/0x80
PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM
Control value in all functions of multi-function devices.
Disable ASPM and free the pcie_link_state when any child function is
removed so we can discard the dangling pcie_link_state->downstream pointer
and maintain the same ASPM Control configuration for all functions.
[bhelgaas: commit log and comment]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 Version: b5a0a9b59c8185aebcd9a717e2e6258b58c72c06 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/pcie/aspm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "666e7f9d60cee23077ea3e6331f6f8a19f7ea03f",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "7badf4d6f49a358a01ab072bbff88d3ee886c33b",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "9856c0de49052174ab474113f4ba40c02aaee086",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "7aecdd47910c51707696e8b0e045b9f88bd4230f",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "d51d2eeae4ce54d542909c4d9d07bf371a78592c",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "4203722d51afe3d239e03f15cc73efdf023a7103",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
},
{
"lessThan": "456d8aa37d0f56fc9e985e812496e861dcd6f2f2",
"status": "affected",
"version": "b5a0a9b59c8185aebcd9a717e2e6258b58c72c06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/pcie/aspm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free\n\nStruct pcie_link_state-\u003edownstream is a pointer to the pci_dev of function\n0. Previously we retained that pointer when removing function 0, and\nsubsequent ASPM policy changes dereferenced it, resulting in a\nuse-after-free warning from KASAN, e.g.:\n\n # echo 1 \u003e /sys/bus/pci/devices/0000:03:00.0/remove\n # echo powersave \u003e /sys/module/pcie_aspm/parameters/policy\n\n BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500\n Call Trace:\n kasan_report+0xae/0xe0\n pcie_config_aspm_link+0x42d/0x500\n pcie_aspm_set_policy+0x8e/0x1a0\n param_attr_store+0x162/0x2c0\n module_attr_store+0x3e/0x80\n\nPCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM\nControl value in all functions of multi-function devices.\n\nDisable ASPM and free the pcie_link_state when any child function is\nremoved so we can discard the dangling pcie_link_state-\u003edownstream pointer\nand maintain the same ASPM Control configuration for all functions.\n\n[bhelgaas: commit log and comment]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:21.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/666e7f9d60cee23077ea3e6331f6f8a19f7ea03f"
},
{
"url": "https://git.kernel.org/stable/c/7badf4d6f49a358a01ab072bbff88d3ee886c33b"
},
{
"url": "https://git.kernel.org/stable/c/9856c0de49052174ab474113f4ba40c02aaee086"
},
{
"url": "https://git.kernel.org/stable/c/7aecdd47910c51707696e8b0e045b9f88bd4230f"
},
{
"url": "https://git.kernel.org/stable/c/d51d2eeae4ce54d542909c4d9d07bf371a78592c"
},
{
"url": "https://git.kernel.org/stable/c/4203722d51afe3d239e03f15cc73efdf023a7103"
},
{
"url": "https://git.kernel.org/stable/c/456d8aa37d0f56fc9e985e812496e861dcd6f2f2"
}
],
"title": "PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53446",
"datePublished": "2025-09-18T16:04:21.939Z",
"dateReserved": "2025-09-17T14:54:09.753Z",
"dateUpdated": "2025-09-18T16:04:21.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40078 (GCVE-0-2025-40078)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-29 13:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Explicitly check accesses to bpf_sock_addr
Syzkaller found a kernel warning on the following sock_addr program:
0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit
which triggers:
verifier bug: error during ctx access conversion (0)
This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.
This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.
I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de44cdc50d2dce8718cb57deddf9cf1be9a7759f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "76e04bbb4296fb6eac084dbfc27e02ccc744db3e",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "4f00858cd9bbbdf67159e28b85a8ca9e77c83622",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "cdeafacb4f9ff261a96baef519e29480fd7b1019",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "fe9d33f0470350558cb08cecb54cf2267b3a45d2",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6fabca2fc94d33cdf7ec102058983b086293395f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Explicitly check accesses to bpf_sock_addr\n\nSyzkaller found a kernel warning on the following sock_addr program:\n\n 0: r0 = 0\n 1: r2 = *(u32 *)(r1 +60)\n 2: exit\n\nwhich triggers:\n\n verifier bug: error during ctx access conversion (0)\n\nThis is happening because offset 60 in bpf_sock_addr corresponds to an\nimplicit padding of 4 bytes, right after msg_src_ip4. Access to this\npadding isn\u0027t rejected in sock_addr_is_valid_access and it thus later\nfails to convert the access.\n\nThis patch fixes it by explicitly checking the various fields of\nbpf_sock_addr in sock_addr_is_valid_access.\n\nI checked the other ctx structures and is_valid_access functions and\ndidn\u0027t find any other similar cases. Other cases of (properly handled)\npadding are covered in new tests in a subsequent patch."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:59.525Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de44cdc50d2dce8718cb57deddf9cf1be9a7759f"
},
{
"url": "https://git.kernel.org/stable/c/76e04bbb4296fb6eac084dbfc27e02ccc744db3e"
},
{
"url": "https://git.kernel.org/stable/c/6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec"
},
{
"url": "https://git.kernel.org/stable/c/4f00858cd9bbbdf67159e28b85a8ca9e77c83622"
},
{
"url": "https://git.kernel.org/stable/c/cdeafacb4f9ff261a96baef519e29480fd7b1019"
},
{
"url": "https://git.kernel.org/stable/c/fe9d33f0470350558cb08cecb54cf2267b3a45d2"
},
{
"url": "https://git.kernel.org/stable/c/ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69"
},
{
"url": "https://git.kernel.org/stable/c/6fabca2fc94d33cdf7ec102058983b086293395f"
}
],
"title": "bpf: Explicitly check accesses to bpf_sock_addr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40078",
"datePublished": "2025-10-28T11:48:43.548Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-10-29T13:19:59.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57893 (GCVE-0-2024-57893)
Vulnerability from cvelistv5
Published
2025-01-15 13:05
Modified
2025-11-03 20:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: seq: oss: Fix races at processing SysEx messages
OSS sequencer handles the SysEx messages split in 6 bytes packets, and
ALSA sequencer OSS layer tries to combine those. It stores the data
in the internal buffer and this access is racy as of now, which may
lead to the out-of-bounds access.
As a temporary band-aid fix, introduce a mutex for serializing the
process of the SysEx message packets.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:55:07.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/seq/oss/seq_oss_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cff1de87ed14fc0f2332213d2367100e7ad0753a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2392b79d8af3714ea8878b71c66dc49d3110f44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d382112b36382aa65aad765f189ebde9926c101",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0179488ca992d79908b8e26b9213f1554fc5bacc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/seq/oss/seq_oss_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: oss: Fix races at processing SysEx messages\n\nOSS sequencer handles the SysEx messages split in 6 bytes packets, and\nALSA sequencer OSS layer tries to combine those. It stores the data\nin the internal buffer and this access is racy as of now, which may\nlead to the out-of-bounds access.\n\nAs a temporary band-aid fix, introduce a mutex for serializing the\nprocess of the SysEx message packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:06:04.133Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cff1de87ed14fc0f2332213d2367100e7ad0753a"
},
{
"url": "https://git.kernel.org/stable/c/d2392b79d8af3714ea8878b71c66dc49d3110f44"
},
{
"url": "https://git.kernel.org/stable/c/9d382112b36382aa65aad765f189ebde9926c101"
},
{
"url": "https://git.kernel.org/stable/c/0179488ca992d79908b8e26b9213f1554fc5bacc"
}
],
"title": "ALSA: seq: oss: Fix races at processing SysEx messages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57893",
"datePublished": "2025-01-15T13:05:45.550Z",
"dateReserved": "2025-01-11T14:45:42.028Z",
"dateUpdated": "2025-11-03T20:55:07.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49053 (GCVE-0-2022-49053)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcmu: Fix possible page UAF
tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
take refcount properly and just returns page pointer. When
tcmu_try_get_data_page() returns, the returned page may have been freed by
tcmu_blocks_release().
We need to get_page() under cmdr_lock to avoid concurrent
tcmu_blocks_release().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:25.641949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7c5d79e50be6e06b669141e3db1f977a0dd4e8e",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "fb7a5115422fbd6a4d505e8844f1ef5529f10489",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "aec36b98a1bbaa84bfd8299a306e4c12314af626",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a9564d84ed9f6ee71017d062d0d2182154294a4b",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a6968f7a367f128d120447360734344d5a3d5336",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcmu: Fix possible page UAF\n\ntcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not\ntake refcount properly and just returns page pointer. When\ntcmu_try_get_data_page() returns, the returned page may have been freed by\ntcmu_blocks_release().\n\nWe need to get_page() under cmdr_lock to avoid concurrent\ntcmu_blocks_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:03.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e"
},
{
"url": "https://git.kernel.org/stable/c/e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed"
},
{
"url": "https://git.kernel.org/stable/c/fb7a5115422fbd6a4d505e8844f1ef5529f10489"
},
{
"url": "https://git.kernel.org/stable/c/aec36b98a1bbaa84bfd8299a306e4c12314af626"
},
{
"url": "https://git.kernel.org/stable/c/b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322"
},
{
"url": "https://git.kernel.org/stable/c/a9564d84ed9f6ee71017d062d0d2182154294a4b"
},
{
"url": "https://git.kernel.org/stable/c/a6968f7a367f128d120447360734344d5a3d5336"
}
],
"title": "scsi: target: tcmu: Fix possible page UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49053",
"datePublished": "2025-02-26T01:54:26.806Z",
"dateReserved": "2025-02-26T01:49:39.242Z",
"dateUpdated": "2025-05-21T08:44:03.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56600 (GCVE-0-2024-56600)
Vulnerability from cvelistv5
Published
2024-12-27 14:51
Modified
2025-11-03 20:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: inet6: do not leave a dangling sk pointer in inet6_create()
sock_init_data() attaches the allocated sk pointer to the provided sock
object. If inet6_create() fails later, the sk object is released, but the
sock object retains the dangling sk pointer, which may cause use-after-free
later.
Clear the sock sk pointer on error.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:42:30.859070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:24.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:50:38.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/af_inet6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2709d1271cfdf55c670ab5c5982139ab627ddc7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35360255ca30776dee34d9fa764cffa24d0a5f65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "276a473c956fb55a6f3affa9ff232e10fffa7b43",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79e16a0d339532ea832d85798eb036fc4f9e0cea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "706b07b7b37f886423846cb38919132090bc40da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f44fceb71d72d29fb00e0ac84cdf9c081b03cd06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9df99c395d0f55fb444ef39f4d6f194ca437d884",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/af_inet6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: inet6: do not leave a dangling sk pointer in inet6_create()\n\nsock_init_data() attaches the allocated sk pointer to the provided sock\nobject. If inet6_create() fails later, the sk object is released, but the\nsock object retains the dangling sk pointer, which may cause use-after-free\nlater.\n\nClear the sock sk pointer on error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T09:13:41.087Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2709d1271cfdf55c670ab5c5982139ab627ddc7"
},
{
"url": "https://git.kernel.org/stable/c/35360255ca30776dee34d9fa764cffa24d0a5f65"
},
{
"url": "https://git.kernel.org/stable/c/276a473c956fb55a6f3affa9ff232e10fffa7b43"
},
{
"url": "https://git.kernel.org/stable/c/79e16a0d339532ea832d85798eb036fc4f9e0cea"
},
{
"url": "https://git.kernel.org/stable/c/706b07b7b37f886423846cb38919132090bc40da"
},
{
"url": "https://git.kernel.org/stable/c/f44fceb71d72d29fb00e0ac84cdf9c081b03cd06"
},
{
"url": "https://git.kernel.org/stable/c/9df99c395d0f55fb444ef39f4d6f194ca437d884"
}
],
"title": "net: inet6: do not leave a dangling sk pointer in inet6_create()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56600",
"datePublished": "2024-12-27T14:51:06.610Z",
"dateReserved": "2024-12-27T14:03:06.011Z",
"dateUpdated": "2025-11-03T20:50:38.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50519 (GCVE-0-2022-50519)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
If creation or finalization of a checkpoint fails due to anomalies in the
checkpoint metadata on disk, a kernel warning is generated.
This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted
with panic_on_warn, does not panic. A nilfs_error is appropriate here to
handle the abnormal filesystem condition.
This also replaces the detected error codes with an I/O error so that
neither of the internal error codes is returned to callers.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b63026b5e13040cd5afa11769dd0d9e1504b031a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae16440c44ae2acda6d72aff9d74eccf8967dae5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf98be80cbe3b4e6c86c36ed00457389aca3eb15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "259c0f68168ac6a598db3486597b10e74d625db0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a18fdc5ae8e6d7ac33c6ee0a2e5f9f1414ef412",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0c3d3d3ea41cb5228ee90568bb953f9a56c3227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "090fcfb6edeb9367a915b2749e2bd1f8b48d8898",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5c0776b5bc31de7cd28afb558fae37a20f33602e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "723ac751208f6d6540191689cfbf6c77135a7a1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/segment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.218",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure\n\nIf creation or finalization of a checkpoint fails due to anomalies in the\ncheckpoint metadata on disk, a kernel warning is generated.\n\nThis patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted\nwith panic_on_warn, does not panic. A nilfs_error is appropriate here to\nhandle the abnormal filesystem condition.\n\nThis also replaces the detected error codes with an I/O error so that\nneither of the internal error codes is returned to callers."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:13.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b63026b5e13040cd5afa11769dd0d9e1504b031a"
},
{
"url": "https://git.kernel.org/stable/c/ae16440c44ae2acda6d72aff9d74eccf8967dae5"
},
{
"url": "https://git.kernel.org/stable/c/bf98be80cbe3b4e6c86c36ed00457389aca3eb15"
},
{
"url": "https://git.kernel.org/stable/c/259c0f68168ac6a598db3486597b10e74d625db0"
},
{
"url": "https://git.kernel.org/stable/c/8a18fdc5ae8e6d7ac33c6ee0a2e5f9f1414ef412"
},
{
"url": "https://git.kernel.org/stable/c/c0c3d3d3ea41cb5228ee90568bb953f9a56c3227"
},
{
"url": "https://git.kernel.org/stable/c/090fcfb6edeb9367a915b2749e2bd1f8b48d8898"
},
{
"url": "https://git.kernel.org/stable/c/5c0776b5bc31de7cd28afb558fae37a20f33602e"
},
{
"url": "https://git.kernel.org/stable/c/723ac751208f6d6540191689cfbf6c77135a7a1b"
}
],
"title": "nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50519",
"datePublished": "2025-10-07T15:19:13.844Z",
"dateReserved": "2025-10-07T15:15:38.662Z",
"dateUpdated": "2025-10-07T15:19:13.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53594 (GCVE-0-2023-53594)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: fix resource leak in device_add()
When calling kobject_add() failed in device_add(), it will call
cleanup_glue_dir() to free resource. But in kobject_add(),
dev->kobj.parent has been set to NULL. This will cause resource leak.
The process is as follows:
device_add()
get_device_parent()
class_dir_create_and_add()
kobject_add() //kobject_get()
...
dev->kobj.parent = kobj;
...
kobject_add() //failed, but set dev->kobj.parent = NULL
...
glue_dir = get_glue_dir(dev) //glue_dir = NULL, and goto
//"Error" label
...
cleanup_glue_dir() //becaues glue_dir is NULL, not call
//kobject_put()
The preceding problem may cause insmod mac80211_hwsim.ko to failed.
sysfs: cannot create duplicate filename '/devices/virtual/mac80211_hwsim'
Call Trace:
<TASK>
dump_stack_lvl+0x8e/0xd1
sysfs_warn_dup.cold+0x1c/0x29
sysfs_create_dir_ns+0x224/0x280
kobject_add_internal+0x2aa/0x880
kobject_add+0x135/0x1a0
get_device_parent+0x3d7/0x590
device_add+0x2aa/0x1cb0
device_create_groups_vargs+0x1eb/0x260
device_create+0xdc/0x110
mac80211_hwsim_new_radio+0x31e/0x4790 [mac80211_hwsim]
init_mac80211_hwsim+0x48d/0x1000 [mac80211_hwsim]
do_one_initcall+0x10f/0x630
do_init_module+0x19f/0x5e0
load_module+0x64b7/0x6eb0
__do_sys_finit_module+0x140/0x200
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
kobject_add_internal failed for mac80211_hwsim with -EEXIST, don't try to
register things with the same name in the same directory.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cebf8fd16900fdfd58c0028617944f808f97fe50 Version: cebf8fd16900fdfd58c0028617944f808f97fe50 Version: cebf8fd16900fdfd58c0028617944f808f97fe50 Version: cebf8fd16900fdfd58c0028617944f808f97fe50 Version: e7f6e3c9db4b6f259c89fd05728d024ab32acd71 Version: a93a63333dbdb182b87e8cc99df8b4474f867acb Version: 37de955c11b59050346e530143c20b10b4846527 Version: 645897231f960590220144b06d1f994b7eb88326 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d389e363075c2e1deb84a560686ea92123e4b8b",
"status": "affected",
"version": "cebf8fd16900fdfd58c0028617944f808f97fe50",
"versionType": "git"
},
{
"lessThan": "d1dbff10c6cd3b43457f3efd3c9c4950009635bf",
"status": "affected",
"version": "cebf8fd16900fdfd58c0028617944f808f97fe50",
"versionType": "git"
},
{
"lessThan": "f39d21154db87545d8f0b25d13c326f37cc32239",
"status": "affected",
"version": "cebf8fd16900fdfd58c0028617944f808f97fe50",
"versionType": "git"
},
{
"lessThan": "6977b1a5d67097eaa4d02b0c126c04cc6e8917c0",
"status": "affected",
"version": "cebf8fd16900fdfd58c0028617944f808f97fe50",
"versionType": "git"
},
{
"status": "affected",
"version": "e7f6e3c9db4b6f259c89fd05728d024ab32acd71",
"versionType": "git"
},
{
"status": "affected",
"version": "a93a63333dbdb182b87e8cc99df8b4474f867acb",
"versionType": "git"
},
{
"status": "affected",
"version": "37de955c11b59050346e530143c20b10b4846527",
"versionType": "git"
},
{
"status": "affected",
"version": "645897231f960590220144b06d1f994b7eb88326",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix resource leak in device_add()\n\nWhen calling kobject_add() failed in device_add(), it will call\ncleanup_glue_dir() to free resource. But in kobject_add(),\ndev-\u003ekobj.parent has been set to NULL. This will cause resource leak.\n\nThe process is as follows:\ndevice_add()\n\tget_device_parent()\n\t\tclass_dir_create_and_add()\n\t\t\tkobject_add()\t\t//kobject_get()\n\t...\n\tdev-\u003ekobj.parent = kobj;\n\t...\n\tkobject_add()\t\t//failed, but set dev-\u003ekobj.parent = NULL\n\t...\n\tglue_dir = get_glue_dir(dev)\t//glue_dir = NULL, and goto\n\t\t\t\t\t//\"Error\" label\n\t...\n\tcleanup_glue_dir()\t//becaues glue_dir is NULL, not call\n\t\t\t\t//kobject_put()\n\nThe preceding problem may cause insmod mac80211_hwsim.ko to failed.\nsysfs: cannot create duplicate filename \u0027/devices/virtual/mac80211_hwsim\u0027\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x8e/0xd1\nsysfs_warn_dup.cold+0x1c/0x29\nsysfs_create_dir_ns+0x224/0x280\nkobject_add_internal+0x2aa/0x880\nkobject_add+0x135/0x1a0\nget_device_parent+0x3d7/0x590\ndevice_add+0x2aa/0x1cb0\ndevice_create_groups_vargs+0x1eb/0x260\ndevice_create+0xdc/0x110\nmac80211_hwsim_new_radio+0x31e/0x4790 [mac80211_hwsim]\ninit_mac80211_hwsim+0x48d/0x1000 [mac80211_hwsim]\ndo_one_initcall+0x10f/0x630\ndo_init_module+0x19f/0x5e0\nload_module+0x64b7/0x6eb0\n__do_sys_finit_module+0x140/0x200\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\u003c/TASK\u003e\nkobject_add_internal failed for mac80211_hwsim with -EEXIST, don\u0027t try to\nregister things with the same name in the same directory."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:07.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d389e363075c2e1deb84a560686ea92123e4b8b"
},
{
"url": "https://git.kernel.org/stable/c/d1dbff10c6cd3b43457f3efd3c9c4950009635bf"
},
{
"url": "https://git.kernel.org/stable/c/f39d21154db87545d8f0b25d13c326f37cc32239"
},
{
"url": "https://git.kernel.org/stable/c/6977b1a5d67097eaa4d02b0c126c04cc6e8917c0"
}
],
"title": "driver core: fix resource leak in device_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53594",
"datePublished": "2025-10-04T15:44:07.533Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:07.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39721 (GCVE-0-2025-39721)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-09-29 05:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - flush misc workqueue during device shutdown
Repeated loading and unloading of a device specific QAT driver, for
example qat_4xxx, in a tight loop can lead to a crash due to a
use-after-free scenario. This occurs when a power management (PM)
interrupt triggers just before the device-specific driver (e.g.,
qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
loaded.
Since the driver uses a shared workqueue (`qat_misc_wq`) across all
devices and owned by intel_qat.ko, a deferred routine from the
device-specific driver may still be pending in the queue. If this
routine executes after the driver is unloaded, it can dereference freed
memory, resulting in a page fault and kernel crash like the following:
BUG: unable to handle page fault for address: ffa000002e50a01c
#PF: supervisor read access in kernel mode
RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
Call Trace:
pm_bh_handler+0x1d2/0x250 [intel_qat]
process_one_work+0x171/0x340
worker_thread+0x277/0x3a0
kthread+0xf0/0x120
ret_from_fork+0x2d/0x50
To prevent this, flush the misc workqueue during device shutdown to
ensure that all pending work items are completed before the driver is
unloaded.
Note: This approach may slightly increase shutdown latency if the
workqueue contains jobs from other devices, but it ensures correctness
and stability.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_common_drv.h",
"drivers/crypto/intel/qat/qat_common/adf_init.c",
"drivers/crypto/intel/qat/qat_common/adf_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5858448a6c65d8ee3f8600570d3ce19febcb33be",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "fe546f5c50fc474daca6bee72caa7ab68a74c33d",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "e59a52e429e13df3feb34f4853a8e36d121ed937",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
},
{
"lessThan": "3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a",
"status": "affected",
"version": "e5745f34113b758b45d134dec04a7df94dc67131",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_common_drv.h",
"drivers/crypto/intel/qat/qat_common/adf_init.c",
"drivers/crypto/intel/qat/qat_common/adf_isr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - flush misc workqueue during device shutdown\n\nRepeated loading and unloading of a device specific QAT driver, for\nexample qat_4xxx, in a tight loop can lead to a crash due to a\nuse-after-free scenario. This occurs when a power management (PM)\ninterrupt triggers just before the device-specific driver (e.g.,\nqat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains\nloaded.\n\nSince the driver uses a shared workqueue (`qat_misc_wq`) across all\ndevices and owned by intel_qat.ko, a deferred routine from the\ndevice-specific driver may still be pending in the queue. If this\nroutine executes after the driver is unloaded, it can dereference freed\nmemory, resulting in a page fault and kernel crash like the following:\n\n BUG: unable to handle page fault for address: ffa000002e50a01c\n #PF: supervisor read access in kernel mode\n RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]\n Call Trace:\n pm_bh_handler+0x1d2/0x250 [intel_qat]\n process_one_work+0x171/0x340\n worker_thread+0x277/0x3a0\n kthread+0xf0/0x120\n ret_from_fork+0x2d/0x50\n\nTo prevent this, flush the misc workqueue during device shutdown to\nensure that all pending work items are completed before the driver is\nunloaded.\n\nNote: This approach may slightly increase shutdown latency if the\nworkqueue contains jobs from other devices, but it ensures correctness\nand stability."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:07.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5858448a6c65d8ee3f8600570d3ce19febcb33be"
},
{
"url": "https://git.kernel.org/stable/c/fe546f5c50fc474daca6bee72caa7ab68a74c33d"
},
{
"url": "https://git.kernel.org/stable/c/e59a52e429e13df3feb34f4853a8e36d121ed937"
},
{
"url": "https://git.kernel.org/stable/c/3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a"
}
],
"title": "crypto: qat - flush misc workqueue during device shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39721",
"datePublished": "2025-09-05T17:21:28.911Z",
"dateReserved": "2025-04-16T07:20:57.117Z",
"dateUpdated": "2025-09-29T05:58:07.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53451 (GCVE-0-2023-53451)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix potential NULL pointer dereference
Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
pointer before dereferencing the pointer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_iocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02405f4023866ae91a611b5b85cb2e074ec2de5a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee4c9a93238b9ce3703942500cb1aeacf77090d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f90a8b0481615622bd0558aa8cf361bea872045",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2bea9c1c983152c5411f5a2f1113cb790ce1389d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5a52a2e14fe866541bbc0033058e44bf0bf0c580",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce2cdbe530b0066bae1f98dbab590a232d507eaa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af7affc0f6b82a5bde430fc4f0dcf70963442fbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "464ea494a40c6e3e0e8f91dd325408aaf21515ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_iocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix potential NULL pointer dereference\n\nKlocwork tool reported \u0027cur_dsd\u0027 may be dereferenced. Add fix to validate\npointer before dereferencing the pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:22.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02405f4023866ae91a611b5b85cb2e074ec2de5a"
},
{
"url": "https://git.kernel.org/stable/c/ee4c9a93238b9ce3703942500cb1aeacf77090d2"
},
{
"url": "https://git.kernel.org/stable/c/4f90a8b0481615622bd0558aa8cf361bea872045"
},
{
"url": "https://git.kernel.org/stable/c/2bea9c1c983152c5411f5a2f1113cb790ce1389d"
},
{
"url": "https://git.kernel.org/stable/c/5a52a2e14fe866541bbc0033058e44bf0bf0c580"
},
{
"url": "https://git.kernel.org/stable/c/ce2cdbe530b0066bae1f98dbab590a232d507eaa"
},
{
"url": "https://git.kernel.org/stable/c/af7affc0f6b82a5bde430fc4f0dcf70963442fbc"
},
{
"url": "https://git.kernel.org/stable/c/464ea494a40c6e3e0e8f91dd325408aaf21515ba"
}
],
"title": "scsi: qla2xxx: Fix potential NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53451",
"datePublished": "2025-10-01T11:42:22.857Z",
"dateReserved": "2025-09-17T14:54:09.754Z",
"dateUpdated": "2025-10-01T11:42:22.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39751 (GCVE-0-2025-39751)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-06T09:54:34.568Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39751",
"datePublished": "2025-09-11T16:52:22.651Z",
"dateRejected": "2025-10-06T09:54:34.568Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-10-06T09:54:34.568Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39895 (GCVE-0-2025-39895)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched: Fix sched_numa_find_nth_cpu() if mask offline
sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'
CPU in sched_domains_numa_masks and given cpus mask. However they
might not intersect if all CPUs in the cpus mask are offline. bsearch
will return NULL in that case, bail out instead of dereferencing a
bogus pointer.
The previous behaviour lead to this bug when using maxcpus=4 on an
rk3399 (LLLLbb) (i.e. booting with all big CPUs offline):
[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000
[ 1.423635] Mem abort info:
[ 1.423889] ESR = 0x0000000096000006
[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1.424715] SET = 0, FnV = 0
[ 1.424995] EA = 0, S1PTW = 0
[ 1.425279] FSC = 0x06: level 2 translation fault
[ 1.425735] Data abort info:
[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000
[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000
[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP
[ 1.429525] Modules linked in:
[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT
[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488
[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488
[ 1.432543] sp : ffffffc084e1b960
[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0
[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378
[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff
[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7
[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372
[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860
[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000
[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68
[ 1.439332] Call trace:
[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)
[ 1.440016] smp_call_function_any+0xc8/0xd0
[ 1.440416] armv8_pmu_init+0x58/0x27c
[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c
[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8
[ 1.441603] armv8_pmu_device_probe+0x1c/0x28
[ 1.442007] platform_probe+0x5c/0xac
[ 1.442347] really_probe+0xbc/0x298
[ 1.442683] __driver_probe_device+0x78/0x12c
[ 1.443087] driver_probe_device+0xdc/0x160
[ 1.443475] __driver_attach+0x94/0x19c
[ 1.443833] bus_for_each_dev+0x74/0xd4
[ 1.444190] driver_attach+0x24/0x30
[ 1.444525] bus_add_driver+0xe4/0x208
[ 1.444874] driver_register+0x60/0x128
[ 1.445233] __platform_driver_register+0x24/0x30
[ 1.445662] armv8_pmu_driver_init+0x28/0x4c
[ 1.446059] do_one_initcall+0x44/0x25c
[ 1.446416] kernel_init_freeable+0x1dc/0x3bc
[ 1.446820] kernel_init+0x20/0x1d8
[ 1.447151] ret_from_fork+0x10/0x20
[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)
[ 1.448040] ---[ end trace 0000000000000000 ]---
[ 1.448483] note: swapper/0[1] exited with preempt_count 1
[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 1.449741] SMP: stopping secondary CPUs
[ 1.450105] Kernel Offset: disabled
[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b
[
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b3ec50cc5eb5ca84256ca701d28b137a6036c412",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b921c288cd8abef9af5b59e056a63cc2c263a9e3",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "5ebf512f335053a42482ebff91e46c6dc156bf8c",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix sched_numa_find_nth_cpu() if mask offline\n\nsched_numa_find_nth_cpu() uses a bsearch to look for the \u0027closest\u0027\nCPU in sched_domains_numa_masks and given cpus mask. However they\nmight not intersect if all CPUs in the cpus mask are offline. bsearch\nwill return NULL in that case, bail out instead of dereferencing a\nbogus pointer.\n\nThe previous behaviour lead to this bug when using maxcpus=4 on an\nrk3399 (LLLLbb) (i.e. booting with all big CPUs offline):\n\n[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000\n[ 1.423635] Mem abort info:\n[ 1.423889] ESR = 0x0000000096000006\n[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1.424715] SET = 0, FnV = 0\n[ 1.424995] EA = 0, S1PTW = 0\n[ 1.425279] FSC = 0x06: level 2 translation fault\n[ 1.425735] Data abort info:\n[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000\n[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000\n[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP\n[ 1.429525] Modules linked in:\n[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT\n[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)\n[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488\n[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488\n[ 1.432543] sp : ffffffc084e1b960\n[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0\n[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378\n[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff\n[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7\n[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372\n[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860\n[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000\n[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68\n[ 1.439332] Call trace:\n[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)\n[ 1.440016] smp_call_function_any+0xc8/0xd0\n[ 1.440416] armv8_pmu_init+0x58/0x27c\n[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c\n[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8\n[ 1.441603] armv8_pmu_device_probe+0x1c/0x28\n[ 1.442007] platform_probe+0x5c/0xac\n[ 1.442347] really_probe+0xbc/0x298\n[ 1.442683] __driver_probe_device+0x78/0x12c\n[ 1.443087] driver_probe_device+0xdc/0x160\n[ 1.443475] __driver_attach+0x94/0x19c\n[ 1.443833] bus_for_each_dev+0x74/0xd4\n[ 1.444190] driver_attach+0x24/0x30\n[ 1.444525] bus_add_driver+0xe4/0x208\n[ 1.444874] driver_register+0x60/0x128\n[ 1.445233] __platform_driver_register+0x24/0x30\n[ 1.445662] armv8_pmu_driver_init+0x28/0x4c\n[ 1.446059] do_one_initcall+0x44/0x25c\n[ 1.446416] kernel_init_freeable+0x1dc/0x3bc\n[ 1.446820] kernel_init+0x20/0x1d8\n[ 1.447151] ret_from_fork+0x10/0x20\n[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)\n[ 1.448040] ---[ end trace 0000000000000000 ]---\n[ 1.448483] note: swapper/0[1] exited with preempt_count 1\n[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 1.449741] SMP: stopping secondary CPUs\n[ 1.450105] Kernel Offset: disabled\n[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b\n[ \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:43.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc"
},
{
"url": "https://git.kernel.org/stable/c/b3ec50cc5eb5ca84256ca701d28b137a6036c412"
},
{
"url": "https://git.kernel.org/stable/c/b921c288cd8abef9af5b59e056a63cc2c263a9e3"
},
{
"url": "https://git.kernel.org/stable/c/5ebf512f335053a42482ebff91e46c6dc156bf8c"
}
],
"title": "sched: Fix sched_numa_find_nth_cpu() if mask offline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39895",
"datePublished": "2025-10-01T07:42:43.920Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:43.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53428 (GCVE-0-2023-53428)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powercap: arm_scmi: Remove recursion while parsing zones
Powercap zones can be defined as arranged in a hierarchy of trees and when
registering a zone with powercap_register_zone(), the kernel powercap
subsystem expects this to happen starting from the root zones down to the
leaves; on the other side, de-registration by powercap_deregister_zone()
must begin from the leaf zones.
Available SCMI powercap zones are retrieved dynamically from the platform
at probe time and, while any defined hierarchy between the zones is
described properly in the zones descriptor, the platform returns the
availables zones with no particular well-defined order: as a consequence,
the trees possibly composing the hierarchy of zones have to be somehow
walked properly to register the retrieved zones from the root.
Currently the ARM SCMI Powercap driver walks the zones using a recursive
algorithm; this approach, even though correct and tested can lead to kernel
stack overflow when processing a returned hierarchy of zones composed by
particularly high trees.
Avoid possible kernel stack overflow by substituting the recursive approach
with an iterative one supported by a dynamically allocated stack-like data
structure.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/powercap/arm_scmi_powercap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b427c23cebc5c926516f20304bf1acc05a33d147",
"status": "affected",
"version": "b55eef5226b71edf5422de246bc189da1fdc9000",
"versionType": "git"
},
{
"lessThan": "8022b64fb7daa6135d9f7b0e2f7b5b8e9e5179c9",
"status": "affected",
"version": "b55eef5226b71edf5422de246bc189da1fdc9000",
"versionType": "git"
},
{
"lessThan": "3e767d6850f867cc33ac16ca097350a1d2417982",
"status": "affected",
"version": "b55eef5226b71edf5422de246bc189da1fdc9000",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/powercap/arm_scmi_powercap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: arm_scmi: Remove recursion while parsing zones\n\nPowercap zones can be defined as arranged in a hierarchy of trees and when\nregistering a zone with powercap_register_zone(), the kernel powercap\nsubsystem expects this to happen starting from the root zones down to the\nleaves; on the other side, de-registration by powercap_deregister_zone()\nmust begin from the leaf zones.\n\nAvailable SCMI powercap zones are retrieved dynamically from the platform\nat probe time and, while any defined hierarchy between the zones is\ndescribed properly in the zones descriptor, the platform returns the\navailables zones with no particular well-defined order: as a consequence,\nthe trees possibly composing the hierarchy of zones have to be somehow\nwalked properly to register the retrieved zones from the root.\n\nCurrently the ARM SCMI Powercap driver walks the zones using a recursive\nalgorithm; this approach, even though correct and tested can lead to kernel\nstack overflow when processing a returned hierarchy of zones composed by\nparticularly high trees.\n\nAvoid possible kernel stack overflow by substituting the recursive approach\nwith an iterative one supported by a dynamically allocated stack-like data\nstructure."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:09.580Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b427c23cebc5c926516f20304bf1acc05a33d147"
},
{
"url": "https://git.kernel.org/stable/c/8022b64fb7daa6135d9f7b0e2f7b5b8e9e5179c9"
},
{
"url": "https://git.kernel.org/stable/c/3e767d6850f867cc33ac16ca097350a1d2417982"
}
],
"title": "powercap: arm_scmi: Remove recursion while parsing zones",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53428",
"datePublished": "2025-09-18T16:04:09.580Z",
"dateReserved": "2025-09-17T14:54:09.745Z",
"dateUpdated": "2025-09-18T16:04:09.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37885 (GCVE-0-2025-37885)
Vulnerability from cvelistv5
Published
2025-05-09 06:45
Modified
2025-11-03 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Reset IRTE to host control if *new* route isn't postable
Restore an IRTE back to host control (remapped or posted MSI mode) if the
*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of
the GSI routing type. Updating the IRTE if and only if the new GSI is an
MSI results in KVM leaving an IRTE posting to a vCPU.
The dangling IRTE can result in interrupts being incorrectly delivered to
the guest, and in the worst case scenario can result in use-after-free,
e.g. if the VM is torn down, but the underlying host IRQ isn't freed.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f Version: efc644048ecde54f016011fe10110addd0de348f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:59.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/vmx/posted_intr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "116c7d35b8f72eac383b9fd371d7c1a8ffc2968b",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "023816bd5fa46fab94d1e7917fe131b79ed1fb41",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "3481fd96d801715942b6f69fe251133128156f30",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "b5de7ac74f69603ad803c524b840bffd36368fc3",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "3066ec21d1a33896125747f68638725f456308db",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
},
{
"lessThan": "9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2",
"status": "affected",
"version": "efc644048ecde54f016011fe10110addd0de348f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/vmx/posted_intr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reset IRTE to host control if *new* route isn\u0027t postable\n\nRestore an IRTE back to host control (remapped or posted MSI mode) if the\n*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of\nthe GSI routing type. Updating the IRTE if and only if the new GSI is an\nMSI results in KVM leaving an IRTE posting to a vCPU.\n\nThe dangling IRTE can result in interrupts being incorrectly delivered to\nthe guest, and in the worst case scenario can result in use-after-free,\ne.g. if the VM is torn down, but the underlying host IRQ isn\u0027t freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T05:23:01.651Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769"
},
{
"url": "https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b"
},
{
"url": "https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41"
},
{
"url": "https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30"
},
{
"url": "https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3"
},
{
"url": "https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db"
},
{
"url": "https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2"
}
],
"title": "KVM: x86: Reset IRTE to host control if *new* route isn\u0027t postable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37885",
"datePublished": "2025-05-09T06:45:48.150Z",
"dateReserved": "2025-04-16T04:51:23.963Z",
"dateUpdated": "2025-11-03T19:56:59.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53612 (GCVE-0-2023-53612)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (coretemp) Simplify platform device handling
Coretemp's platform driver is unconventional. All the real work is done
globally by the initcall and CPU hotplug notifiers, while the "driver"
effectively just wraps an allocation and the registration of the hwmon
interface in a long-winded round-trip through the driver core. The whole
logic of dynamically creating and destroying platform devices to bring
the interfaces up and down is error prone, since it assumes
platform_device_add() will synchronously bind the driver and set drvdata
before it returns, thus results in a NULL dereference if drivers_autoprobe
is turned off for the platform bus. Furthermore, the unusual approach of
doing that from within a CPU hotplug notifier, already commented in the
code that it deadlocks suspend, also causes lockdep issues for other
drivers or subsystems which may want to legitimately register a CPU
hotplug notifier from a platform bus notifier.
All of these issues can be solved by ripping this unusual behaviour out
completely, simply tying the platform devices to the lifetime of the
module itself, and directly managing the hwmon interfaces from the
hotplug notifiers. There is a slight user-visible change in that
/sys/bus/platform/drivers/coretemp will no longer appear, and
/sys/devices/platform/coretemp.n will remain present if package n is
hotplugged off, but hwmon users should really only be looking for the
presence of the hwmon interfaces, whose behaviour remains unchanged.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/coretemp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4000384684f612b3645a944f6acde0e65ac370b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5735878a7b7db7e9ce731cb36cec298a9de67549",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52ea47a0ddfbc5fe05e873d3f5a59db4ba3e03fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8fcdbc4bc01365f4b10fed7db544a3149e3054fd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c57a8d14d7880521150ee801d53a0a64fdffd9c8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6d03bbff456befeccdd4d663177c4d6c75d0c4ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/coretemp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Simplify platform device handling\n\nCoretemp\u0027s platform driver is unconventional. All the real work is done\nglobally by the initcall and CPU hotplug notifiers, while the \"driver\"\neffectively just wraps an allocation and the registration of the hwmon\ninterface in a long-winded round-trip through the driver core. The whole\nlogic of dynamically creating and destroying platform devices to bring\nthe interfaces up and down is error prone, since it assumes\nplatform_device_add() will synchronously bind the driver and set drvdata\nbefore it returns, thus results in a NULL dereference if drivers_autoprobe\nis turned off for the platform bus. Furthermore, the unusual approach of\ndoing that from within a CPU hotplug notifier, already commented in the\ncode that it deadlocks suspend, also causes lockdep issues for other\ndrivers or subsystems which may want to legitimately register a CPU\nhotplug notifier from a platform bus notifier.\n\nAll of these issues can be solved by ripping this unusual behaviour out\ncompletely, simply tying the platform devices to the lifetime of the\nmodule itself, and directly managing the hwmon interfaces from the\nhotplug notifiers. There is a slight user-visible change in that\n/sys/bus/platform/drivers/coretemp will no longer appear, and\n/sys/devices/platform/coretemp.n will remain present if package n is\nhotplugged off, but hwmon users should really only be looking for the\npresence of the hwmon interfaces, whose behaviour remains unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:20.297Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4000384684f612b3645a944f6acde0e65ac370b8"
},
{
"url": "https://git.kernel.org/stable/c/5735878a7b7db7e9ce731cb36cec298a9de67549"
},
{
"url": "https://git.kernel.org/stable/c/52ea47a0ddfbc5fe05e873d3f5a59db4ba3e03fe"
},
{
"url": "https://git.kernel.org/stable/c/8fcdbc4bc01365f4b10fed7db544a3149e3054fd"
},
{
"url": "https://git.kernel.org/stable/c/c57a8d14d7880521150ee801d53a0a64fdffd9c8"
},
{
"url": "https://git.kernel.org/stable/c/6d03bbff456befeccdd4d663177c4d6c75d0c4ff"
}
],
"title": "hwmon: (coretemp) Simplify platform device handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53612",
"datePublished": "2025-10-04T15:44:20.297Z",
"dateReserved": "2025-10-04T15:40:38.480Z",
"dateUpdated": "2025-10-04T15:44:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53311 (GCVE-0-2023-53311)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").
However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():
nilfs_detach_log_writer()
nilfs_dispose_list()
iput()
mark_inode_dirty_sync()
__mark_inode_dirty()
nilfs_dirty_inode()
__nilfs_mark_inode_dirty()
nilfs_load_inode_block() --> causes UAF of nilfs_root struct
This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.
This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.
Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().
Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount. The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail. The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 Version: 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c",
"fs/nilfs2/segment.c",
"fs/nilfs2/the_nilfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11afd67f1b3c28eb216e50a3ca8dbcb69bb71793",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "a3c3b4cbf9b8554120fb230e6516e980c6277487",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "d2c539c216cce74837a9cf5804eb205939b82227",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "37207240872456fbab44a110bde6640445233963",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "3645510cf926e6af2f4d44899370d7e5331c93bd",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "7532ff6edbf5242376b24a95a2fefb59bb653e5a",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "5828d5f5dc877dcfdd7b23102e978e2ecfd86d82",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
},
{
"lessThan": "f8654743a0e6909dc634cbfad6db6816f10f3399",
"status": "affected",
"version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c",
"fs/nilfs2/segment.c",
"fs/nilfs2/the_nilfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,\nnilfs_evict_inode() could cause use-after-free read for nilfs_root if\ninodes are left in \"garbage_list\" and released by nilfs_dispose_list at\nthe end of nilfs_detach_log_writer(), and this bug was fixed by commit\n9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root in\nnilfs_evict_inode()\").\n\nHowever, it turned out that there is another possibility of UAF in the\ncall path where mark_inode_dirty_sync() is called from iput():\n\nnilfs_detach_log_writer()\n nilfs_dispose_list()\n iput()\n mark_inode_dirty_sync()\n __mark_inode_dirty()\n nilfs_dirty_inode()\n __nilfs_mark_inode_dirty()\n nilfs_load_inode_block() --\u003e causes UAF of nilfs_root struct\n\nThis can happen after commit 0ae45f63d4ef (\"vfs: add support for a\nlazytime mount option\"), which changed iput() to call\nmark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME\nflag and i_nlink is non-zero.\n\nThis issue appears after commit 28a65b49eb53 (\"nilfs2: do not write dirty\ndata after degenerating to read-only\") when using the syzbot reproducer,\nbut the issue has potentially existed before.\n\nFix this issue by adding a \"purging flag\" to the nilfs structure, setting\nthat flag while disposing the \"garbage_list\" and checking it in\n__nilfs_mark_inode_dirty().\n\nUnlike commit 9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root\nin nilfs_evict_inode()\"), this patch does not rely on ns_writer to\ndetermine whether to skip operations, so as not to break recovery on\nmount. The nilfs_salvage_orphan_logs routine dirties the buffer of\nsalvaged data before attaching the log writer, so changing\n__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL\nwill cause recovery write to fail. The purpose of using the cleanup-only\nflag is to allow for narrowing of such conditions."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:11:49.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11afd67f1b3c28eb216e50a3ca8dbcb69bb71793"
},
{
"url": "https://git.kernel.org/stable/c/a3c3b4cbf9b8554120fb230e6516e980c6277487"
},
{
"url": "https://git.kernel.org/stable/c/d2c539c216cce74837a9cf5804eb205939b82227"
},
{
"url": "https://git.kernel.org/stable/c/37207240872456fbab44a110bde6640445233963"
},
{
"url": "https://git.kernel.org/stable/c/3645510cf926e6af2f4d44899370d7e5331c93bd"
},
{
"url": "https://git.kernel.org/stable/c/7532ff6edbf5242376b24a95a2fefb59bb653e5a"
},
{
"url": "https://git.kernel.org/stable/c/5828d5f5dc877dcfdd7b23102e978e2ecfd86d82"
},
{
"url": "https://git.kernel.org/stable/c/f8654743a0e6909dc634cbfad6db6816f10f3399"
}
],
"title": "nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53311",
"datePublished": "2025-09-16T16:11:49.099Z",
"dateReserved": "2025-09-16T16:08:59.562Z",
"dateUpdated": "2025-09-16T16:11:49.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38700 (GCVE-0-2025-38700)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
In case of an ib_fast_reg_mr allocation failure during iSER setup, the
machine hits a panic because iscsi_conn->dd_data is initialized
unconditionally, even when no memory is allocated (dd_size == 0). This
leads invalid pointer dereference during connection teardown.
Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
Panic trace:
------------
iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
BUG: unable to handle page fault for address: fffffffffffffff8
RIP: 0010:swake_up_locked.part.5+0xa/0x40
Call Trace:
complete+0x31/0x40
iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
? netlink_lookup+0x12f/0x1b0
? netlink_deliver_tap+0x2c/0x200
netlink_unicast+0x1ab/0x280
netlink_sendmsg+0x257/0x4f0
? _copy_from_user+0x29/0x60
sock_sendmsg+0x5f/0x70
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:31.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/libiscsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f53af99f441ee79599d8df6113a7144d74cf9153",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ea6d961566c7d762ed0204b06db05756fdda3b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd5aad080edb501ab5c84b7623d612d0e3033403",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a145c269dc5380c063a20a0db7e6df2995962e9d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "66a373f50b4249d57f5a88c7be9676f9d5884865",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35782c32528d82aa21f84cb5ceb2abd3526a8159",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a33d42b7fc24fe03f239fbb0880dd5b4b4b97c19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b242ea14386a510010eabfbfc3ce81a101f3802",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ea3a256ed81f95ab0f3281a0e234b01a9cae605",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/libiscsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libiscsi: Initialize iscsi_conn-\u003edd_data only if memory is allocated\n\nIn case of an ib_fast_reg_mr allocation failure during iSER setup, the\nmachine hits a panic because iscsi_conn-\u003edd_data is initialized\nunconditionally, even when no memory is allocated (dd_size == 0). This\nleads invalid pointer dereference during connection teardown.\n\nFix by setting iscsi_conn-\u003edd_data only if memory is actually allocated.\n\nPanic trace:\n------------\n iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12\n iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers\n BUG: unable to handle page fault for address: fffffffffffffff8\n RIP: 0010:swake_up_locked.part.5+0xa/0x40\n Call Trace:\n complete+0x31/0x40\n iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]\n iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]\n iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]\n iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]\n ? netlink_lookup+0x12f/0x1b0\n ? netlink_deliver_tap+0x2c/0x200\n netlink_unicast+0x1ab/0x280\n netlink_sendmsg+0x257/0x4f0\n ? _copy_from_user+0x29/0x60\n sock_sendmsg+0x5f/0x70"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:18.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f53af99f441ee79599d8df6113a7144d74cf9153"
},
{
"url": "https://git.kernel.org/stable/c/9ea6d961566c7d762ed0204b06db05756fdda3b6"
},
{
"url": "https://git.kernel.org/stable/c/fd5aad080edb501ab5c84b7623d612d0e3033403"
},
{
"url": "https://git.kernel.org/stable/c/a145c269dc5380c063a20a0db7e6df2995962e9d"
},
{
"url": "https://git.kernel.org/stable/c/66a373f50b4249d57f5a88c7be9676f9d5884865"
},
{
"url": "https://git.kernel.org/stable/c/35782c32528d82aa21f84cb5ceb2abd3526a8159"
},
{
"url": "https://git.kernel.org/stable/c/a33d42b7fc24fe03f239fbb0880dd5b4b4b97c19"
},
{
"url": "https://git.kernel.org/stable/c/2b242ea14386a510010eabfbfc3ce81a101f3802"
},
{
"url": "https://git.kernel.org/stable/c/3ea3a256ed81f95ab0f3281a0e234b01a9cae605"
}
],
"title": "scsi: libiscsi: Initialize iscsi_conn-\u003edd_data only if memory is allocated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38700",
"datePublished": "2025-09-04T15:32:52.241Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:31.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38698 (GCVE-0-2025-38698)
Vulnerability from cvelistv5
Published
2025-09-04 15:32
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Regular file corruption check
The reproducer builds a corrupted file on disk with a negative i_size value.
Add a check when opening this file to avoid subsequent operation failures.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:27.948Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f896c3d0192241d6438be6963682ace8203f502",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6bc86f1d7d5419d5b19483ba203ca0b760c41c51",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ad054cd2c4ca8c371e555748832aa217c41fc65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9605cb2ea38ba014d0e704cba0dbbb00593fa9fd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78989af5bbf55a0cf1165b0fa73921bc02f1543b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00462be586b33076f8b8023e7ba697deedc131db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd9454b7710b28060faa49b041f8283c435721a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02edcfda419168d9405bffe55f18ea9c1bf92366",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d04df8116426b6c7b9f8b9b371250f666a2a2fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Regular file corruption check\n\nThe reproducer builds a corrupted file on disk with a negative i_size value.\nAdd a check when opening this file to avoid subsequent operation failures."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:15.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f896c3d0192241d6438be6963682ace8203f502"
},
{
"url": "https://git.kernel.org/stable/c/6bc86f1d7d5419d5b19483ba203ca0b760c41c51"
},
{
"url": "https://git.kernel.org/stable/c/9ad054cd2c4ca8c371e555748832aa217c41fc65"
},
{
"url": "https://git.kernel.org/stable/c/9605cb2ea38ba014d0e704cba0dbbb00593fa9fd"
},
{
"url": "https://git.kernel.org/stable/c/78989af5bbf55a0cf1165b0fa73921bc02f1543b"
},
{
"url": "https://git.kernel.org/stable/c/00462be586b33076f8b8023e7ba697deedc131db"
},
{
"url": "https://git.kernel.org/stable/c/fd9454b7710b28060faa49b041f8283c435721a3"
},
{
"url": "https://git.kernel.org/stable/c/02edcfda419168d9405bffe55f18ea9c1bf92366"
},
{
"url": "https://git.kernel.org/stable/c/2d04df8116426b6c7b9f8b9b371250f666a2a2fb"
}
],
"title": "jfs: Regular file corruption check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38698",
"datePublished": "2025-09-04T15:32:50.616Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:27.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39702 (GCVE-0-2025-39702)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:30.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b348c9c8d2ca2c67559ffd0e258ae7e1107d4f0",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "86b6d34717fe0570afce07ee79b8eeb40341f831",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "3ddd55cf19ed6cc62def5e3af10c2a9df1b861c3",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "b3967c493799e63f648e9c7b6cb063aa2aed04e7",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "f7878d47560d61e3f370aca3cebb8f42a55b990a",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "a458b2902115b26a25d67393b12ddd57d1216aaa",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:43.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b348c9c8d2ca2c67559ffd0e258ae7e1107d4f0"
},
{
"url": "https://git.kernel.org/stable/c/86b6d34717fe0570afce07ee79b8eeb40341f831"
},
{
"url": "https://git.kernel.org/stable/c/3ddd55cf19ed6cc62def5e3af10c2a9df1b861c3"
},
{
"url": "https://git.kernel.org/stable/c/b3967c493799e63f648e9c7b6cb063aa2aed04e7"
},
{
"url": "https://git.kernel.org/stable/c/f7878d47560d61e3f370aca3cebb8f42a55b990a"
},
{
"url": "https://git.kernel.org/stable/c/a458b2902115b26a25d67393b12ddd57d1216aaa"
}
],
"title": "ipv6: sr: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39702",
"datePublished": "2025-09-05T17:21:08.674Z",
"dateReserved": "2025-04-16T07:20:57.115Z",
"dateUpdated": "2025-11-03T17:42:30.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53673 (GCVE-0-2023-53673)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: call disconnect callback before deleting conn
In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, otherwise use-after-free occurs.
ISO:
==========================================================
iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
... <no iso_* activity on sk/conn> ...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
==========================================================
L2CAP:
==================================================================
hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx___lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX:
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59bd1e476bbc7bc6dff3c61bba787095a4839796",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
},
{
"lessThan": "093a07052406b363b1b2ab489e17dbadaf3e509b",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
},
{
"lessThan": "7f7cfcb6f0825652973b780f248603e23f16ee90",
"status": "affected",
"version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... \u003cno iso_* activity on sk/conn\u003e ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? __pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:29.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59bd1e476bbc7bc6dff3c61bba787095a4839796"
},
{
"url": "https://git.kernel.org/stable/c/093a07052406b363b1b2ab489e17dbadaf3e509b"
},
{
"url": "https://git.kernel.org/stable/c/7f7cfcb6f0825652973b780f248603e23f16ee90"
}
],
"title": "Bluetooth: hci_event: call disconnect callback before deleting conn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53673",
"datePublished": "2025-10-07T15:21:29.632Z",
"dateReserved": "2025-10-07T15:16:59.663Z",
"dateUpdated": "2025-10-07T15:21:29.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53692 (GCVE-0-2023-53692)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
Syzbot found the following issue:
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931
Read of size 4 at addr ffff888073644750 by task syz-executor420/5067
CPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]
ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931
ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809
ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline]
ext4_da_map_blocks fs/ext4/inode.c:1806 [inline]
ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870
ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098
ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082
generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285
ext4_file_write_iter+0x1d0/0x18f0
call_write_iter include/linux/fs.h:2186 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4b7a9737b9
RSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9
RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Above issue is happens when enable bigalloc and inline data feature. As
commit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for
bigalloc + inline. But it only resolved issue when has inline data, if
inline data has been converted to extent(ext4_da_convert_inline_data_to_extent)
before writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However
i_data is still store inline data in this scene. Then will trigger UAF
when find extent.
To resolve above issue, there is need to add judge "ext4_has_inline_data(inode)"
in ext4_clu_mapped().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6f4200ec76a0d31200c308ec5a71c68df5417004 Version: 9404839e0c9db5a517ea83c0ca3388b39d105fdf Version: d440d6427a5e3a877c1c259b8d2b216ddb65e185 Version: 81b915181c630ee1cffa052e52874fe4e1ba91ac Version: 131294c35ed6f777bd4e79d42af13b5c41bf2775 Version: 131294c35ed6f777bd4e79d42af13b5c41bf2775 Version: 131294c35ed6f777bd4e79d42af13b5c41bf2775 Version: c0c8edbc8abbe8f16d80a1d794d1ba2c12b6f193 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a34f6dcb78c654ab905642c1b4e7e5fbb4f0babe",
"status": "affected",
"version": "6f4200ec76a0d31200c308ec5a71c68df5417004",
"versionType": "git"
},
{
"lessThan": "770b0613637f59f3091dda1ff0c23671a5326b9c",
"status": "affected",
"version": "9404839e0c9db5a517ea83c0ca3388b39d105fdf",
"versionType": "git"
},
{
"lessThan": "40566def189c513be2c694681256d7486cc6e368",
"status": "affected",
"version": "d440d6427a5e3a877c1c259b8d2b216ddb65e185",
"versionType": "git"
},
{
"lessThan": "96d440bee177669dc0acedca0abd73bae6a9be8b",
"status": "affected",
"version": "81b915181c630ee1cffa052e52874fe4e1ba91ac",
"versionType": "git"
},
{
"lessThan": "11c87c8df2cae1d6be83c07e59fef0792de73482",
"status": "affected",
"version": "131294c35ed6f777bd4e79d42af13b5c41bf2775",
"versionType": "git"
},
{
"lessThan": "14da044725a3ab10affa3566d29c15737c0e67a4",
"status": "affected",
"version": "131294c35ed6f777bd4e79d42af13b5c41bf2775",
"versionType": "git"
},
{
"lessThan": "835659598c67907b98cd2aa57bb951dfaf675c69",
"status": "affected",
"version": "131294c35ed6f777bd4e79d42af13b5c41bf2775",
"versionType": "git"
},
{
"status": "affected",
"version": "c0c8edbc8abbe8f16d80a1d794d1ba2c12b6f193",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "6.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free read in ext4_find_extent for bigalloc + inline\n\nSyzbot found the following issue:\nloop0: detected capacity change from 0 to 2048\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.\n==================================================================\nBUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\nBUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\nRead of size 4 at addr ffff888073644750 by task syz-executor420/5067\n\nCPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:306\n print_report+0x107/0x1f0 mm/kasan/report.c:417\n kasan_report+0xcd/0x100 mm/kasan/report.c:517\n ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\n ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\n ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809\n ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline]\n ext4_da_map_blocks fs/ext4/inode.c:1806 [inline]\n ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870\n ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098\n ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285\n ext4_file_write_iter+0x1d0/0x18f0\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f4b7a9737b9\nRSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9\nRDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004\nRBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAbove issue is happens when enable bigalloc and inline data feature. As\ncommit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for\nbigalloc + inline. But it only resolved issue when has inline data, if\ninline data has been converted to extent(ext4_da_convert_inline_data_to_extent)\nbefore writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However\ni_data is still store inline data in this scene. Then will trigger UAF\nwhen find extent.\nTo resolve above issue, there is need to add judge \"ext4_has_inline_data(inode)\"\nin ext4_clu_mapped()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:34.702Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a34f6dcb78c654ab905642c1b4e7e5fbb4f0babe"
},
{
"url": "https://git.kernel.org/stable/c/770b0613637f59f3091dda1ff0c23671a5326b9c"
},
{
"url": "https://git.kernel.org/stable/c/40566def189c513be2c694681256d7486cc6e368"
},
{
"url": "https://git.kernel.org/stable/c/96d440bee177669dc0acedca0abd73bae6a9be8b"
},
{
"url": "https://git.kernel.org/stable/c/11c87c8df2cae1d6be83c07e59fef0792de73482"
},
{
"url": "https://git.kernel.org/stable/c/14da044725a3ab10affa3566d29c15737c0e67a4"
},
{
"url": "https://git.kernel.org/stable/c/835659598c67907b98cd2aa57bb951dfaf675c69"
}
],
"title": "ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53692",
"datePublished": "2025-10-22T13:23:34.702Z",
"dateReserved": "2025-10-22T13:21:37.344Z",
"dateUpdated": "2025-10-22T13:23:34.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38727 (GCVE-0-2025-38727)
Vulnerability from cvelistv5
Published
2025-09-04 15:33
Modified
2025-11-03 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: avoid infinite retry looping in netlink_unicast()
netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:
rmem < READ_ONCE(sk->sk_rcvbuf)
to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:
rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
(t=26000 jiffies g=230833 q=259957)
NMI backtrace for cpu 0
CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
Call Trace:
<IRQ>
dump_stack lib/dump_stack.c:120
nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
update_process_times kernel/time/timer.c:1953
tick_sched_handle kernel/time/tick-sched.c:227
tick_sched_timer kernel/time/tick-sched.c:1399
__hrtimer_run_queues kernel/time/hrtimer.c:1652
hrtimer_interrupt kernel/time/hrtimer.c:1717
__sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
</IRQ>
netlink_attachskb net/netlink/af_netlink.c:1234
netlink_unicast net/netlink/af_netlink.c:1349
kauditd_send_queue kernel/audit.c:776
kauditd_thread kernel/audit.c:897
kthread kernel/kthread.c:328
ret_from_fork arch/x86/entry/entry_64.S:304
Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.
Found by Linux Verification Center (linuxtesting.org).
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9da025150b7c14a8390fc06aea314c0a4011e82c Version: c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98 Version: fd69af06101090eaa60b3d216ae715f9c0a58e5b Version: 76602d8e13864524382b0687dc32cd8f19164d5a Version: 55baecb9eb90238f60a8350660d6762046ebd3bd Version: 4b8e18af7bea92f8b7fb92d40aeae729209db250 Version: cd7ff61bfffd7000143c42bbffb85eeb792466d6 Version: ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc Version: ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:56.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47d49fd07f86d1f55ea1083287303d237e9e0922",
"status": "affected",
"version": "9da025150b7c14a8390fc06aea314c0a4011e82c",
"versionType": "git"
},
{
"lessThan": "6bee383ff83352a693d03efdf27cdd80742f71b2",
"status": "affected",
"version": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
"versionType": "git"
},
{
"lessThan": "f324959ad47e62e3cadaffa65d3cff790fb48529",
"status": "affected",
"version": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
"versionType": "git"
},
{
"lessThan": "d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e",
"status": "affected",
"version": "76602d8e13864524382b0687dc32cd8f19164d5a",
"versionType": "git"
},
{
"lessThan": "346c820ef5135cf062fa3473da955ef8c5fb6929",
"status": "affected",
"version": "55baecb9eb90238f60a8350660d6762046ebd3bd",
"versionType": "git"
},
{
"lessThan": "44ddd7b1ae0b7edb2c832eb16798c827a05e58f0",
"status": "affected",
"version": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
"versionType": "git"
},
{
"lessThan": "78fcd69d55c5f11d7694c547eca767a1cfd38ec4",
"status": "affected",
"version": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
"versionType": "git"
},
{
"lessThan": "e8edc7de688791a337c068693f22e8d8b869df71",
"status": "affected",
"version": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
"versionType": "git"
},
{
"lessThan": "759dfc7d04bab1b0b86113f1164dc1fec192b859",
"status": "affected",
"version": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.4.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.15.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket\u0027s read memory allocation\nconstraints. Firstly, it has:\n\n rmem \u003c READ_ONCE(sk-\u003esk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket\u0027s receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n rmem + skb-\u003etruesize \u003e READ_ONCE(sk-\u003esk_rcvbuf)\n\nThe checks don\u0027t cover the case when skb-\u003etruesize + sk-\u003esk_rmem_alloc is\nequal to sk-\u003esk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n (t=26000 jiffies g=230833 q=259957)\n NMI backtrace for cpu 0\n CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n Call Trace:\n \u003cIRQ\u003e\n dump_stack lib/dump_stack.c:120\n nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n update_process_times kernel/time/timer.c:1953\n tick_sched_handle kernel/time/tick-sched.c:227\n tick_sched_timer kernel/time/tick-sched.c:1399\n __hrtimer_run_queues kernel/time/hrtimer.c:1652\n hrtimer_interrupt kernel/time/hrtimer.c:1717\n __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n \u003c/IRQ\u003e\n\n netlink_attachskb net/netlink/af_netlink.c:1234\n netlink_unicast net/netlink/af_netlink.c:1349\n kauditd_send_queue kernel/audit.c:776\n kauditd_thread kernel/audit.c:897\n kthread kernel/kthread.c:328\n ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org)."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:53.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922"
},
{
"url": "https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2"
},
{
"url": "https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529"
},
{
"url": "https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e"
},
{
"url": "https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929"
},
{
"url": "https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0"
},
{
"url": "https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4"
},
{
"url": "https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71"
},
{
"url": "https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859"
}
],
"title": "netlink: avoid infinite retry looping in netlink_unicast()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38727",
"datePublished": "2025-09-04T15:33:25.286Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:56.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53444 (GCVE-0-2023-53444)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: fix bulk_move corruption when adding a entry
When the resource is the first in the bulk_move range, adding it again
(thus moving it to the tail) will corrupt the list since the first
pointer is not moved. This eventually lead to null pointer deref in
ttm_lru_bulk_move_del()
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70a3015683b007a0db4a1e858791b69afd45fc83",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
},
{
"lessThan": "e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
},
{
"lessThan": "4481913607e58196c48a4fef5e6f45350684ec3c",
"status": "affected",
"version": "fee2ede155423b0f7a559050a39750b98fe9db69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix bulk_move corruption when adding a entry\n\nWhen the resource is the first in the bulk_move range, adding it again\n(thus moving it to the tail) will corrupt the list since the first\npointer is not moved. This eventually lead to null pointer deref in\nttm_lru_bulk_move_del()"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T16:04:20.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70a3015683b007a0db4a1e858791b69afd45fc83"
},
{
"url": "https://git.kernel.org/stable/c/e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b"
},
{
"url": "https://git.kernel.org/stable/c/4481913607e58196c48a4fef5e6f45350684ec3c"
}
],
"title": "drm/ttm: fix bulk_move corruption when adding a entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53444",
"datePublished": "2025-09-18T16:04:20.572Z",
"dateReserved": "2025-09-17T14:54:09.752Z",
"dateUpdated": "2025-09-18T16:04:20.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57996 (GCVE-0-2024-57996)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: don't allow 1 packet limit
The current implementation does not work correctly with a limit of
1. iproute2 actually checks for this and this patch adds the check in
kernel as well.
This fixes the following syzkaller reported crash:
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x125/0x19f lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:148 [inline]
__ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347
sfq_link net/sched/sch_sfq.c:210 [inline]
sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238
sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500
sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296
netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]
dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362
__dev_close_many+0x214/0x350 net/core/dev.c:1468
dev_close_many+0x207/0x510 net/core/dev.c:1506
unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738
unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695
unregister_netdevice include/linux/netdevice.h:2893 [inline]
__tun_detach+0x6b6/0x1600 drivers/net/tun.c:689
tun_detach drivers/net/tun.c:705 [inline]
tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640
__fput+0x203/0x840 fs/file_table.c:280
task_work_run+0x129/0x1b0 kernel/task_work.c:185
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x5ce/0x2200 kernel/exit.c:931
do_group_exit+0x144/0x310 kernel/exit.c:1046
__do_sys_exit_group kernel/exit.c:1057 [inline]
__se_sys_exit_group kernel/exit.c:1055 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055
do_syscall_64+0x6c/0xd0
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fe5e7b52479
Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.
RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0
R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270
The crash can be also be reproduced with the following (with a tc
recompiled to allow for sfq limits of 1):
tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s
../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1
ifconfig dummy0 up
ping -I dummy0 -f -c2 -W0.1 8.8.8.8
sleep 1
Scenario that triggers the crash:
* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1
* TBF dequeues: it peeks from SFQ which moves the packet to the
gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so
it schedules itself for later.
* the second packet is sent and TBF tries to queues it to SFQ. qdisc
qlen is now 2 and because the SFQ limit is 1 the packet is dropped
by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,
however q->tail is not NULL.
At this point, assuming no more packets are queued, when sch_dequeue
runs again it will decrement the qlen for the current empty slot
causing an underflow and the subsequent out of bounds access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:07.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e12f6013d0a69660e8b99bfe381b9546ae667328",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x125/0x19f lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:148 [inline]\n __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n sfq_link net/sched/sch_sfq.c:210 [inline]\n sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n __dev_close_many+0x214/0x350 net/core/dev.c:1468\n dev_close_many+0x207/0x510 net/core/dev.c:1506\n unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n unregister_netdevice include/linux/netdevice.h:2893 [inline]\n __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n tun_detach drivers/net/tun.c:705 [inline]\n tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n __fput+0x203/0x840 fs/file_table.c:280\n task_work_run+0x129/0x1b0 kernel/task_work.c:185\n exit_task_work include/linux/task_work.h:33 [inline]\n do_exit+0x5ce/0x2200 kernel/exit.c:931\n do_group_exit+0x144/0x310 kernel/exit.c:1046\n __do_sys_exit_group kernel/exit.c:1057 [inline]\n __se_sys_exit_group kernel/exit.c:1055 [inline]\n __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:42:44.697Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e12f6013d0a69660e8b99bfe381b9546ae667328"
},
{
"url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
},
{
"url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
},
{
"url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
},
{
"url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
},
{
"url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
},
{
"url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
},
{
"url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
}
],
"title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57996",
"datePublished": "2025-02-27T02:07:16.765Z",
"dateReserved": "2025-02-27T02:04:28.914Z",
"dateUpdated": "2025-11-03T19:33:07.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53447 (GCVE-0-2023-53447)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-19 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: don't reset unchangable mount option in f2fs_remount()
syzbot reports a bug as below:
general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942
Call Trace:
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691
__raw_write_lock include/linux/rwlock_api_smp.h:209 [inline]
_raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300
__drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100
f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116
f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664
f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838
vfs_fallocate+0x54b/0x6b0 fs/open.c:324
ksys_fallocate fs/open.c:347 [inline]
__do_sys_fallocate fs/open.c:355 [inline]
__se_sys_fallocate fs/open.c:353 [inline]
__x64_sys_fallocate+0xbd/0x100 fs/open.c:353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is race condition as below:
- since it tries to remount rw filesystem, so that do_remount won't
call sb_prepare_remount_readonly to block fallocate, there may be race
condition in between remount and fallocate.
- in f2fs_remount(), default_options() will reset mount option to default
one, and then update it based on result of parse_options(), so there is
a hole which race condition can happen.
Thread A Thread B
- f2fs_fill_super
- parse_options
- clear_opt(READ_EXTENT_CACHE)
- f2fs_remount
- default_options
- set_opt(READ_EXTENT_CACHE)
- f2fs_fallocate
- f2fs_insert_range
- f2fs_drop_extent_tree
- __drop_extent_tree
- __may_extent_tree
- test_opt(READ_EXTENT_CACHE) return true
- write_lock(&et->lock) access NULL pointer
- parse_options
- clear_opt(READ_EXTENT_CACHE)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "115557cc226a927924f2d7d1980ccbf6e3b3bb36",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "458c15dfbce62c35fefd9ca637b20a051309c9f1",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don\u0027t reset unchangable mount option in f2fs_remount()\n\nsyzbot reports a bug as below:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN\nRIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942\nCall Trace:\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691\n __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline]\n _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300\n __drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100\n f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116\n f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664\n f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838\n vfs_fallocate+0x54b/0x6b0 fs/open.c:324\n ksys_fallocate fs/open.c:347 [inline]\n __do_sys_fallocate fs/open.c:355 [inline]\n __se_sys_fallocate fs/open.c:353 [inline]\n __x64_sys_fallocate+0xbd/0x100 fs/open.c:353\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is race condition as below:\n- since it tries to remount rw filesystem, so that do_remount won\u0027t\ncall sb_prepare_remount_readonly to block fallocate, there may be race\ncondition in between remount and fallocate.\n- in f2fs_remount(), default_options() will reset mount option to default\none, and then update it based on result of parse_options(), so there is\na hole which race condition can happen.\n\nThread A\t\t\tThread B\n- f2fs_fill_super\n - parse_options\n - clear_opt(READ_EXTENT_CACHE)\n\n- f2fs_remount\n - default_options\n - set_opt(READ_EXTENT_CACHE)\n\t\t\t\t- f2fs_fallocate\n\t\t\t\t - f2fs_insert_range\n\t\t\t\t - f2fs_drop_extent_tree\n\t\t\t\t - __drop_extent_tree\n\t\t\t\t - __may_extent_tree\n\t\t\t\t - test_opt(READ_EXTENT_CACHE) return true\n\t\t\t\t - write_lock(\u0026et-\u003elock) access NULL pointer\n - parse_options\n - clear_opt(READ_EXTENT_CACHE)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T15:21:41.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/115557cc226a927924f2d7d1980ccbf6e3b3bb36"
},
{
"url": "https://git.kernel.org/stable/c/458c15dfbce62c35fefd9ca637b20a051309c9f1"
}
],
"title": "f2fs: don\u0027t reset unchangable mount option in f2fs_remount()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53447",
"datePublished": "2025-09-18T16:04:22.649Z",
"dateReserved": "2025-09-17T14:54:09.753Z",
"dateUpdated": "2025-09-19T15:21:41.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49545 (GCVE-0-2022-49545)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Cancel pending work at closing a MIDI substream
At closing a USB MIDI output substream, there might be still a pending
work, which would eventually access the rawmidi runtime object that is
being released. For fixing the race, make sure to cancel the pending
work at closing.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40bdb5ec957aca5c5c1924602bef6b0ab18e22d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11868ca21585561659c2575b0d6508ef8e9c4291",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e5fe2b6065541c6216a7a003b0cddf386be0d2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "517dcef4d2dda0132648f1e4c079ed17bba4d1a4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0125de38122f0f66bf61336158d12a1aabfe6425",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Cancel pending work at closing a MIDI substream\n\nAt closing a USB MIDI output substream, there might be still a pending\nwork, which would eventually access the rawmidi runtime object that is\nbeing released. For fixing the race, make sure to cancel the pending\nwork at closing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:14.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40bdb5ec957aca5c5c1924602bef6b0ab18e22d3"
},
{
"url": "https://git.kernel.org/stable/c/11868ca21585561659c2575b0d6508ef8e9c4291"
},
{
"url": "https://git.kernel.org/stable/c/5e5fe2b6065541c6216a7a003b0cddf386be0d2d"
},
{
"url": "https://git.kernel.org/stable/c/517dcef4d2dda0132648f1e4c079ed17bba4d1a4"
},
{
"url": "https://git.kernel.org/stable/c/0125de38122f0f66bf61336158d12a1aabfe6425"
}
],
"title": "ALSA: usb-audio: Cancel pending work at closing a MIDI substream",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49545",
"datePublished": "2025-02-26T02:13:58.363Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-05-04T08:40:14.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50388 (GCVE-0-2022-50388)
Vulnerability from cvelistv5
Published
2025-09-18 13:33
Modified
2025-09-29 10:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix multipath crash caused by flush request when blktrace is enabled
The flush request initialized by blk_kick_flush has NULL bio,
and it may be dealt with nvme_end_req during io completion.
When blktrace is enabled, nvme_trace_bio_complete with multipath
activated trying to access NULL pointer bio from flush request
results in the following crash:
[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a
[ 2517.835213] #PF: supervisor read access in kernel mode
[ 2517.838724] #PF: error_code(0x0000) - not-present page
[ 2517.842222] PGD 7b2d51067 P4D 0
[ 2517.845684] Oops: 0000 [#1] SMP NOPTI
[ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x86_64 #1
[ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022
[ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]
[ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30
[ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 <0f> b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba
[ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286
[ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000
[ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000
[ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000
[ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8
[ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018
[ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000
[ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0
[ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2517.913761] PKRU: 55555554
[ 2517.917558] Call Trace:
[ 2517.921294] <TASK>
[ 2517.924982] nvme_complete_rq+0x1c3/0x1e0 [nvme_core]
[ 2517.928715] nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]
[ 2517.932442] nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]
[ 2517.936137] ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]
[ 2517.939830] tcp_read_sock+0x9c/0x260
[ 2517.943486] nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]
[ 2517.947173] nvme_tcp_io_work+0x64/0x90 [nvme_tcp]
[ 2517.950834] process_one_work+0x1e8/0x390
[ 2517.954473] worker_thread+0x53/0x3c0
[ 2517.958069] ? process_one_work+0x390/0x390
[ 2517.961655] kthread+0x10c/0x130
[ 2517.965211] ? set_kthread_struct+0x40/0x40
[ 2517.968760] ret_from_fork+0x1f/0x30
[ 2517.972285] </TASK>
To avoid this situation, add a NULL check for req->bio before
calling trace_block_bio_complete.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f13301a69ababa6c2236fb4f0393b7e914e7e1e0",
"status": "affected",
"version": "35fe0d12c8a3d5e45f297562732ddc9ba9dc58dd",
"versionType": "git"
},
{
"lessThan": "4df413d46960f11c8c105238cfc3f5ff4c95c003",
"status": "affected",
"version": "35fe0d12c8a3d5e45f297562732ddc9ba9dc58dd",
"versionType": "git"
},
{
"lessThan": "fcd2d199486033223e9b2a6a7f9a01dd0327eac3",
"status": "affected",
"version": "35fe0d12c8a3d5e45f297562732ddc9ba9dc58dd",
"versionType": "git"
},
{
"lessThan": "183c2aaef40a91acbaae45c3824d6cde7bb62b10",
"status": "affected",
"version": "35fe0d12c8a3d5e45f297562732ddc9ba9dc58dd",
"versionType": "git"
},
{
"lessThan": "3659fb5ac29a5e6102bebe494ac789fd47fb78f4",
"status": "affected",
"version": "35fe0d12c8a3d5e45f297562732ddc9ba9dc58dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix multipath crash caused by flush request when blktrace is enabled\n\nThe flush request initialized by blk_kick_flush has NULL bio,\nand it may be dealt with nvme_end_req during io completion.\nWhen blktrace is enabled, nvme_trace_bio_complete with multipath\nactivated trying to access NULL pointer bio from flush request\nresults in the following crash:\n\n[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a\n[ 2517.835213] #PF: supervisor read access in kernel mode\n[ 2517.838724] #PF: error_code(0x0000) - not-present page\n[ 2517.842222] PGD 7b2d51067 P4D 0\n[ 2517.845684] Oops: 0000 [#1] SMP NOPTI\n[ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x86_64 #1\n[ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022\n[ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]\n[ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30\n[ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 \u003c0f\u003e b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba\n[ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286\n[ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000\n[ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000\n[ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000\n[ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8\n[ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018\n[ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000\n[ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0\n[ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 2517.913761] PKRU: 55555554\n[ 2517.917558] Call Trace:\n[ 2517.921294] \u003cTASK\u003e\n[ 2517.924982] nvme_complete_rq+0x1c3/0x1e0 [nvme_core]\n[ 2517.928715] nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]\n[ 2517.932442] nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]\n[ 2517.936137] ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]\n[ 2517.939830] tcp_read_sock+0x9c/0x260\n[ 2517.943486] nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]\n[ 2517.947173] nvme_tcp_io_work+0x64/0x90 [nvme_tcp]\n[ 2517.950834] process_one_work+0x1e8/0x390\n[ 2517.954473] worker_thread+0x53/0x3c0\n[ 2517.958069] ? process_one_work+0x390/0x390\n[ 2517.961655] kthread+0x10c/0x130\n[ 2517.965211] ? set_kthread_struct+0x40/0x40\n[ 2517.968760] ret_from_fork+0x1f/0x30\n[ 2517.972285] \u003c/TASK\u003e\n\nTo avoid this situation, add a NULL check for req-\u003ebio before\ncalling trace_block_bio_complete."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T10:47:32.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f13301a69ababa6c2236fb4f0393b7e914e7e1e0"
},
{
"url": "https://git.kernel.org/stable/c/4df413d46960f11c8c105238cfc3f5ff4c95c003"
},
{
"url": "https://git.kernel.org/stable/c/fcd2d199486033223e9b2a6a7f9a01dd0327eac3"
},
{
"url": "https://git.kernel.org/stable/c/183c2aaef40a91acbaae45c3824d6cde7bb62b10"
},
{
"url": "https://git.kernel.org/stable/c/3659fb5ac29a5e6102bebe494ac789fd47fb78f4"
}
],
"title": "nvme: fix multipath crash caused by flush request when blktrace is enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50388",
"datePublished": "2025-09-18T13:33:08.612Z",
"dateReserved": "2025-09-17T14:53:06.997Z",
"dateUpdated": "2025-09-29T10:47:32.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38644 (GCVE-0-2025-38644)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-11-03 17:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: reject TDLS operations when station is not associated
syzbot triggered a WARN in ieee80211_tdls_oper() by sending
NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
before association completed and without prior TDLS setup.
This left internal state like sdata->u.mgd.tdls_peer uninitialized,
leading to a WARN_ON() in code paths that assumed it was valid.
Reject the operation early if not in station mode or not associated.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 Version: 81dd2b8822410e56048b927be779d95a2b6dc186 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:40.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c84204cf0bbe89e454a5caccc6a908bc7db1542",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "378ae9ccaea3f445838a087962a067b5cb2e8577",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "af72badd5ee423eb16f6ad7fe0a62f1b4252d848",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "4df663d4c1ca386dcab2f743dfc9f0cc07aef73c",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "31af06b574394530f68a4310c45ecbe2f68853c4",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "16ecdab5446f15a61ec88eb0d23d25d009821db0",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:24.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542"
},
{
"url": "https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577"
},
{
"url": "https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848"
},
{
"url": "https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c"
},
{
"url": "https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4"
},
{
"url": "https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0"
}
],
"title": "wifi: mac80211: reject TDLS operations when station is not associated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38644",
"datePublished": "2025-08-22T16:00:49.899Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2025-11-03T17:40:40.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-42753 (GCVE-0-2023-42753)
Vulnerability from cvelistv5
Published
2023-09-25 20:25
Modified
2025-11-06 21:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Out-of-bounds Write
Summary
An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 7 |
Unaffected: 0:3.10.0-1160.108.1.rt56.1259.el7 < * cpe:/a:redhat:rhel_extras_rt:7 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"
},
{
"name": "RHSA-2023:7370",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7370"
},
{
"name": "RHSA-2023:7379",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7379"
},
{
"name": "RHSA-2023:7382",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7382"
},
{
"name": "RHSA-2023:7389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7389"
},
{
"name": "RHSA-2023:7411",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7411"
},
{
"name": "RHSA-2023:7418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7418"
},
{
"name": "RHSA-2023:7539",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7539"
},
{
"name": "RHSA-2023:7558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7558"
},
{
"name": "RHSA-2024:0089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0089"
},
{
"name": "RHSA-2024:0113",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0113"
},
{
"name": "RHSA-2024:0134",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0134"
},
{
"name": "RHSA-2024:0340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0340"
},
{
"name": "RHSA-2024:0346",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0346"
},
{
"name": "RHSA-2024:0347",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0347"
},
{
"name": "RHSA-2024:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0371"
},
{
"name": "RHSA-2024:0376",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0376"
},
{
"name": "RHSA-2024:0378",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0378"
},
{
"name": "RHSA-2024:0402",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0402"
},
{
"name": "RHSA-2024:0403",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0403"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0461",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0461"
},
{
"name": "RHSA-2024:0562",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0562"
},
{
"name": "RHSA-2024:0563",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0563"
},
{
"name": "RHSA-2024:0593",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0593"
},
{
"name": "RHSA-2024:0999",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0999"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-42753"
},
{
"name": "RHBZ#2239843",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239843"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2023/q3/216"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2023/09/22/10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42753",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T20:32:37.608936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:48:56.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_extras_rt:7"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.10.0-1160.108.1.rt56.1259.el7",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7::workstation",
"cpe:/o:redhat:enterprise_linux:7::client",
"cpe:/o:redhat:enterprise_linux:7::computenode",
"cpe:/o:redhat:enterprise_linux:7::server"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.10.0-1160.108.1.el7",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7::server"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:7.7::server"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7.7 Advanced Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.10.0-1062.85.1.el7",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv",
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.11.1.rt7.313.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.11.1.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.2::baseos",
"cpe:/o:redhat:rhel_e4s:8.2::baseos",
"cpe:/o:redhat:rhel_tus:8.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-193.120.1.el8_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_tus:8.2::realtime",
"cpe:/a:redhat:rhel_tus:8.2::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-193.120.1.rt13.171.el8_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.2::baseos",
"cpe:/o:redhat:rhel_e4s:8.2::baseos",
"cpe:/o:redhat:rhel_tus:8.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-193.120.1.el8_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.2::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.2::baseos",
"cpe:/o:redhat:rhel_e4s:8.2::baseos",
"cpe:/o:redhat:rhel_tus:8.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-193.120.1.el8_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos",
"cpe:/o:redhat:rhel_e4s:8.4::baseos",
"cpe:/o:redhat:rhel_tus:8.4::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-305.120.1.el8_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_tus:8.4::realtime",
"cpe:/a:redhat:rhel_tus:8.4::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-305.120.1.rt7.196.el8_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos",
"cpe:/o:redhat:rhel_e4s:8.4::baseos",
"cpe:/o:redhat:rhel_tus:8.4::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-305.120.1.el8_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos",
"cpe:/o:redhat:rhel_e4s:8.4::baseos",
"cpe:/o:redhat:rhel_tus:8.4::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-305.120.1.el8_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.4::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.8::crb",
"cpe:/o:redhat:rhel_eus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-477.36.1.el8_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.8::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.18.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-362.18.1.el9_3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.0::baseos",
"cpe:/a:redhat:rhel_eus:9.0::crb",
"cpe:/a:redhat:rhel_eus:9.0::appstream"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-70.80.1.el9_0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.0::realtime",
"cpe:/a:redhat:rhel_eus:9.0::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-70.80.1.rt21.151.el9_0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.0::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::appstream",
"cpe:/a:redhat:rhel_eus:9.2::crb",
"cpe:/o:redhat:rhel_eus:9.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.40.1.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::nfv",
"cpe:/a:redhat:rhel_eus:9.2::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.40.1.rt14.325.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.2::baseos"
],
"defaultStatus": "unaffected",
"packageName": "kpatch-patch",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2023-09-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h-\u003enets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:02:00.466Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:7370",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7370"
},
{
"name": "RHSA-2023:7379",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7379"
},
{
"name": "RHSA-2023:7382",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7382"
},
{
"name": "RHSA-2023:7389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7389"
},
{
"name": "RHSA-2023:7411",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7411"
},
{
"name": "RHSA-2023:7418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7418"
},
{
"name": "RHSA-2023:7539",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7539"
},
{
"name": "RHSA-2023:7558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7558"
},
{
"name": "RHSA-2024:0089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0089"
},
{
"name": "RHSA-2024:0113",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0113"
},
{
"name": "RHSA-2024:0134",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0134"
},
{
"name": "RHSA-2024:0340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0340"
},
{
"name": "RHSA-2024:0346",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0346"
},
{
"name": "RHSA-2024:0347",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0347"
},
{
"name": "RHSA-2024:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0371"
},
{
"name": "RHSA-2024:0376",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0376"
},
{
"name": "RHSA-2024:0378",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0378"
},
{
"name": "RHSA-2024:0402",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0402"
},
{
"name": "RHSA-2024:0403",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0403"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0461",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0461"
},
{
"name": "RHSA-2024:0562",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0562"
},
{
"name": "RHSA-2024:0563",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0563"
},
{
"name": "RHSA-2024:0593",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0593"
},
{
"name": "RHSA-2024:0999",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0999"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-42753"
},
{
"name": "RHBZ#2239843",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239843"
},
{
"url": "https://seclists.org/oss-sec/2023/q3/216"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-20T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-09-22T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: netfilter: potential slab-out-of-bound access due to integer underflow",
"workarounds": [
{
"lang": "en",
"value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
}
],
"x_redhatCweChain": "CWE-191-\u003eCWE-787: Integer Underflow (Wrap or Wraparound) leads to Out-of-bounds Write"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-42753",
"datePublished": "2023-09-25T20:25:59.706Z",
"dateReserved": "2023-09-13T11:03:47.961Z",
"dateUpdated": "2025-11-06T21:02:00.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39756 (GCVE-0-2025-39756)
Vulnerability from cvelistv5
Published
2025-09-11 16:52
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: Prevent file descriptor table allocations exceeding INT_MAX
When sysctl_nr_open is set to a very high value (for example, 1073741816
as set by systemd), processes attempting to use file descriptors near
the limit can trigger massive memory allocation attempts that exceed
INT_MAX, resulting in a WARNING in mm/slub.c:
WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288
This happens because kvmalloc_array() and kvmalloc() check if the
requested size exceeds INT_MAX and emit a warning when the allocation is
not flagged with __GFP_NOWARN.
Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a
process calls dup2(oldfd, 1073741880), the kernel attempts to allocate:
- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes
- Multiple bitmaps: ~400MB
- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)
Reproducer:
1. Set /proc/sys/fs/nr_open to 1073741816:
# echo 1073741816 > /proc/sys/fs/nr_open
2. Run a program that uses a high file descriptor:
#include <unistd.h>
#include <sys/resource.h>
int main() {
struct rlimit rlim = {1073741824, 1073741824};
setrlimit(RLIMIT_NOFILE, &rlim);
dup2(2, 1073741880); // Triggers the warning
return 0;
}
3. Observe WARNING in dmesg at mm/slub.c:5027
systemd commit a8b627a introduced automatic bumping of fs.nr_open to the
maximum possible value. The rationale was that systems with memory
control groups (memcg) no longer need separate file descriptor limits
since memory is properly accounted. However, this change overlooked
that:
1. The kernel's allocation functions still enforce INT_MAX as a maximum
size regardless of memcg accounting
2. Programs and tests that legitimately test file descriptor limits can
inadvertently trigger massive allocations
3. The resulting allocations (>8GB) are impractical and will always fail
systemd's algorithm starts with INT_MAX and keeps halving the value
until the kernel accepts it. On most systems, this results in nr_open
being set to 1073741816 (0x3ffffff8), which is just under 1GB of file
descriptors.
While processes rarely use file descriptors near this limit in normal
operation, certain selftests (like
tools/testing/selftests/core/unshare_test.c) and programs that test file
descriptor limits can trigger this issue.
Fix this by adding a check in alloc_fdtable() to ensure the requested
allocation size does not exceed INT_MAX. This causes the operation to
fail with -EMFILE instead of triggering a kernel warning and avoids the
impractical >8GB memory allocation request.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b Version: 9cfe015aa424b3c003baba3841a60dd9b5ad319b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:05.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4159c5a90c03f8acd3de345a7f5fc63b0909818",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "f95638a8f22eba307dceddf5aef9ae2326bbcf98",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "749528086620f8012b83ae032a80f6ffa80c45cd",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "628fc28f42d979f36dbf75a6129ac7730e30c04e",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "237e416eb62101f21b28c9e6e564d10efe1ecc6f",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "9f61fa6a2a89a610120bc4e5d24379c667314b5c",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
},
{
"lessThan": "04a2c4b4511d186b0fce685da21085a5d4acd370",
"status": "affected",
"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: \u003e 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n # echo 1073741816 \u003e /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n #include \u003cunistd.h\u003e\n #include \u003csys/resource.h\u003e\n\n int main() {\n struct rlimit rlim = {1073741824, 1073741824};\n setrlimit(RLIMIT_NOFILE, \u0026rlim);\n dup2(2, 1073741880); // Triggers the warning\n return 0;\n }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel\u0027s allocation functions still enforce INT_MAX as a maximum\n size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n inadvertently trigger massive allocations\n3. The resulting allocations (\u003e8GB) are impractical and will always fail\n\nsystemd\u0027s algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical \u003e8GB memory allocation request."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:58:45.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4159c5a90c03f8acd3de345a7f5fc63b0909818"
},
{
"url": "https://git.kernel.org/stable/c/f95638a8f22eba307dceddf5aef9ae2326bbcf98"
},
{
"url": "https://git.kernel.org/stable/c/749528086620f8012b83ae032a80f6ffa80c45cd"
},
{
"url": "https://git.kernel.org/stable/c/628fc28f42d979f36dbf75a6129ac7730e30c04e"
},
{
"url": "https://git.kernel.org/stable/c/237e416eb62101f21b28c9e6e564d10efe1ecc6f"
},
{
"url": "https://git.kernel.org/stable/c/d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc"
},
{
"url": "https://git.kernel.org/stable/c/9f61fa6a2a89a610120bc4e5d24379c667314b5c"
},
{
"url": "https://git.kernel.org/stable/c/dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae"
},
{
"url": "https://git.kernel.org/stable/c/04a2c4b4511d186b0fce685da21085a5d4acd370"
}
],
"title": "fs: Prevent file descriptor table allocations exceeding INT_MAX",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39756",
"datePublished": "2025-09-11T16:52:26.136Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2025-11-03T17:43:05.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53631 (GCVE-0-2023-53631)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-sysman: Fix reference leak
If a duplicate attribute is found using kset_find_obj(),
a reference to that attribute is returned. This means
that we need to dispose it accordingly. Use kobject_put()
to dispose the duplicate attribute in such a case.
Compile-tested only.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d079a3e1ccdd183b75db4f5289be347980b45284",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "6ced15ff1746006476f1407fe722911a45a7874d",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "c5402011992bcc2b5614fe7fef24f9cdaec7473b",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "9d9e03bec147407826266580e7d6ec427241d859",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "7295a996fdab7bf83dc3d4078fa8b139b8e0a1bf",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/sysman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-sysman: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(),\na reference to that attribute is returned. This means\nthat we need to dispose it accordingly. Use kobject_put()\nto dispose the duplicate attribute in such a case.\n\nCompile-tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:34.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d079a3e1ccdd183b75db4f5289be347980b45284"
},
{
"url": "https://git.kernel.org/stable/c/6ced15ff1746006476f1407fe722911a45a7874d"
},
{
"url": "https://git.kernel.org/stable/c/c5402011992bcc2b5614fe7fef24f9cdaec7473b"
},
{
"url": "https://git.kernel.org/stable/c/9d9e03bec147407826266580e7d6ec427241d859"
},
{
"url": "https://git.kernel.org/stable/c/7295a996fdab7bf83dc3d4078fa8b139b8e0a1bf"
}
],
"title": "platform/x86: dell-sysman: Fix reference leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53631",
"datePublished": "2025-10-07T15:19:34.289Z",
"dateReserved": "2025-10-07T15:16:59.656Z",
"dateUpdated": "2025-10-07T15:19:34.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39684 (GCVE-0-2025-39684)
Vulnerability from cvelistv5
Published
2025-09-05 17:20
Modified
2025-11-03 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`). For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak. There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.
One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler. For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.
Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:16.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868a1b68dcd9f2805bb86aa64862402f785d8c4a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "ff4a7c18799c7fe999fa56c5cf276e13866b8c1a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "d84f6e77ebe3359394df32ecd97e0d76a25283dc",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "f3b0c9ec54736f3b8118f93a473d22e11ee65743",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "aecf0d557ddd95ce68193a5ee1dc4c87415ff08a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "3cd212e895ca2d58963fdc6422502b10dd3966bb",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel\nbuffer is allocated to hold `insn-\u003en` samples (each of which is an\n`unsigned int`). For some instruction types, `insn-\u003en` samples are\ncopied back to user-space, unless an error code is being returned. The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn-\u003en` samples, so that there is\nan information leak. There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler. For `INSN_READ` it only fills in at most 1 sample, so if\n`insn-\u003en` is greater than 1, the remaining `insn-\u003en - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver. It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:21.980Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"
},
{
"url": "https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"
},
{
"url": "https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"
},
{
"url": "https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"
},
{
"url": "https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"
},
{
"url": "https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"
}
],
"title": "comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39684",
"datePublished": "2025-09-05T17:20:50.827Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:16.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49014 (GCVE-0-2022-49014)
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Fix use-after-free in tun_detach()
syzbot reported use-after-free in tun_detach() [1]. This causes call
trace like below:
==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x461 mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
call_netdevice_notifiers net/core/dev.c:1997 [inline]
netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
tun_detach drivers/net/tun.c:704 [inline]
tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb3d/0x2a30 kernel/exit.c:820
do_group_exit+0xd4/0x2a0 kernel/exit.c:950
get_signal+0x21b1/0x2440 kernel/signal.c:2858
arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that sock_put() from __tun_detach() drops
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.
This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses for the struct net has done.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-49014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:13:28.883740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:18:38.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f23f1890d91812c35d32eab1b49621b6d32dc7b",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
},
{
"lessThan": "16c244bc65d1175775325ec0489a5a5c830e02c7",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
},
{
"lessThan": "5f442e1d403e0496bacb74a58e2be7f500695e6f",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
},
{
"lessThan": "04b995e963229501401810dab89dc73e7f12d054",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
},
{
"lessThan": "4cde8da2d814a3b7b176db81922d4ddaad7c0f0e",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
},
{
"lessThan": "5daadc86f27ea4d691e2131c04310d0418c6cd12",
"status": "affected",
"version": "83c1f36f9880814b24cdf6c2f91f66f61db65326",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.268",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.268",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.226",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.158",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.82",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.12",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix use-after-free in tun_detach()\n\nsyzbot reported use-after-free in tun_detach() [1]. This causes call\ntrace like below:\n\n==================================================================\nBUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\nRead of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673\n\nCPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x461 mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\n call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10237 [inline]\n netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351\n tun_detach drivers/net/tun.c:704 [inline]\n tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467\n __fput+0x27c/0xa90 fs/file_table.c:320\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xb3d/0x2a30 kernel/exit.c:820\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x21b1/0x2440 kernel/signal.c:2858\n arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that sock_put() from __tun_detach() drops\nlast reference count for struct net, and then notifier_call_chain()\nfrom netdev_state_change() accesses that struct net.\n\nThis patch fixes the issue by calling sock_put() from tun_detach()\nafter all necessary accesses for the struct net has done."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:05.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b"
},
{
"url": "https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7"
},
{
"url": "https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f"
},
{
"url": "https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054"
},
{
"url": "https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e"
},
{
"url": "https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12"
}
],
"title": "net: tun: Fix use-after-free in tun_detach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49014",
"datePublished": "2024-10-21T20:06:24.020Z",
"dateReserved": "2024-08-22T01:27:53.645Z",
"dateUpdated": "2025-05-04T08:28:05.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53196 (GCVE-0-2023-53196)
Vulnerability from cvelistv5
Published
2025-09-15 14:06
Modified
2025-09-15 14:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: qcom: Fix potential memory leak
Function dwc3_qcom_probe() allocates memory for resource structure
which is pointed by parent_res pointer. This memory is not
freed. This leads to memory leak. Use stack memory to prevent
memory leak.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c Version: 2bc02355f8ba2c1f108ec8b16a673b467a17228c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "648a163cff21ea355c8765e882ba8bf66a870a3e",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "74f8606ddfa450d2255b4e61472a7632def1e8c4",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "b626cd5e4a87a281629e0c2b07519990077c0fbe",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "c3b322b84ab5dda7eaca9ded763628b7467734f4",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "134a7d4642f11daed6bbc378f930a54dd0322291",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
},
{
"lessThan": "097fb3ee710d4de83b8d4f5589e8ee13e0f0541e",
"status": "affected",
"version": "2bc02355f8ba2c1f108ec8b16a673b467a17228c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix potential memory leak\n\nFunction dwc3_qcom_probe() allocates memory for resource structure\nwhich is pointed by parent_res pointer. This memory is not\nfreed. This leads to memory leak. Use stack memory to prevent\nmemory leak.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:06:43.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/648a163cff21ea355c8765e882ba8bf66a870a3e"
},
{
"url": "https://git.kernel.org/stable/c/74f8606ddfa450d2255b4e61472a7632def1e8c4"
},
{
"url": "https://git.kernel.org/stable/c/b626cd5e4a87a281629e0c2b07519990077c0fbe"
},
{
"url": "https://git.kernel.org/stable/c/c3b322b84ab5dda7eaca9ded763628b7467734f4"
},
{
"url": "https://git.kernel.org/stable/c/134a7d4642f11daed6bbc378f930a54dd0322291"
},
{
"url": "https://git.kernel.org/stable/c/097fb3ee710d4de83b8d4f5589e8ee13e0f0541e"
}
],
"title": "usb: dwc3: qcom: Fix potential memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53196",
"datePublished": "2025-09-15T14:06:43.535Z",
"dateReserved": "2025-09-15T13:59:19.067Z",
"dateUpdated": "2025-09-15T14:06:43.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53185 (GCVE-0-2023-53185)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
A bad USB device is able to construct a service connection response
message with target endpoint being ENDPOINT0 which is reserved for
HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
services.
Reject such service connection responses.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db8df00cd6d801b3abdb145201c2bdd1c665f585",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9e3031eea2d45918dc44cbfc6a6029e82882916f",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "4dc3560561a08842b4a4c07ccc5a90e5067dbb5b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "1044187e7249073f719ebbf9e5ffb4f16f99e555",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "95b4b940f0fb2873dcedad81699e869eb7581c85",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "09740fa9827cfbaf23ecd041e602a426f99be888",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "6a444dffb75238c47d2d852f12cf53f12ad2cba8",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "be2a546c30fe8d72efa032bee612363bb75314bd",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "061b0cb9327b80d7a0f63a33e7c3e2a91a71f142",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: don\u0027t allow to overwrite ENDPOINT0 attributes\n\nA bad USB device is able to construct a service connection response\nmessage with target endpoint being ENDPOINT0 which is reserved for\nHTC_CTRL_RSVD_SVC and should not be modified to be used for any other\nservices.\n\nReject such service connection responses.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:37.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db8df00cd6d801b3abdb145201c2bdd1c665f585"
},
{
"url": "https://git.kernel.org/stable/c/9e3031eea2d45918dc44cbfc6a6029e82882916f"
},
{
"url": "https://git.kernel.org/stable/c/4dc3560561a08842b4a4c07ccc5a90e5067dbb5b"
},
{
"url": "https://git.kernel.org/stable/c/1044187e7249073f719ebbf9e5ffb4f16f99e555"
},
{
"url": "https://git.kernel.org/stable/c/95b4b940f0fb2873dcedad81699e869eb7581c85"
},
{
"url": "https://git.kernel.org/stable/c/09740fa9827cfbaf23ecd041e602a426f99be888"
},
{
"url": "https://git.kernel.org/stable/c/6a444dffb75238c47d2d852f12cf53f12ad2cba8"
},
{
"url": "https://git.kernel.org/stable/c/be2a546c30fe8d72efa032bee612363bb75314bd"
},
{
"url": "https://git.kernel.org/stable/c/061b0cb9327b80d7a0f63a33e7c3e2a91a71f142"
}
],
"title": "wifi: ath9k: don\u0027t allow to overwrite ENDPOINT0 attributes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53185",
"datePublished": "2025-09-15T14:04:37.921Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-15T14:04:37.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53728 (GCVE-0-2023-53728)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-timers: Ensure timer ID search-loop limit is valid
posix_timer_add() tries to allocate a posix timer ID by starting from the
cached ID which was stored by the last successful allocation.
This is done in a loop searching the ID space for a free slot one by
one. The loop has to terminate when the search wrapped around to the
starting point.
But that's racy vs. establishing the starting point. That is read out
lockless, which leads to the following problem:
CPU0 CPU1
posix_timer_add()
start = sig->posix_timer_id;
lock(hash_lock);
... posix_timer_add()
if (++sig->posix_timer_id < 0)
start = sig->posix_timer_id;
sig->posix_timer_id = 0;
So CPU1 can observe a negative start value, i.e. -1, and the loop break
never happens because the condition can never be true:
if (sig->posix_timer_id == start)
break;
While this is unlikely to ever turn into an endless loop as the ID space is
huge (INT_MAX), the racy read of the start value caught the attention of
KCSAN and Dmitry unearthed that incorrectness.
Rewrite it so that all id operations are under the hash lock.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sched/signal.h",
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dc52c200b889bc1cb34288fbf623d4ff381d2ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ea26a8494a0a9337e7415eafd6f3ed940327dc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ad6679a5bb97cdb3e14942729292b4bfcc0e223",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "322377cc909defcca9451487484845e7e1d20d1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef535e0315afd098c4beb1da364847eca4b56a20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a0ac84501b4fec73a1a823c55cf13584c43f418",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37175e25edf7cc0d5a2cd2c2a1cbe2dcbf4a1937",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ce8849dd1e78dadcee0ec9acbd259d239b7069f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sched/signal.h",
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Ensure timer ID search-loop limit is valid\n\nposix_timer_add() tries to allocate a posix timer ID by starting from the\ncached ID which was stored by the last successful allocation.\n\nThis is done in a loop searching the ID space for a free slot one by\none. The loop has to terminate when the search wrapped around to the\nstarting point.\n\nBut that\u0027s racy vs. establishing the starting point. That is read out\nlockless, which leads to the following problem:\n\nCPU0\t \t \t \t CPU1\nposix_timer_add()\n start = sig-\u003eposix_timer_id;\n lock(hash_lock);\n ...\t\t\t\t posix_timer_add()\n if (++sig-\u003eposix_timer_id \u003c 0)\n \t\t\t start = sig-\u003eposix_timer_id;\n sig-\u003eposix_timer_id = 0;\n\nSo CPU1 can observe a negative start value, i.e. -1, and the loop break\nnever happens because the condition can never be true:\n\n if (sig-\u003eposix_timer_id == start)\n break;\n\nWhile this is unlikely to ever turn into an endless loop as the ID space is\nhuge (INT_MAX), the racy read of the start value caught the attention of\nKCSAN and Dmitry unearthed that incorrectness.\n\nRewrite it so that all id operations are under the hash lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:57.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dc52c200b889bc1cb34288fbf623d4ff381d2ae"
},
{
"url": "https://git.kernel.org/stable/c/9ea26a8494a0a9337e7415eafd6f3ed940327dc5"
},
{
"url": "https://git.kernel.org/stable/c/8ad6679a5bb97cdb3e14942729292b4bfcc0e223"
},
{
"url": "https://git.kernel.org/stable/c/322377cc909defcca9451487484845e7e1d20d1b"
},
{
"url": "https://git.kernel.org/stable/c/ef535e0315afd098c4beb1da364847eca4b56a20"
},
{
"url": "https://git.kernel.org/stable/c/6a0ac84501b4fec73a1a823c55cf13584c43f418"
},
{
"url": "https://git.kernel.org/stable/c/37175e25edf7cc0d5a2cd2c2a1cbe2dcbf4a1937"
},
{
"url": "https://git.kernel.org/stable/c/8ce8849dd1e78dadcee0ec9acbd259d239b7069f"
}
],
"title": "posix-timers: Ensure timer ID search-loop limit is valid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53728",
"datePublished": "2025-10-22T13:23:57.127Z",
"dateReserved": "2025-10-22T13:21:37.348Z",
"dateUpdated": "2025-10-22T13:23:57.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53564 (GCVE-0-2023-53564)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-04 15:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix defrag path triggering jbd2 ASSERT
code path:
ocfs2_ioctl_move_extents
ocfs2_move_extents
ocfs2_defrag_extent
__ocfs2_move_extent
+ ocfs2_journal_access_di
+ ocfs2_split_extent //sub-paths call jbd2_journal_restart
+ ocfs2_journal_dirty //crash by jbs2 ASSERT
crash stacks:
PID: 11297 TASK: ffff974a676dcd00 CPU: 67 COMMAND: "defragfs.ocfs2"
#0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01
#1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d
#2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d
#3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f
#4 [ffffb25d8dad3a58] do_trap at ffffffff83833205
#5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6
#6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18
[exception RIP: jbd2_journal_dirty_metadata+0x2ba]
RIP: ffffffffc09ca54a RSP: ffffb25d8dad3b70 RFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff9706eedc5248 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff97337029ea28 RDI: ffff9706eedc5250
RBP: ffff9703c3520200 R8: 000000000f46b0b2 R9: 0000000000000000
R10: 0000000000000001 R11: 00000001000000fe R12: ffff97337029ea28
R13: 0000000000000000 R14: ffff9703de59bf60 R15: ffff9706eedc5250
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]
#8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]
#9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]
Analysis
This bug has the same root cause of 'commit 7f27ec978b0e ("ocfs2: call
ocfs2_journal_access_di() before ocfs2_journal_dirty() in
ocfs2_write_end_nolock()")'. For this bug, jbd2_journal_restart() is
called by ocfs2_split_extent() during defragmenting.
How to fix
For ocfs2_split_extent() can handle journal operations totally by itself.
Caller doesn't need to call journal access/dirty pair, and caller only
needs to call journal start/stop pair. The fix method is to remove
journal access/dirty from __ocfs2_move_extent().
The discussion for this patch:
https://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f43d34a51ed30e6a60f7e59d224a63014fe2cd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f3b1c28e2908755fb248d3ee8ff56826f2387db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "669134a66d37258e1c4a5cfbd5b82f547ae30fca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c559b3ba8e0b9e3c4bb08159a28ccadc698410f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33665d1042666f2e5c736a3df1f453e31f030663",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8163ea90d89b7012dd1fa4b28edf5db0c641eca7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "590507ebabd33cd93324c04f9a5538309a5ba934",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "60eed1e3d45045623e46944ebc7c42c30a4350f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix defrag path triggering jbd2 ASSERT\n\ncode path:\n\nocfs2_ioctl_move_extents\n ocfs2_move_extents\n ocfs2_defrag_extent\n __ocfs2_move_extent\n + ocfs2_journal_access_di\n + ocfs2_split_extent //sub-paths call jbd2_journal_restart\n + ocfs2_journal_dirty //crash by jbs2 ASSERT\n\ncrash stacks:\n\nPID: 11297 TASK: ffff974a676dcd00 CPU: 67 COMMAND: \"defragfs.ocfs2\"\n #0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01\n #1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d\n #2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d\n #3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f\n #4 [ffffb25d8dad3a58] do_trap at ffffffff83833205\n #5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6\n #6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18\n [exception RIP: jbd2_journal_dirty_metadata+0x2ba]\n RIP: ffffffffc09ca54a RSP: ffffb25d8dad3b70 RFLAGS: 00010207\n RAX: 0000000000000000 RBX: ffff9706eedc5248 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: ffff97337029ea28 RDI: ffff9706eedc5250\n RBP: ffff9703c3520200 R8: 000000000f46b0b2 R9: 0000000000000000\n R10: 0000000000000001 R11: 00000001000000fe R12: ffff97337029ea28\n R13: 0000000000000000 R14: ffff9703de59bf60 R15: ffff9706eedc5250\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]\n #8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]\n #9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]\n\nAnalysis\n\nThis bug has the same root cause of \u0027commit 7f27ec978b0e (\"ocfs2: call\nocfs2_journal_access_di() before ocfs2_journal_dirty() in\nocfs2_write_end_nolock()\")\u0027. For this bug, jbd2_journal_restart() is\ncalled by ocfs2_split_extent() during defragmenting.\n\nHow to fix\n\nFor ocfs2_split_extent() can handle journal operations totally by itself. \nCaller doesn\u0027t need to call journal access/dirty pair, and caller only\nneeds to call journal start/stop pair. The fix method is to remove\njournal access/dirty from __ocfs2_move_extent().\n\nThe discussion for this patch:\nhttps://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:17:07.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f43d34a51ed30e6a60f7e59d224a63014fe2cd5"
},
{
"url": "https://git.kernel.org/stable/c/7f3b1c28e2908755fb248d3ee8ff56826f2387db"
},
{
"url": "https://git.kernel.org/stable/c/669134a66d37258e1c4a5cfbd5b82f547ae30fca"
},
{
"url": "https://git.kernel.org/stable/c/2c559b3ba8e0b9e3c4bb08159a28ccadc698410f"
},
{
"url": "https://git.kernel.org/stable/c/33665d1042666f2e5c736a3df1f453e31f030663"
},
{
"url": "https://git.kernel.org/stable/c/8163ea90d89b7012dd1fa4b28edf5db0c641eca7"
},
{
"url": "https://git.kernel.org/stable/c/590507ebabd33cd93324c04f9a5538309a5ba934"
},
{
"url": "https://git.kernel.org/stable/c/60eed1e3d45045623e46944ebc7c42c30a4350f0"
}
],
"title": "ocfs2: fix defrag path triggering jbd2 ASSERT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53564",
"datePublished": "2025-10-04T15:17:07.114Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-04T15:17:07.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53680 (GCVE-0-2023-53680)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
OPDESC() simply indexes into nfsd4_ops[] by the op's operation
number, without range checking that value. It assumes callers are
careful to avoid calling it with an out-of-bounds opnum value.
nfsd4_decode_compound() is not so careful, and can invoke OPDESC()
with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end
of nfsd4_ops[].
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50827896c365e0f6c8b55ed56d444dafd87c92c5",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "a64160124d5a078be0c380b1e8a0bad2d040d3a1",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "f352c41fa718482979e7e6b71b4da2b718e381cc",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
},
{
"lessThan": "804d8e0a6e54427268790472781e03bc243f4ee3",
"status": "affected",
"version": "f4f9ef4a1b0a1ca80b152e28e176d69515bdf7e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.220",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL\n\nOPDESC() simply indexes into nfsd4_ops[] by the op\u0027s operation\nnumber, without range checking that value. It assumes callers are\ncareful to avoid calling it with an out-of-bounds opnum value.\n\nnfsd4_decode_compound() is not so careful, and can invoke OPDESC()\nwith opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end\nof nfsd4_ops[]."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:34.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50827896c365e0f6c8b55ed56d444dafd87c92c5"
},
{
"url": "https://git.kernel.org/stable/c/a64160124d5a078be0c380b1e8a0bad2d040d3a1"
},
{
"url": "https://git.kernel.org/stable/c/ffcbcf087581ae68ddc0a21460f7ecd4315bdd0e"
},
{
"url": "https://git.kernel.org/stable/c/f352c41fa718482979e7e6b71b4da2b718e381cc"
},
{
"url": "https://git.kernel.org/stable/c/804d8e0a6e54427268790472781e03bc243f4ee3"
}
],
"title": "NFSD: Avoid calling OPDESC() with ops-\u003eopnum == OP_ILLEGAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53680",
"datePublished": "2025-10-07T15:21:34.626Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2025-10-07T15:21:34.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39981 (GCVE-0-2025-39981)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix possible UAFs
This attemps to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduce and use to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addtion remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87a1f16f07c6c43771754075e08f45b41d237421",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
},
{
"lessThan": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"status": "affected",
"version": "cf75ad8b41d2aa06f98f365d42a3ae8b059daddd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c",
"net/bluetooth/mgmt_util.c",
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible UAFs\n\nThis attemps to fix possible UAFs caused by struct mgmt_pending being\nfreed while still being processed like in the following trace, in order\nto fix mgmt_pending_valid is introduce and use to check if the\nmgmt_pending hasn\u0027t been removed from the pending list, on the complete\ncallbacks it is used to check and in addtion remove the cmd from the list\nwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd\nis left on the list it can still be accessed and freed.\n\nBUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nRead of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55\n\nCPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 12210:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247\n add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n sock_write_iter+0x258/0x330 net/socket.c:1133\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 12221:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4648 [inline]\n kfree+0x18e/0x440 mm/slub.c:4847\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444\n hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290\n hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]\n hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526\n sock_do_ioctl+0xd9/0x300 net/socket.c:1192\n sock_ioctl+0x576/0x790 net/socket.c:1313\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:00.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87a1f16f07c6c43771754075e08f45b41d237421"
},
{
"url": "https://git.kernel.org/stable/c/302a1f674c00dd5581ab8e493ef44767c5101aab"
}
],
"title": "Bluetooth: MGMT: Fix possible UAFs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39981",
"datePublished": "2025-10-15T07:56:00.959Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:00.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31248 (GCVE-0-2023-31248)
Vulnerability from cvelistv5
Published
2023-07-05 18:33
Modified
2025-03-05 18:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux Kernel |
Version: v5.9-rc1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:31.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lore.kernel.org/netfilter-devel/20230705121627.GC19489@breakpoint.cc/T/"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2023/07/05/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/05/2"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5453"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPHI46ROSSLVAV4R5LJWJYU747JGOS6D/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGZC5XOANA75OJ4XARBBXYSLDKUIJI5E/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173757/Kernel-Live-Patch-Security-Notice-LSN-0096-1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240201-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:50.820740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:54:52.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "Linux Kernel",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "v5.9-rc1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mingi Cho"
}
],
"datePublic": "2023-07-05T12:12:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T17:07:05.274Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://lore.kernel.org/netfilter-devel/20230705121627.GC19489@breakpoint.cc/T/"
},
{
"tags": [
"mailing-list"
],
"url": "https://www.openwall.com/lists/oss-security/2023/07/05/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/05/2"
},
{
"url": "https://www.debian.org/security/2023/dsa-5453"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPHI46ROSSLVAV4R5LJWJYU747JGOS6D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGZC5XOANA75OJ4XARBBXYSLDKUIJI5E/"
},
{
"url": "http://packetstormsecurity.com/files/173757/Kernel-Live-Patch-Security-Notice-LSN-0096-1.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html"
},
{
"url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240201-0001/"
}
],
"title": "Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-31248",
"datePublished": "2023-07-05T18:33:59.665Z",
"dateReserved": "2023-06-29T21:43:35.029Z",
"dateUpdated": "2025-03-05T18:54:52.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39864 (GCVE-0-2025-39864)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
'hidden_beacon_bss' pointer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Version: 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:14.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8bb681e879ca3c9f722aa08d3d7ae41c42a8807",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "a97a9791e455bb0cd5e7a38b5abcb05523d4e21c",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "ff040562c10a540b8d851f7f4145fa112977f853",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "6854476d9e1aeaaf05ebc98d610061c2075db07d",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "b7d08929178c16398278613df07ad65cf63cce9d",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "5b7ae04969f822283a95c866967e42b4d75e0eef",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "912c4b66bef713a20775cfbf3b5e9bd71525c716",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
},
{
"lessThan": "26e84445f02ce6b2fe5f3e0e28ff7add77f35e08",
"status": "affected",
"version": "3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they\u0027re not shared via the corresponding\n\u0027hidden_beacon_bss\u0027 pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:19.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8bb681e879ca3c9f722aa08d3d7ae41c42a8807"
},
{
"url": "https://git.kernel.org/stable/c/a97a9791e455bb0cd5e7a38b5abcb05523d4e21c"
},
{
"url": "https://git.kernel.org/stable/c/ff040562c10a540b8d851f7f4145fa112977f853"
},
{
"url": "https://git.kernel.org/stable/c/6854476d9e1aeaaf05ebc98d610061c2075db07d"
},
{
"url": "https://git.kernel.org/stable/c/b7d08929178c16398278613df07ad65cf63cce9d"
},
{
"url": "https://git.kernel.org/stable/c/5b7ae04969f822283a95c866967e42b4d75e0eef"
},
{
"url": "https://git.kernel.org/stable/c/912c4b66bef713a20775cfbf3b5e9bd71525c716"
},
{
"url": "https://git.kernel.org/stable/c/26e84445f02ce6b2fe5f3e0e28ff7add77f35e08"
}
],
"title": "wifi: cfg80211: fix use-after-free in cmp_bss()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39864",
"datePublished": "2025-09-19T15:26:33.787Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:14.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53591 (GCVE-0-2023-53591)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix deadlock in tc route query code
Cited commit causes ABBA deadlock[0] when peer flows are created while
holding the devcom rw semaphore. Due to peer flows offload implementation
the lock is taken much higher up the call chain and there is no obvious way
to easily fix the deadlock. Instead, since tc route query code needs the
peer eswitch structure only to perform a lookup in xarray and doesn't
perform any sleeping operations with it, refactor the code for lockless
execution in following ways:
- RCUify the devcom 'data' pointer. When resetting the pointer
synchronously wait for RCU grace period before returning. This is fine
since devcom is currently only used for synchronization of
pairing/unpairing of eswitches which is rare and already expensive as-is.
- Wrap all usages of 'paired' boolean in {READ|WRITE}_ONCE(). The flag has
already been used in some unlocked contexts without proper
annotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn't
an issue since all relevant code paths checked it again after obtaining the
devcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as
"best effort" check to return NULL when devcom is being unpaired. Note that
while RCU read lock doesn't prevent the unpaired flag from being changed
concurrently it still guarantees that reader can continue to use 'data'.
- Refactor mlx5e_tc_query_route_vport() function to use new
mlx5_devcom_get_peer_data_rcu() API which fixes the deadlock.
[0]:
[ 164.599612] ======================================================
[ 164.600142] WARNING: possible circular locking dependency detected
[ 164.600667] 6.3.0-rc3+ #1 Not tainted
[ 164.601021] ------------------------------------------------------
[ 164.601557] handler1/3456 is trying to acquire lock:
[ 164.601998] ffff88811f1714b0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]
[ 164.603078]
but task is already holding lock:
[ 164.603617] ffff88810137fc98 (&comp->sem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]
[ 164.604459]
which lock already depends on the new lock.
[ 164.605190]
the existing dependency chain (in reverse order) is:
[ 164.605848]
-> #1 (&comp->sem){++++}-{3:3}:
[ 164.606380] down_read+0x39/0x50
[ 164.606772] mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]
[ 164.607336] mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core]
[ 164.607914] mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core]
[ 164.608495] mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core]
[ 164.609063] mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core]
[ 164.609627] __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core]
[ 164.610175] mlx5e_configure_flower+0x952/0x1a20 [mlx5_core]
[ 164.610741] tc_setup_cb_add+0xd4/0x200
[ 164.611146] fl_hw_replace_filter+0x14c/0x1f0 [cls_flower]
[ 164.611661] fl_change+0xc95/0x18a0 [cls_flower]
[ 164.612116] tc_new_tfilter+0x3fc/0xd20
[ 164.612516] rtnetlink_rcv_msg+0x418/0x5b0
[ 164.612936] netlink_rcv_skb+0x54/0x100
[ 164.613339] netlink_unicast+0x190/0x250
[ 164.613746] netlink_sendmsg+0x245/0x4a0
[ 164.614150] sock_sendmsg+0x38/0x60
[ 164.614522] ____sys_sendmsg+0x1d0/0x1e0
[ 164.614934] ___sys_sendmsg+0x80/0xc0
[ 164.615320] __sys_sendmsg+0x51/0x90
[ 164.615701] do_syscall_64+0x3d/0x90
[ 164.616083] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 164.616568]
-> #0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}:
[ 164.617210] __lock_acquire+0x159e/0x26e0
[ 164.617638] lock_acquire+0xc2/0x2a0
[ 164.618018] __mutex_lock+0x92/0xcd0
[ 164.618401] mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]
[ 164.618943] post_process_attr+0x153/0x2d0 [
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02 Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02 Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02 Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02 Version: 87a0625cf1c76caeaa15c576a0b2fcad4b9387d0 Version: 7778fe1a6a6c069a460e4e3ff8ed3722392a4b5b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69966bce28da6aadccfd968b75d128a79da32d17",
"status": "affected",
"version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
"versionType": "git"
},
{
"lessThan": "362063df6ceec80b0b6798b61ae03504dcc125a5",
"status": "affected",
"version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
"versionType": "git"
},
{
"lessThan": "a7236e420a7d8082b1df4b3e05c739dd2642a662",
"status": "affected",
"version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
"versionType": "git"
},
{
"lessThan": "691c041bf20899fc13c793f92ba61ab660fa3a30",
"status": "affected",
"version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
"versionType": "git"
},
{
"status": "affected",
"version": "87a0625cf1c76caeaa15c576a0b2fcad4b9387d0",
"versionType": "git"
},
{
"status": "affected",
"version": "7778fe1a6a6c069a460e4e3ff8ed3722392a4b5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c",
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.115",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlock in tc route query code\n\nCited commit causes ABBA deadlock[0] when peer flows are created while\nholding the devcom rw semaphore. Due to peer flows offload implementation\nthe lock is taken much higher up the call chain and there is no obvious way\nto easily fix the deadlock. Instead, since tc route query code needs the\npeer eswitch structure only to perform a lookup in xarray and doesn\u0027t\nperform any sleeping operations with it, refactor the code for lockless\nexecution in following ways:\n\n- RCUify the devcom \u0027data\u0027 pointer. When resetting the pointer\nsynchronously wait for RCU grace period before returning. This is fine\nsince devcom is currently only used for synchronization of\npairing/unpairing of eswitches which is rare and already expensive as-is.\n\n- Wrap all usages of \u0027paired\u0027 boolean in {READ|WRITE}_ONCE(). The flag has\nalready been used in some unlocked contexts without proper\nannotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn\u0027t\nan issue since all relevant code paths checked it again after obtaining the\ndevcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as\n\"best effort\" check to return NULL when devcom is being unpaired. Note that\nwhile RCU read lock doesn\u0027t prevent the unpaired flag from being changed\nconcurrently it still guarantees that reader can continue to use \u0027data\u0027.\n\n- Refactor mlx5e_tc_query_route_vport() function to use new\nmlx5_devcom_get_peer_data_rcu() API which fixes the deadlock.\n\n[0]:\n\n[ 164.599612] ======================================================\n[ 164.600142] WARNING: possible circular locking dependency detected\n[ 164.600667] 6.3.0-rc3+ #1 Not tainted\n[ 164.601021] ------------------------------------------------------\n[ 164.601557] handler1/3456 is trying to acquire lock:\n[ 164.601998] ffff88811f1714b0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[ 164.603078]\n but task is already holding lock:\n[ 164.603617] ffff88810137fc98 (\u0026comp-\u003esem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[ 164.604459]\n which lock already depends on the new lock.\n\n[ 164.605190]\n the existing dependency chain (in reverse order) is:\n[ 164.605848]\n -\u003e #1 (\u0026comp-\u003esem){++++}-{3:3}:\n[ 164.606380] down_read+0x39/0x50\n[ 164.606772] mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[ 164.607336] mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core]\n[ 164.607914] mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core]\n[ 164.608495] mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core]\n[ 164.609063] mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core]\n[ 164.609627] __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core]\n[ 164.610175] mlx5e_configure_flower+0x952/0x1a20 [mlx5_core]\n[ 164.610741] tc_setup_cb_add+0xd4/0x200\n[ 164.611146] fl_hw_replace_filter+0x14c/0x1f0 [cls_flower]\n[ 164.611661] fl_change+0xc95/0x18a0 [cls_flower]\n[ 164.612116] tc_new_tfilter+0x3fc/0xd20\n[ 164.612516] rtnetlink_rcv_msg+0x418/0x5b0\n[ 164.612936] netlink_rcv_skb+0x54/0x100\n[ 164.613339] netlink_unicast+0x190/0x250\n[ 164.613746] netlink_sendmsg+0x245/0x4a0\n[ 164.614150] sock_sendmsg+0x38/0x60\n[ 164.614522] ____sys_sendmsg+0x1d0/0x1e0\n[ 164.614934] ___sys_sendmsg+0x80/0xc0\n[ 164.615320] __sys_sendmsg+0x51/0x90\n[ 164.615701] do_syscall_64+0x3d/0x90\n[ 164.616083] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 164.616568]\n -\u003e #0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}:\n[ 164.617210] __lock_acquire+0x159e/0x26e0\n[ 164.617638] lock_acquire+0xc2/0x2a0\n[ 164.618018] __mutex_lock+0x92/0xcd0\n[ 164.618401] mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[ 164.618943] post_process_attr+0x153/0x2d0 [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:05.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69966bce28da6aadccfd968b75d128a79da32d17"
},
{
"url": "https://git.kernel.org/stable/c/362063df6ceec80b0b6798b61ae03504dcc125a5"
},
{
"url": "https://git.kernel.org/stable/c/a7236e420a7d8082b1df4b3e05c739dd2642a662"
},
{
"url": "https://git.kernel.org/stable/c/691c041bf20899fc13c793f92ba61ab660fa3a30"
}
],
"title": "net/mlx5e: Fix deadlock in tc route query code",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53591",
"datePublished": "2025-10-04T15:44:05.430Z",
"dateReserved": "2025-10-04T15:40:38.478Z",
"dateUpdated": "2025-10-04T15:44:05.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53654 (GCVE-0-2023-53654)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: Add validation before accessing cgx and lmac
with the addition of new MAC blocks like CN10K RPM and CN10KB
RPM_USX, LMACs are noncontiguous and CGX blocks are also
noncontiguous. But during RVU driver initialization, the driver
is assuming they are contiguous and trying to access
cgx or lmac with their id which is resulting in kernel panic.
This patch fixes the issue by adding proper checks.
[ 23.219150] pc : cgx_lmac_read+0x38/0x70
[ 23.219154] lr : rvu_program_channels+0x3f0/0x498
[ 23.223852] sp : ffff000100d6fc80
[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:
000000000000005a
[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:
fffffffffff0f000
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/cgx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "a5485a943193e55c79150382e6461e8ea759e96e",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "b04872e15f3df62cb2fd530950f769626e1ef489",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
},
{
"lessThan": "79ebb53772c95d3a6ae51b3c65f9985fdd430df6",
"status": "affected",
"version": "91c6945ea1f9059fea886630d0fd8070740e2aaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/cgx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation before accessing cgx and lmac\n\nwith the addition of new MAC blocks like CN10K RPM and CN10KB\nRPM_USX, LMACs are noncontiguous and CGX blocks are also\nnoncontiguous. But during RVU driver initialization, the driver\nis assuming they are contiguous and trying to access\ncgx or lmac with their id which is resulting in kernel panic.\n\nThis patch fixes the issue by adding proper checks.\n\n[ 23.219150] pc : cgx_lmac_read+0x38/0x70\n[ 23.219154] lr : rvu_program_channels+0x3f0/0x498\n[ 23.223852] sp : ffff000100d6fc80\n[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:\n000000000000005a\n[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:\nfffffffffff0f000"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:49.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef"
},
{
"url": "https://git.kernel.org/stable/c/a5485a943193e55c79150382e6461e8ea759e96e"
},
{
"url": "https://git.kernel.org/stable/c/b04872e15f3df62cb2fd530950f769626e1ef489"
},
{
"url": "https://git.kernel.org/stable/c/79ebb53772c95d3a6ae51b3c65f9985fdd430df6"
}
],
"title": "octeontx2-af: Add validation before accessing cgx and lmac",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53654",
"datePublished": "2025-10-07T15:19:49.985Z",
"dateReserved": "2025-10-07T15:16:59.661Z",
"dateUpdated": "2025-10-07T15:19:49.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39812 (GCVE-0-2025-39812)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-11-03 17:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: initialize more fields in sctp_v6_from_sk()
syzbot found that sin6_scope_id was not properly initialized,
leading to undefined behavior.
Clear sin6_scope_id and sin6_flowinfo.
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
__sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983
sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390
sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452
sctp_get_port net/sctp/socket.c:8523 [inline]
sctp_listen_start net/sctp/socket.c:8567 [inline]
sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636
__sys_listen_socket net/socket.c:1912 [inline]
__sys_listen net/socket.c:1927 [inline]
__do_sys_listen net/socket.c:1932 [inline]
__se_sys_listen net/socket.c:1930 [inline]
__x64_sys_listen+0x343/0x4c0 net/socket.c:1930
x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable addr.i.i created at:
sctp_get_port net/sctp/socket.c:8515 [inline]
sctp_listen_start net/sctp/socket.c:8567 [inline]
sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636
__sys_listen_socket net/socket.c:1912 [inline]
__sys_listen net/socket.c:1927 [inline]
__do_sys_listen net/socket.c:1932 [inline]
__se_sys_listen net/socket.c:1930 [inline]
__x64_sys_listen+0x343/0x4c0 net/socket.c:1930
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:36.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45e4b36593edffb7bbee5828ae820bc10a9fa0f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9546934c2054bba1bd605c44e936619159a34027",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17d6c7747045e9b802c2f5dfaba260d309d831ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65b4693d8bab5370cfcb44a275b4d8dcb06e56bf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "463aa96fca6209bb205f49f7deea3817d7ddaa3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bbc0c02aea1f1c405bd1271466889c25a1fe01b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6c2cc99fc2387ba6499facd6108f6543382792d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e8750469242cad8f01f320131fd5a6f540dbb99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.242",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.298",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.242",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.191",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.104",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.45",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n sctp_get_port net/sctp/socket.c:8523 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n sctp_get_port net/sctp/socket.c:8515 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:56.151Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3"
},
{
"url": "https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027"
},
{
"url": "https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae"
},
{
"url": "https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf"
},
{
"url": "https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a"
},
{
"url": "https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b"
},
{
"url": "https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d"
},
{
"url": "https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99"
}
],
"title": "sctp: initialize more fields in sctp_v6_from_sk()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39812",
"datePublished": "2025-09-16T13:00:14.103Z",
"dateReserved": "2025-04-16T07:20:57.137Z",
"dateUpdated": "2025-11-03T17:43:36.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40061 (GCVE-0-2025-40061)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-10-28 11:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix race in do_task() when draining
When do_task() exhausts its iteration budget (!ret), it sets the state
to TASK_STATE_IDLE to reschedule, without a secondary check on the
current task->state. This can overwrite the TASK_STATE_DRAINING state
set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().
While state changes are protected by a spinlock, both rxe_cleanup_task()
and rxe_disable_task() release the lock while waiting for the task to
finish draining in the while(!is_done(task)) loop. The race occurs if
do_task() hits its iteration limit and acquires the lock in this window.
The cleanup logic may then proceed while the task incorrectly
reschedules itself, leading to a potential use-after-free.
This bug was introduced during the migration from tasklets to workqueues,
where the special handling for the draining case was lost.
Fix this by restoring the original pre-migration behavior. If the state is
TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to
force a new loop iteration. This allows the task to finish its work, so
that a subsequent iteration can reach the switch statement and correctly
transition the state to TASK_STATE_DRAINED, stopping the task as intended.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "85288bcf7ffe11e7b036edf91937bc62fd384076",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "52edccfb555142678c836c285bf5b4ec760bd043",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "660b6959c4170637f5db2279d1f71af33a49e49b",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
},
{
"lessThan": "8ca7eada62fcfabf6ec1dc7468941e791c1d8729",
"status": "affected",
"version": "9b4b7c1f9f54120940e243251e2b1407767b3381",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race in do_task() when draining\n\nWhen do_task() exhausts its iteration budget (!ret), it sets the state\nto TASK_STATE_IDLE to reschedule, without a secondary check on the\ncurrent task-\u003estate. This can overwrite the TASK_STATE_DRAINING state\nset by a concurrent call to rxe_cleanup_task() or rxe_disable_task().\n\nWhile state changes are protected by a spinlock, both rxe_cleanup_task()\nand rxe_disable_task() release the lock while waiting for the task to\nfinish draining in the while(!is_done(task)) loop. The race occurs if\ndo_task() hits its iteration limit and acquires the lock in this window.\nThe cleanup logic may then proceed while the task incorrectly\nreschedules itself, leading to a potential use-after-free.\n\nThis bug was introduced during the migration from tasklets to workqueues,\nwhere the special handling for the draining case was lost.\n\nFix this by restoring the original pre-migration behavior. If the state is\nTASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to\nforce a new loop iteration. This allows the task to finish its work, so\nthat a subsequent iteration can reach the switch statement and correctly\ntransition the state to TASK_STATE_DRAINED, stopping the task as intended."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T11:48:33.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/85288bcf7ffe11e7b036edf91937bc62fd384076"
},
{
"url": "https://git.kernel.org/stable/c/52edccfb555142678c836c285bf5b4ec760bd043"
},
{
"url": "https://git.kernel.org/stable/c/660b6959c4170637f5db2279d1f71af33a49e49b"
},
{
"url": "https://git.kernel.org/stable/c/8ca7eada62fcfabf6ec1dc7468941e791c1d8729"
}
],
"title": "RDMA/rxe: Fix race in do_task() when draining",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40061",
"datePublished": "2025-10-28T11:48:33.361Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-10-28T11:48:33.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53651 (GCVE-0-2023-53651)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: exc3000 - properly stop timer on shutdown
We need to stop the timer on driver unbind or probe failures, otherwise
we get UAF/Oops.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/exc3000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "526a177ac6353d65057eadb5d6edafc168f64484",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
},
{
"lessThan": "bee57c20fc0ca5ef9b9a53a0335eab2ac9e9cae1",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
},
{
"lessThan": "79c81d137d36f9635bbcbc3916c0cccb418a61dd",
"status": "affected",
"version": "7e577a17f2eefeef32f1106ebf91e7cd143ba654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/exc3000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.20",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: exc3000 - properly stop timer on shutdown\n\nWe need to stop the timer on driver unbind or probe failures, otherwise\nwe get UAF/Oops."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:47.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/526a177ac6353d65057eadb5d6edafc168f64484"
},
{
"url": "https://git.kernel.org/stable/c/bee57c20fc0ca5ef9b9a53a0335eab2ac9e9cae1"
},
{
"url": "https://git.kernel.org/stable/c/79c81d137d36f9635bbcbc3916c0cccb418a61dd"
}
],
"title": "Input: exc3000 - properly stop timer on shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53651",
"datePublished": "2025-10-07T15:19:47.832Z",
"dateReserved": "2025-10-07T15:16:59.660Z",
"dateUpdated": "2025-10-07T15:19:47.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53554 (GCVE-0-2023-53554)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
The "exc->key_len" is a u16 that comes from the user. If it's over
IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 Version: b121d84882b97b8668be0b95e9ba50cfd01aa0f1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/ks7010/ks_wlan_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9496fb96ddeb740dc6b966f4a7d8dfb8b93921c6",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "663fff29fd613e2b0d30c4138157312ba93c4939",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "5373a1aa91b2298f9305794b8270cf9896be96b6",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "caac4b6c15b66feae4d83f602e1e46f124540202",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "baf420e30364ef9efe3e29a5c0e01e612aebf3fe",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "7ae9f55a495077f838bab466411ee6f38574df9b",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "b1b04b56745bc79286c80aa876fabfab1e08ebf1",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
},
{
"lessThan": "5f1c7031e044cb2fba82836d55cc235e2ad619dc",
"status": "affected",
"version": "b121d84882b97b8668be0b95e9ba50cfd01aa0f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/ks7010/ks_wlan_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()\n\nThe \"exc-\u003ekey_len\" is a u16 that comes from the user. If it\u0027s over\nIW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:59.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9496fb96ddeb740dc6b966f4a7d8dfb8b93921c6"
},
{
"url": "https://git.kernel.org/stable/c/663fff29fd613e2b0d30c4138157312ba93c4939"
},
{
"url": "https://git.kernel.org/stable/c/5373a1aa91b2298f9305794b8270cf9896be96b6"
},
{
"url": "https://git.kernel.org/stable/c/caac4b6c15b66feae4d83f602e1e46f124540202"
},
{
"url": "https://git.kernel.org/stable/c/baf420e30364ef9efe3e29a5c0e01e612aebf3fe"
},
{
"url": "https://git.kernel.org/stable/c/7ae9f55a495077f838bab466411ee6f38574df9b"
},
{
"url": "https://git.kernel.org/stable/c/b1b04b56745bc79286c80aa876fabfab1e08ebf1"
},
{
"url": "https://git.kernel.org/stable/c/5f1c7031e044cb2fba82836d55cc235e2ad619dc"
}
],
"title": "staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53554",
"datePublished": "2025-10-04T15:16:59.749Z",
"dateReserved": "2025-10-04T15:14:15.922Z",
"dateUpdated": "2025-10-04T15:16:59.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53462 (GCVE-0-2023-53462)
Vulnerability from cvelistv5
Published
2025-10-01 11:42
Modified
2025-10-01 11:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hsr: Fix uninit-value access in fill_frame_info()
Syzbot reports the following uninit-value access problem.
=====================================================
BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]
BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
fill_frame_info net/hsr/hsr_forward.c:601 [inline]
hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223
__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
netdev_start_xmit include/linux/netdevice.h:4903 [inline]
xmit_one net/core/dev.c:3544 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
__dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
__sys_sendto+0x781/0xa30 net/socket.c:2176
__do_sys_sendto net/socket.c:2188 [inline]
__se_sys_sendto net/socket.c:2184 [inline]
__ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
packet_alloc_skb net/packet/af_packet.c:2936 [inline]
packet_snd net/packet/af_packet.c:3030 [inline]
packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
__sys_sendto+0x781/0xa30 net/socket.c:2176
__do_sys_sendto net/socket.c:2188 [inline]
__se_sys_sendto net/socket.c:2184 [inline]
__ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
It is because VLAN not yet supported in hsr driver. Return error
when protocol is ETH_P_8021Q in fill_frame_info() now to fix it.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e90a93ac4845c31724ec5dc96fb51e608435a9d",
"status": "affected",
"version": "451d8123f89791bb628277c0bdb4cae34a3563e6",
"versionType": "git"
},
{
"lessThan": "6a4480c5e6ebaf9f797ac300e2a97a02d4e70cfd",
"status": "affected",
"version": "451d8123f89791bb628277c0bdb4cae34a3563e6",
"versionType": "git"
},
{
"lessThan": "61866f7d814e5792bf47410d7d3ff32e49bd292a",
"status": "affected",
"version": "451d8123f89791bb628277c0bdb4cae34a3563e6",
"versionType": "git"
},
{
"lessThan": "ed7a0ba7e840dc5d54cdbd8466be27e6aedce1e5",
"status": "affected",
"version": "451d8123f89791bb628277c0bdb4cae34a3563e6",
"versionType": "git"
},
{
"lessThan": "484b4833c604c0adcf19eac1ca14b60b757355b5",
"status": "affected",
"version": "451d8123f89791bb628277c0bdb4cae34a3563e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in fill_frame_info()\n\nSyzbot reports the following uninit-value access problem.\n\n=====================================================\nBUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]\nBUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n fill_frame_info net/hsr/hsr_forward.c:601 [inline]\n hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4889 [inline]\n netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n xmit_one net/core/dev.c:3544 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560\n __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340\n dev_queue_xmit include/linux/netdevice.h:3082 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:644\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nIt is because VLAN not yet supported in hsr driver. Return error\nwhen protocol is ETH_P_8021Q in fill_frame_info() now to fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:33.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e90a93ac4845c31724ec5dc96fb51e608435a9d"
},
{
"url": "https://git.kernel.org/stable/c/6a4480c5e6ebaf9f797ac300e2a97a02d4e70cfd"
},
{
"url": "https://git.kernel.org/stable/c/61866f7d814e5792bf47410d7d3ff32e49bd292a"
},
{
"url": "https://git.kernel.org/stable/c/ed7a0ba7e840dc5d54cdbd8466be27e6aedce1e5"
},
{
"url": "https://git.kernel.org/stable/c/484b4833c604c0adcf19eac1ca14b60b757355b5"
}
],
"title": "hsr: Fix uninit-value access in fill_frame_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53462",
"datePublished": "2025-10-01T11:42:33.434Z",
"dateReserved": "2025-10-01T11:39:39.399Z",
"dateUpdated": "2025-10-01T11:42:33.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50542 (GCVE-0-2022-50542)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: si470x: Fix use-after-free in si470x_int_in_callback()
syzbot reported use-after-free in si470x_int_in_callback() [1]. This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.
The cause of this issue is that si470x_int_in_callback() is called for
freed urb.
si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
si470x_device object, as depicted below:
si470x_usb_driver_probe()
...
si470x_start_usb()
...
usb_submit_urb()
retval = si470x_start()
return retval
if (retval < 0)
free struct si470x_device object, but don't kill urb
This patch fixes this issue by killing urb when si470x_start_usb()
fails and urb is submitted. If si470x_start_usb() fails and urb is
not submitted, i.e. submitting usb fails, it just frees struct
si470x_device object.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/si470x/radio-si470x-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "146bd005ebb01ae190c22af050cb98623958c373",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c6151b8e8dd2d98ad2cd725d26d1e103d989891",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52f54fe78cca24850a30865037250f63eb3d5bf7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ca298d548461d29615f9a2b1309e8dcf4a352c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c6447d0fc68650e51586dde79b5090d9d77f13a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c8aee0c8fcc6dda94315f7908e8fa9bc75abe75",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "63648a7bd1a7599bcc2040a6d1792363ae4c2e1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92b0888398e4ba51d93b618a6506781f4e3879c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d21e0b1b41b21d628bf2afce777727bd4479aa5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/radio/si470x/radio-si470x-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: si470x: Fix use-after-free in si470x_int_in_callback()\n\nsyzbot reported use-after-free in si470x_int_in_callback() [1]. This\nindicates that urb-\u003econtext, which contains struct si470x_device\nobject, is freed when si470x_int_in_callback() is called.\n\nThe cause of this issue is that si470x_int_in_callback() is called for\nfreed urb.\n\nsi470x_usb_driver_probe() calls si470x_start_usb(), which then calls\nusb_submit_urb() and si470x_start(). If si470x_start_usb() fails,\nsi470x_usb_driver_probe() doesn\u0027t kill urb, but it just frees struct\nsi470x_device object, as depicted below:\n\nsi470x_usb_driver_probe()\n ...\n si470x_start_usb()\n ...\n usb_submit_urb()\n retval = si470x_start()\n return retval\n if (retval \u003c 0)\n free struct si470x_device object, but don\u0027t kill urb\n\nThis patch fixes this issue by killing urb when si470x_start_usb()\nfails and urb is submitted. If si470x_start_usb() fails and urb is\nnot submitted, i.e. submitting usb fails, it just frees struct\nsi470x_device object."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:07.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/146bd005ebb01ae190c22af050cb98623958c373"
},
{
"url": "https://git.kernel.org/stable/c/8c6151b8e8dd2d98ad2cd725d26d1e103d989891"
},
{
"url": "https://git.kernel.org/stable/c/52f54fe78cca24850a30865037250f63eb3d5bf7"
},
{
"url": "https://git.kernel.org/stable/c/0ca298d548461d29615f9a2b1309e8dcf4a352c6"
},
{
"url": "https://git.kernel.org/stable/c/1c6447d0fc68650e51586dde79b5090d9d77f13a"
},
{
"url": "https://git.kernel.org/stable/c/6c8aee0c8fcc6dda94315f7908e8fa9bc75abe75"
},
{
"url": "https://git.kernel.org/stable/c/63648a7bd1a7599bcc2040a6d1792363ae4c2e1b"
},
{
"url": "https://git.kernel.org/stable/c/92b0888398e4ba51d93b618a6506781f4e3879c9"
},
{
"url": "https://git.kernel.org/stable/c/7d21e0b1b41b21d628bf2afce777727bd4479aa5"
}
],
"title": "media: si470x: Fix use-after-free in si470x_int_in_callback()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50542",
"datePublished": "2025-10-07T15:21:07.236Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:07.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50504 (GCVE-0-2022-50504)
Vulnerability from cvelistv5
Published
2025-10-04 15:43
Modified
2025-10-04 15:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: avoid scheduling in rtas_os_term()
It's unsafe to use rtas_busy_delay() to handle a busy status from
the ibm,os-term RTAS function in rtas_os_term():
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 2, expected: 0
CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9
Call Trace:
[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)
[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0
[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0
[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4
[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68
[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50
[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0
[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0
[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0
[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420
[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200
Use rtas_busy_delay_time() instead, which signals without side effects
whether to attempt the ibm,os-term RTAS call again.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f413135b337c4e90c1e593c6613f8717e17bc724",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4768935b8cc2d2afeb7956292df0f6e2c49ca0a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffa991a003abb4f8cb9e5004646bfe2d9a46912c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "515959eb49e6d218a46979d66f36fdef329ac7d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f7e2fcab73372a371ab4017cbedf7a71f4f9b40",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7280fdb80bf0fe35d9b799fc7009f2cbe0a397d7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bed48651c87bef59ea1a9d6dbc381bcbc452f4ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "482d990a5dd1027ee0b70a8a570d56749cac8103",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid scheduling in rtas_os_term()\n\nIt\u0027s unsafe to use rtas_busy_delay() to handle a busy status from\nthe ibm,os-term RTAS function in rtas_os_term():\n\nKernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\nBUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 2, expected: 0\nCPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9\nCall Trace:\n[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)\n[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0\n[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0\n[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4\n[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68\n[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50\n[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0\n[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0\n[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0\n[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420\n[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200\n\nUse rtas_busy_delay_time() instead, which signals without side effects\nwhether to attempt the ibm,os-term RTAS call again."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:53.523Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f413135b337c4e90c1e593c6613f8717e17bc724"
},
{
"url": "https://git.kernel.org/stable/c/4768935b8cc2d2afeb7956292df0f6e2c49ca0a5"
},
{
"url": "https://git.kernel.org/stable/c/ffa991a003abb4f8cb9e5004646bfe2d9a46912c"
},
{
"url": "https://git.kernel.org/stable/c/515959eb49e6d218a46979d66f36fdef329ac7d2"
},
{
"url": "https://git.kernel.org/stable/c/6f7e2fcab73372a371ab4017cbedf7a71f4f9b40"
},
{
"url": "https://git.kernel.org/stable/c/7280fdb80bf0fe35d9b799fc7009f2cbe0a397d7"
},
{
"url": "https://git.kernel.org/stable/c/bed48651c87bef59ea1a9d6dbc381bcbc452f4ff"
},
{
"url": "https://git.kernel.org/stable/c/482d990a5dd1027ee0b70a8a570d56749cac8103"
},
{
"url": "https://git.kernel.org/stable/c/6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4"
}
],
"title": "powerpc/rtas: avoid scheduling in rtas_os_term()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50504",
"datePublished": "2025-10-04T15:43:53.523Z",
"dateReserved": "2025-10-04T15:39:19.465Z",
"dateUpdated": "2025-10-04T15:43:53.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53249 (GCVE-0-2023-53249)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
Use devm_of_iomap() instead of of_iomap() to automatically handle
the unused ioremap region.
If any error occurs, regions allocated by kzalloc() will leak,
but using devm_kzalloc() instead will automatically free the memory
using devm_kfree().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b Version: 96d6392b54dbb1ff2b39448a2516fa6abb33114b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "294321349bd3b0680847fc2bbe66b9ab3e522fea",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "50b5ddde8fad5f0ffd239029d0956af633a0f9b1",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "9ba3693b0350b154fdd7830559bbc7b04c067096",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "9428cf0fbf4be9a24f3e15a0c166b861b12666af",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "d4fa5e47af1e7bb2bbcaac062b14216c00e92148",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
},
{
"lessThan": "188d070de9132667956f5aadd98d2bd87d3eac89",
"status": "affected",
"version": "96d6392b54dbb1ff2b39448a2516fa6abb33114b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx8mn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe\n\nUse devm_of_iomap() instead of of_iomap() to automatically handle\nthe unused ioremap region.\n\nIf any error occurs, regions allocated by kzalloc() will leak,\nbut using devm_kzalloc() instead will automatically free the memory\nusing devm_kfree()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:19.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/294321349bd3b0680847fc2bbe66b9ab3e522fea"
},
{
"url": "https://git.kernel.org/stable/c/50b5ddde8fad5f0ffd239029d0956af633a0f9b1"
},
{
"url": "https://git.kernel.org/stable/c/9ba3693b0350b154fdd7830559bbc7b04c067096"
},
{
"url": "https://git.kernel.org/stable/c/9428cf0fbf4be9a24f3e15a0c166b861b12666af"
},
{
"url": "https://git.kernel.org/stable/c/d4fa5e47af1e7bb2bbcaac062b14216c00e92148"
},
{
"url": "https://git.kernel.org/stable/c/188d070de9132667956f5aadd98d2bd87d3eac89"
}
],
"title": "clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53249",
"datePublished": "2025-09-15T14:46:19.184Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2025-09-15T14:46:19.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53257 (GCVE-0-2023-53257)
Vulnerability from cvelistv5
Published
2025-09-15 14:46
Modified
2025-09-15 14:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check S1G action frame size
Before checking the action code, check that it even
exists in the frame.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fedd9377dd9c71a950d432fbe1628eebfbed70a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ae7a1378a119780c8c17a6b5fc03011c3bb7029",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e030a2509be72b452b6f4a800786d43229414db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19e4a47ee74718a22e963e8a647c8c3bfe8bb05c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check S1G action frame size\n\nBefore checking the action code, check that it even\nexists in the frame."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:46:29.009Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fedd9377dd9c71a950d432fbe1628eebfbed70a1"
},
{
"url": "https://git.kernel.org/stable/c/7ae7a1378a119780c8c17a6b5fc03011c3bb7029"
},
{
"url": "https://git.kernel.org/stable/c/5e030a2509be72b452b6f4a800786d43229414db"
},
{
"url": "https://git.kernel.org/stable/c/19e4a47ee74718a22e963e8a647c8c3bfe8bb05c"
}
],
"title": "wifi: mac80211: check S1G action frame size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53257",
"datePublished": "2025-09-15T14:46:29.009Z",
"dateReserved": "2025-09-15T14:19:21.850Z",
"dateUpdated": "2025-09-15T14:46:29.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53611 (GCVE-0-2023-53611)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi_si: fix a memleak in try_smi_init()
Kmemleak reported the following leak info in try_smi_init():
unreferenced object 0xffff00018ecf9400 (size 1024):
comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s)
backtrace:
[<000000004ca5b312>] __kmalloc+0x4b8/0x7b0
[<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si]
[<000000006460d325>] 0xffff800081b10148
[<0000000039206ea5>] do_one_initcall+0x64/0x2a4
[<00000000601399ce>] do_init_module+0x50/0x300
[<000000003c12ba3c>] load_module+0x7a8/0x9e0
[<00000000c246fffe>] __se_sys_init_module+0x104/0x180
[<00000000eea99093>] __arm64_sys_init_module+0x24/0x30
[<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250
[<0000000070f4f8b7>] do_el0_svc+0x48/0xe0
[<000000005a05337f>] el0_svc+0x24/0x3c
[<000000005eb248d6>] el0_sync_handler+0x160/0x164
[<0000000030a59039>] el0_sync+0x160/0x180
The problem was that when an error occurred before handlers registration
and after allocating `new_smi->si_sm`, the variable wouldn't be freed in
the error handling afterwards since `shutdown_smi()` hadn't been
registered yet. Fix it by adding a `kfree()` in the error handling path
in `try_smi_init()`.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 Version: 7960f18a56475bf2177c5ff56c72eb4c12c56440 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_si_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9bc8fbb2d416ce87f0342478dc9fcfd79f2c65f",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "f53ab5a2bf20fed59a2f7542d3453228b8056358",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "5c5f02e16b919c8cb6024dc3778c8d8f1fb1f26b",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "cbb7d8a4b4beb3061b3a1847a742983a01dca381",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "09cb2a71b2e982015fe0464f28da1ab42b8e6375",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "1bfcfea0fae0d0a6c6ff5543e6d704b3807b83ce",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "7291af9a738d936c2d6869d030711dceb68404d0",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
},
{
"lessThan": "6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f",
"status": "affected",
"version": "7960f18a56475bf2177c5ff56c72eb4c12c56440",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_si_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi_si: fix a memleak in try_smi_init()\n\nKmemleak reported the following leak info in try_smi_init():\n\nunreferenced object 0xffff00018ecf9400 (size 1024):\n comm \"modprobe\", pid 2707763, jiffies 4300851415 (age 773.308s)\n backtrace:\n [\u003c000000004ca5b312\u003e] __kmalloc+0x4b8/0x7b0\n [\u003c00000000953b1072\u003e] try_smi_init+0x148/0x5dc [ipmi_si]\n [\u003c000000006460d325\u003e] 0xffff800081b10148\n [\u003c0000000039206ea5\u003e] do_one_initcall+0x64/0x2a4\n [\u003c00000000601399ce\u003e] do_init_module+0x50/0x300\n [\u003c000000003c12ba3c\u003e] load_module+0x7a8/0x9e0\n [\u003c00000000c246fffe\u003e] __se_sys_init_module+0x104/0x180\n [\u003c00000000eea99093\u003e] __arm64_sys_init_module+0x24/0x30\n [\u003c0000000021b1ef87\u003e] el0_svc_common.constprop.0+0x94/0x250\n [\u003c0000000070f4f8b7\u003e] do_el0_svc+0x48/0xe0\n [\u003c000000005a05337f\u003e] el0_svc+0x24/0x3c\n [\u003c000000005eb248d6\u003e] el0_sync_handler+0x160/0x164\n [\u003c0000000030a59039\u003e] el0_sync+0x160/0x180\n\nThe problem was that when an error occurred before handlers registration\nand after allocating `new_smi-\u003esi_sm`, the variable wouldn\u0027t be freed in\nthe error handling afterwards since `shutdown_smi()` hadn\u0027t been\nregistered yet. Fix it by adding a `kfree()` in the error handling path\nin `try_smi_init()`."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:19.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9bc8fbb2d416ce87f0342478dc9fcfd79f2c65f"
},
{
"url": "https://git.kernel.org/stable/c/f53ab5a2bf20fed59a2f7542d3453228b8056358"
},
{
"url": "https://git.kernel.org/stable/c/5c5f02e16b919c8cb6024dc3778c8d8f1fb1f26b"
},
{
"url": "https://git.kernel.org/stable/c/cbb7d8a4b4beb3061b3a1847a742983a01dca381"
},
{
"url": "https://git.kernel.org/stable/c/09cb2a71b2e982015fe0464f28da1ab42b8e6375"
},
{
"url": "https://git.kernel.org/stable/c/1bfcfea0fae0d0a6c6ff5543e6d704b3807b83ce"
},
{
"url": "https://git.kernel.org/stable/c/7291af9a738d936c2d6869d030711dceb68404d0"
},
{
"url": "https://git.kernel.org/stable/c/6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f"
}
],
"title": "ipmi_si: fix a memleak in try_smi_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53611",
"datePublished": "2025-10-04T15:44:19.593Z",
"dateReserved": "2025-10-04T15:40:38.480Z",
"dateUpdated": "2025-10-04T15:44:19.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53638 (GCVE-0-2023-53638)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: cancel queued works in probe error path
If it fails to get the devices's MAC address, octep_probe exits while
leaving the delayed work intr_poll_task queued. When the work later
runs, it's a use after free.
Move the cancelation of intr_poll_task from octep_remove into
octep_device_cleanup. This does not change anything in the octep_remove
flow, but octep_device_cleanup is called also in the octep_probe error
path, where the cancelation is needed.
Note that the cancelation of ctrl_mbox_task has to follow
intr_poll_task's, because the ctrl_mbox_task may be queued by
intr_poll_task.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62312e2f6466b5f0a120542a38b410d88a34ed00",
"status": "affected",
"version": "24d4333233b378114106a1327d3d635a004f4387",
"versionType": "git"
},
{
"lessThan": "758c91078165ae641b698750a72eafe7968b3756",
"status": "affected",
"version": "24d4333233b378114106a1327d3d635a004f4387",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: cancel queued works in probe error path\n\nIf it fails to get the devices\u0027s MAC address, octep_probe exits while\nleaving the delayed work intr_poll_task queued. When the work later\nruns, it\u0027s a use after free.\n\nMove the cancelation of intr_poll_task from octep_remove into\noctep_device_cleanup. This does not change anything in the octep_remove\nflow, but octep_device_cleanup is called also in the octep_probe error\npath, where the cancelation is needed.\n\nNote that the cancelation of ctrl_mbox_task has to follow\nintr_poll_task\u0027s, because the ctrl_mbox_task may be queued by\nintr_poll_task."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:38.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62312e2f6466b5f0a120542a38b410d88a34ed00"
},
{
"url": "https://git.kernel.org/stable/c/758c91078165ae641b698750a72eafe7968b3756"
}
],
"title": "octeon_ep: cancel queued works in probe error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53638",
"datePublished": "2025-10-07T15:19:38.989Z",
"dateReserved": "2025-10-07T15:16:59.658Z",
"dateUpdated": "2025-10-07T15:19:38.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53650 (GCVE-0-2023-53650)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 Version: 66d2f99d0bb5a2972fb5c1d88b61169510e540d6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_mipid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d97840bf5a388c6cbf6e46216887bf17be62acc2",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "7a8f9293bee51183023c5e37e7ebf0543cd2a134",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "9e3858f82e3ced1e990ef7116c3a16c84e62093e",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "ce6e0434e502abdf966164b7c72523fb5fe54635",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "716efd08985e3104031d1b655930b1f1c45fa8a7",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "3b4c21804076e461a6453ee4d09872172336aa1d",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "7cca0af3167dd9603da5fa6fff3392f8338e97e1",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "09ea1ae4a2ec17774892cfcff50f6d33dfa1e06f",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
},
{
"lessThan": "79a3908d1ea6c35157a6d907b1a9d8ec06015e7a",
"status": "affected",
"version": "66d2f99d0bb5a2972fb5c1d88b61169510e540d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_mipid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()\n\nIf \u0027mipid_detect()\u0027 fails, we must free \u0027md\u0027 to avoid a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:47.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d97840bf5a388c6cbf6e46216887bf17be62acc2"
},
{
"url": "https://git.kernel.org/stable/c/7a8f9293bee51183023c5e37e7ebf0543cd2a134"
},
{
"url": "https://git.kernel.org/stable/c/9e3858f82e3ced1e990ef7116c3a16c84e62093e"
},
{
"url": "https://git.kernel.org/stable/c/ce6e0434e502abdf966164b7c72523fb5fe54635"
},
{
"url": "https://git.kernel.org/stable/c/716efd08985e3104031d1b655930b1f1c45fa8a7"
},
{
"url": "https://git.kernel.org/stable/c/3b4c21804076e461a6453ee4d09872172336aa1d"
},
{
"url": "https://git.kernel.org/stable/c/7cca0af3167dd9603da5fa6fff3392f8338e97e1"
},
{
"url": "https://git.kernel.org/stable/c/09ea1ae4a2ec17774892cfcff50f6d33dfa1e06f"
},
{
"url": "https://git.kernel.org/stable/c/79a3908d1ea6c35157a6d907b1a9d8ec06015e7a"
}
],
"title": "fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53650",
"datePublished": "2025-10-07T15:19:47.118Z",
"dateReserved": "2025-10-07T15:16:59.659Z",
"dateUpdated": "2025-10-07T15:19:47.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58240 (GCVE-0-2024-58240)
Vulnerability from cvelistv5
Published
2025-08-28 09:40
Modified
2025-11-03 17:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: separate no-async decryption request handling from async
If we're not doing async, the handling is much simpler. There's no
reference counting, we just need to wait for the completion to wake us
up and return its result.
We should preferably also use a separate crypto_wait. I'm not seeing a
UAF as I did in the past, I think aec7961916f3 ("tls: fix race between
async notify and socket close") took care of it.
This will make the next fix easier.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:31:32.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48905146d11dbf1ddbb2967319016a83976953f5",
"status": "affected",
"version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
"versionType": "git"
},
{
"lessThan": "dec5b6e7b211e405d3bcb504562ab21aa7e5a64d",
"status": "affected",
"version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
"versionType": "git"
},
{
"lessThan": "999115298017a675d8ddf61414fc7a85c89f1186",
"status": "affected",
"version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
"versionType": "git"
},
{
"lessThan": "41532b785e9d79636b3815a64ddf6a096647d011",
"status": "affected",
"version": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.21",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.9",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: separate no-async decryption request handling from async\n\nIf we\u0027re not doing async, the handling is much simpler. There\u0027s no\nreference counting, we just need to wait for the completion to wake us\nup and return its result.\n\nWe should preferably also use a separate crypto_wait. I\u0027m not seeing a\nUAF as I did in the past, I think aec7961916f3 (\"tls: fix race between\nasync notify and socket close\") took care of it.\n\nThis will make the next fix easier."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T15:21:47.570Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48905146d11dbf1ddbb2967319016a83976953f5"
},
{
"url": "https://git.kernel.org/stable/c/dec5b6e7b211e405d3bcb504562ab21aa7e5a64d"
},
{
"url": "https://git.kernel.org/stable/c/999115298017a675d8ddf61414fc7a85c89f1186"
},
{
"url": "https://git.kernel.org/stable/c/41532b785e9d79636b3815a64ddf6a096647d011"
}
],
"title": "tls: separate no-async decryption request handling from async",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58240",
"datePublished": "2025-08-28T09:40:33.466Z",
"dateReserved": "2025-04-16T07:19:43.804Z",
"dateUpdated": "2025-11-03T17:31:32.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53696 (GCVE-0-2023-53696)
Vulnerability from cvelistv5
Published
2025-10-22 13:23
Modified
2025-10-22 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix memory leak in qla2x00_probe_one()
There is a memory leak reported by kmemleak:
unreferenced object 0xffffc900003f0000 (size 12288):
comm "modprobe", pid 19117, jiffies 4299751452 (age 42490.264s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000629261a8>] __vmalloc_node_range+0xe56/0x1110
[<0000000001906886>] __vmalloc_node+0xbd/0x150
[<000000005bb4dc34>] vmalloc+0x25/0x30
[<00000000a2dc1194>] qla2x00_create_host+0x7a0/0xe30 [qla2xxx]
[<0000000062b14b47>] qla2x00_probe_one+0x2eb8/0xd160 [qla2xxx]
[<00000000641ccc04>] local_pci_probe+0xeb/0x1a0
The root cause is traced to an error-handling path in qla2x00_probe_one()
when the adapter "base_vha" initialize failed. The fab_scan_rp "scan.l" is
used to record the port information and it is allocated in
qla2x00_create_host(). However, it is not released in the error handling
path "probe_failed".
Fix this by freeing the memory of "scan.l" when an error occurs in the
adapter initialization process.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae73c4dd48f2c79d515d509a0cbe9efb0a197f44",
"status": "affected",
"version": "a4239945b8ad112fb914d0605c8f6c5fd3330f61",
"versionType": "git"
},
{
"lessThan": "44374911ac63f769c442f56fdfadea673c5f4425",
"status": "affected",
"version": "a4239945b8ad112fb914d0605c8f6c5fd3330f61",
"versionType": "git"
},
{
"lessThan": "582e35e97318ccd9c81774bac08938291679525f",
"status": "affected",
"version": "a4239945b8ad112fb914d0605c8f6c5fd3330f61",
"versionType": "git"
},
{
"lessThan": "85ade4010e13ef152ea925c74d94253db92e5428",
"status": "affected",
"version": "a4239945b8ad112fb914d0605c8f6c5fd3330f61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in qla2x00_probe_one()\n\nThere is a memory leak reported by kmemleak:\n\n unreferenced object 0xffffc900003f0000 (size 12288):\n comm \"modprobe\", pid 19117, jiffies 4299751452 (age 42490.264s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c00000000629261a8\u003e] __vmalloc_node_range+0xe56/0x1110\n [\u003c0000000001906886\u003e] __vmalloc_node+0xbd/0x150\n [\u003c000000005bb4dc34\u003e] vmalloc+0x25/0x30\n [\u003c00000000a2dc1194\u003e] qla2x00_create_host+0x7a0/0xe30 [qla2xxx]\n [\u003c0000000062b14b47\u003e] qla2x00_probe_one+0x2eb8/0xd160 [qla2xxx]\n [\u003c00000000641ccc04\u003e] local_pci_probe+0xeb/0x1a0\n\nThe root cause is traced to an error-handling path in qla2x00_probe_one()\nwhen the adapter \"base_vha\" initialize failed. The fab_scan_rp \"scan.l\" is\nused to record the port information and it is allocated in\nqla2x00_create_host(). However, it is not released in the error handling\npath \"probe_failed\".\n\nFix this by freeing the memory of \"scan.l\" when an error occurs in the\nadapter initialization process."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:37.110Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae73c4dd48f2c79d515d509a0cbe9efb0a197f44"
},
{
"url": "https://git.kernel.org/stable/c/44374911ac63f769c442f56fdfadea673c5f4425"
},
{
"url": "https://git.kernel.org/stable/c/582e35e97318ccd9c81774bac08938291679525f"
},
{
"url": "https://git.kernel.org/stable/c/85ade4010e13ef152ea925c74d94253db92e5428"
}
],
"title": "scsi: qla2xxx: Fix memory leak in qla2x00_probe_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53696",
"datePublished": "2025-10-22T13:23:37.110Z",
"dateReserved": "2025-10-22T13:21:37.344Z",
"dateUpdated": "2025-10-22T13:23:37.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50544 (GCVE-0-2022-50544)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2025-10-07 15:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
xhci_alloc_stream_info() allocates stream context array for stream_info
->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
stream_info->stream_ctx_array is not released, which will lead to a
memory leak.
We can fix it by releasing the stream_info->stream_ctx_array with
xhci_free_stream_ctx() on the error path to avoid the potential memory
leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fc6bab3413e6a42bb1264ff7c9149808c93a4c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e702de2f5c893bf2cdb0152191f99a6ad1411823",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ddab9fe76296840aad686c66888a9c1dfdbff5ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9fa81cbd2dd300aa8fe9bac70e068b9a11cbb144",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91271a3e772e180bbb8afb114c72fd294a02f93d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fcd594da0b5955119d9707e4e0a8d0fb1c969101",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a40ad475236022f3432880e3091c380e46e71a71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "782c873f8e7686f5b3c47e8b099f7e08c3dd1fdc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e271f42a5cc3768cd2622b929ba66859ae21f97",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-mem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()\n\nxhci_alloc_stream_info() allocates stream context array for stream_info\n-\u003estream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,\nstream_info-\u003estream_ctx_array is not released, which will lead to a\nmemory leak.\n\nWe can fix it by releasing the stream_info-\u003estream_ctx_array with\nxhci_free_stream_ctx() on the error path to avoid the potential memory\nleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:21:08.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fc6bab3413e6a42bb1264ff7c9149808c93a4c7"
},
{
"url": "https://git.kernel.org/stable/c/e702de2f5c893bf2cdb0152191f99a6ad1411823"
},
{
"url": "https://git.kernel.org/stable/c/ddab9fe76296840aad686c66888a9c1dfdbff5ff"
},
{
"url": "https://git.kernel.org/stable/c/9fa81cbd2dd300aa8fe9bac70e068b9a11cbb144"
},
{
"url": "https://git.kernel.org/stable/c/91271a3e772e180bbb8afb114c72fd294a02f93d"
},
{
"url": "https://git.kernel.org/stable/c/fcd594da0b5955119d9707e4e0a8d0fb1c969101"
},
{
"url": "https://git.kernel.org/stable/c/a40ad475236022f3432880e3091c380e46e71a71"
},
{
"url": "https://git.kernel.org/stable/c/782c873f8e7686f5b3c47e8b099f7e08c3dd1fdc"
},
{
"url": "https://git.kernel.org/stable/c/7e271f42a5cc3768cd2622b929ba66859ae21f97"
}
],
"title": "usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50544",
"datePublished": "2025-10-07T15:21:08.629Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2025-10-07T15:21:08.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39900 (GCVE-0-2025-39900)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y
syzbot reported a WARNING in est_timer() [1]
Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks
can be preempted.
Adopt preempt_disable_nested()/preempt_enable_nested() to fix this.
[1]
WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]
WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]
RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
Call Trace:
<TASK>
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22c/0x710 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1043
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gen_estimator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22ec2ee824be30803068a52f78f7ffe3bc879fb",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "e79923824c48b930609680be04cb29253fc4a17d",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "9f74c0ea9b26d1505d55b61e36b1623dd347e1d1",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gen_estimator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y\n\nsyzbot reported a WARNING in est_timer() [1]\n\nProblem here is that with CONFIG_PREEMPT_RT=y, timer callbacks\ncan be preempted.\n\nAdopt preempt_disable_nested()/preempt_enable_nested() to fix this.\n\n[1]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nModules linked in:\nCPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]\n RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nCall Trace:\n \u003cTASK\u003e\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n expire_timers kernel/time/timer.c:1798 [inline]\n __run_timers kernel/time/timer.c:2372 [inline]\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n run_timer_base kernel/time/timer.c:2393 [inline]\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n handle_softirqs+0x22c/0x710 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1043\n smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:47.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22ec2ee824be30803068a52f78f7ffe3bc879fb"
},
{
"url": "https://git.kernel.org/stable/c/e79923824c48b930609680be04cb29253fc4a17d"
},
{
"url": "https://git.kernel.org/stable/c/9f74c0ea9b26d1505d55b61e36b1623dd347e1d1"
}
],
"title": "net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39900",
"datePublished": "2025-10-01T07:42:47.785Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:47.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53558 (GCVE-0-2023-53558)
Vulnerability from cvelistv5
Published
2025-10-04 15:17
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()
pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because
pr_info() calls printk() that might sleep, this will result in BUG
like below:
[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues.
[ 0.206463]
[ 0.206464] =============================
[ 0.206464] [ BUG: Invalid wait context ]
[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted
[ 0.206466] -----------------------------
[ 0.206466] swapper/0/1 is trying to lock:
[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0
[ 0.206473] other info that might help us debug this:
[ 0.206473] context-{5:5}
[ 0.206474] 3 locks held by swapper/0/1:
[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0
[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e
[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330
[ 0.206485] stack backtrace:
[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5
[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 0.206489] Call Trace:
[ 0.206490] <TASK>
[ 0.206491] dump_stack_lvl+0x6a/0x9f
[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe
[ 0.206496] ? stack_trace_save+0x46/0x70
[ 0.206497] lock_acquire+0xd1/0x2f0
[ 0.206499] ? serial8250_console_write+0x327/0x4a0
[ 0.206500] ? __lock_acquire+0x5c7/0x2720
[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90
[ 0.206504] ? serial8250_console_write+0x327/0x4a0
[ 0.206506] serial8250_console_write+0x327/0x4a0
[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330
[ 0.206511] console_unlock+0xf7/0x1f0
[ 0.206512] vprintk_emit+0xf7/0x330
[ 0.206514] _printk+0x63/0x7e
[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32
[ 0.206518] rcu_init_tasks_generic+0x5/0xd9
[ 0.206522] kernel_init_freeable+0x15b/0x2a2
[ 0.206523] ? rest_init+0x160/0x160
[ 0.206526] kernel_init+0x11/0x120
[ 0.206527] ret_from_fork+0x1f/0x30
[ 0.206530] </TASK>
[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1.
This patch moves pr_info() so that it is called without
rtp->cbs_gbl_lock locked.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tasks.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9027d69221ff96e1356f070f7feb2ff989ae7388",
"status": "affected",
"version": "ab97152f88a4d580b89f0b7cc3028ffac438216f",
"versionType": "git"
},
{
"lessThan": "ea9b81c7d9104040b46a84d2303045de267f5557",
"status": "affected",
"version": "ab97152f88a4d580b89f0b7cc3028ffac438216f",
"versionType": "git"
},
{
"lessThan": "5fc8cbe4cf0fd34ded8045c385790c3bf04f6785",
"status": "affected",
"version": "ab97152f88a4d580b89f0b7cc3028ffac438216f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tasks.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()\n\npr_info() is called with rtp-\u003ecbs_gbl_lock spin lock locked. Because\npr_info() calls printk() that might sleep, this will result in BUG\nlike below:\n\n[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues.\n[ 0.206463]\n[ 0.206464] =============================\n[ 0.206464] [ BUG: Invalid wait context ]\n[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted\n[ 0.206466] -----------------------------\n[ 0.206466] swapper/0/1 is trying to lock:\n[ 0.206467] ffffffffa0167a58 (\u0026port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0\n[ 0.206473] other info that might help us debug this:\n[ 0.206473] context-{5:5}\n[ 0.206474] 3 locks held by swapper/0/1:\n[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0\n[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e\n[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330\n[ 0.206485] stack backtrace:\n[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5\n[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[ 0.206489] Call Trace:\n[ 0.206490] \u003cTASK\u003e\n[ 0.206491] dump_stack_lvl+0x6a/0x9f\n[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe\n[ 0.206496] ? stack_trace_save+0x46/0x70\n[ 0.206497] lock_acquire+0xd1/0x2f0\n[ 0.206499] ? serial8250_console_write+0x327/0x4a0\n[ 0.206500] ? __lock_acquire+0x5c7/0x2720\n[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90\n[ 0.206504] ? serial8250_console_write+0x327/0x4a0\n[ 0.206506] serial8250_console_write+0x327/0x4a0\n[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330\n[ 0.206511] console_unlock+0xf7/0x1f0\n[ 0.206512] vprintk_emit+0xf7/0x330\n[ 0.206514] _printk+0x63/0x7e\n[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32\n[ 0.206518] rcu_init_tasks_generic+0x5/0xd9\n[ 0.206522] kernel_init_freeable+0x15b/0x2a2\n[ 0.206523] ? rest_init+0x160/0x160\n[ 0.206526] kernel_init+0x11/0x120\n[ 0.206527] ret_from_fork+0x1f/0x30\n[ 0.206530] \u003c/TASK\u003e\n[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1.\n\nThis patch moves pr_info() so that it is called without\nrtp-\u003ecbs_gbl_lock locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:31.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9027d69221ff96e1356f070f7feb2ff989ae7388"
},
{
"url": "https://git.kernel.org/stable/c/ea9b81c7d9104040b46a84d2303045de267f5557"
},
{
"url": "https://git.kernel.org/stable/c/5fc8cbe4cf0fd34ded8045c385790c3bf04f6785"
}
],
"title": "rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53558",
"datePublished": "2025-10-04T15:17:02.822Z",
"dateReserved": "2025-10-04T15:14:15.923Z",
"dateUpdated": "2025-10-29T10:50:31.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53183 (GCVE-0-2023-53183)
Vulnerability from cvelistv5
Published
2025-09-15 14:04
Modified
2025-09-15 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: exit gracefully if reloc roots don't match
[BUG]
Syzbot reported a crash that an ASSERT() got triggered inside
prepare_to_merge().
[CAUSE]
The root cause of the triggered ASSERT() is we can have a race between
quota tree creation and relocation.
This leads us to create a duplicated quota tree in the
btrfs_read_fs_root() path, and since it's treated as fs tree, it would
have ROOT_SHAREABLE flag, causing us to create a reloc tree for it.
The bug itself is fixed by a dedicated patch for it, but this already
taught us the ASSERT() is not something straightforward for
developers.
[ENHANCEMENT]
Instead of using an ASSERT(), let's handle it gracefully and output
extra info about the mismatch reloc roots to help debug.
Also with the above ASSERT() removed, we can trigger ASSERT(0)s inside
merge_reloc_roots() later.
Also replace those ASSERT(0)s with WARN_ON()s.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69dd147de419b04d1d8d2ca67ef424cddd5b8fd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d04716e36654275aea00fb93fc9b30b850925e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a96b6519ac71583835cb46d74bc450de5a13877f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05d7ce504545f7874529701664c90814ca645c5d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: exit gracefully if reloc roots don\u0027t match\n\n[BUG]\nSyzbot reported a crash that an ASSERT() got triggered inside\nprepare_to_merge().\n\n[CAUSE]\nThe root cause of the triggered ASSERT() is we can have a race between\nquota tree creation and relocation.\n\nThis leads us to create a duplicated quota tree in the\nbtrfs_read_fs_root() path, and since it\u0027s treated as fs tree, it would\nhave ROOT_SHAREABLE flag, causing us to create a reloc tree for it.\n\nThe bug itself is fixed by a dedicated patch for it, but this already\ntaught us the ASSERT() is not something straightforward for\ndevelopers.\n\n[ENHANCEMENT]\nInstead of using an ASSERT(), let\u0027s handle it gracefully and output\nextra info about the mismatch reloc roots to help debug.\n\nAlso with the above ASSERT() removed, we can trigger ASSERT(0)s inside\nmerge_reloc_roots() later.\nAlso replace those ASSERT(0)s with WARN_ON()s."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:04:35.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69dd147de419b04d1d8d2ca67ef424cddd5b8fd5"
},
{
"url": "https://git.kernel.org/stable/c/9d04716e36654275aea00fb93fc9b30b850925e7"
},
{
"url": "https://git.kernel.org/stable/c/a96b6519ac71583835cb46d74bc450de5a13877f"
},
{
"url": "https://git.kernel.org/stable/c/05d7ce504545f7874529701664c90814ca645c5d"
}
],
"title": "btrfs: exit gracefully if reloc roots don\u0027t match",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53183",
"datePublished": "2025-09-15T14:04:35.399Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-15T14:04:35.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38212 (GCVE-0-2025-38212)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2025-11-03 17:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc: fix to protect IPCS lookups using RCU
syzbot reported that it discovered a use-after-free vulnerability, [0]
[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/
idr_for_each() is protected by rwsem, but this is not enough. If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.
Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 Version: b34a6b1da371ed8af1221459a18c67970f7e3d53 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:31.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f1e1573bf103303944fd7225559de5d8297539c",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "b968ba8bfd9f90914957bbbd815413bf6a98eca7",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "74bc813d11c30e28fc5261dc877cca662ccfac68",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "78297d53d3878d43c1d627d20cd09f611fa4b91d",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "5180561afff8e0f029073c8c8117c95c6512d1f9",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "68c173ea138b66d7dd1fd980c9bc578a18e11884",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "b0b6bf90ce2699a574b3683e22c44d0dcdd7a057",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
},
{
"lessThan": "d66adabe91803ef34a8b90613c81267b5ded1472",
"status": "affected",
"version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough. If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned()."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:15:19.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c"
},
{
"url": "https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7"
},
{
"url": "https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68"
},
{
"url": "https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d"
},
{
"url": "https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9"
},
{
"url": "https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884"
},
{
"url": "https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"
},
{
"url": "https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472"
}
],
"title": "ipc: fix to protect IPCS lookups using RCU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38212",
"datePublished": "2025-07-04T13:37:30.957Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2025-11-03T17:35:31.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50478 (GCVE-0-2022-50478)
Vulnerability from cvelistv5
Published
2025-10-04 15:16
Modified
2025-10-04 15:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount
time".
The first patch fixes a bug reported by syzbot, and the second one fixes
the remaining bug of the same kind. Although they are triggered by the
same super block data anomaly, I divided it into the above two because the
details of the issues and how to fix it are different.
Both are required to eliminate the shift-out-of-bounds issues at mount
time.
This patch (of 2):
If the block size exponent information written in an on-disk superblock is
corrupted, nilfs_sb2_bad_offset helper function can trigger
shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn
is set):
shift exponent 38983 is too large for 64-bit type 'unsigned long long'
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]
nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523
init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577
nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047
nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317
...
In addition, since nilfs_sb2_bad_offset() performs multiplication without
considering the upper bound, the computation may overflow if the disk
layout parameters are not normal.
This fixes these issues by inserting preliminary sanity checks for those
parameters and by converting the comparison from one involving
multiplication and left bit-shifting to one using division and right
bit-shifting.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/the_nilfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b0ea3df56cccd53398d0289f399f19d43136b2e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a6f89b10042baca218c8598d6db5a44c7e32625f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b3ba54025357440d6c4414c670984f628c6f6bf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d706485dffbbbf848e681edda29c7a46ac55698c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d464b035c0613856d012cf1704879d3ff3f057fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b47f5c579c8186f7f5ab5e4254e0734ea5b7bf7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1012ff77284e3bec0ec0a35a820b03ec43dec2cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62d11ec205ef14d8acf172cfc9904fdbf200025a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "610a2a3d7d8be3537458a378ec69396a76c385b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/the_nilfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()\n\nPatch series \"nilfs2: fix UBSAN shift-out-of-bounds warnings on mount\ntime\".\n\nThe first patch fixes a bug reported by syzbot, and the second one fixes\nthe remaining bug of the same kind. Although they are triggered by the\nsame super block data anomaly, I divided it into the above two because the\ndetails of the issues and how to fix it are different.\n\nBoth are required to eliminate the shift-out-of-bounds issues at mount\ntime.\n\n\nThis patch (of 2):\n\nIf the block size exponent information written in an on-disk superblock is\ncorrupted, nilfs_sb2_bad_offset helper function can trigger\nshift-out-of-bounds warning followed by a kernel panic (if panic_on_warn\nis set):\n\n shift exponent 38983 is too large for 64-bit type \u0027unsigned long long\u0027\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322\n nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]\n nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523\n init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577\n nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047\n nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317\n ...\n\nIn addition, since nilfs_sb2_bad_offset() performs multiplication without\nconsidering the upper bound, the computation may overflow if the disk\nlayout parameters are not normal.\n\nThis fixes these issues by inserting preliminary sanity checks for those\nparameters and by converting the comparison from one involving\nmultiplication and left bit-shifting to one using division and right\nbit-shifting."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:16:38.346Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b0ea3df56cccd53398d0289f399f19d43136b2e"
},
{
"url": "https://git.kernel.org/stable/c/a6f89b10042baca218c8598d6db5a44c7e32625f"
},
{
"url": "https://git.kernel.org/stable/c/9b3ba54025357440d6c4414c670984f628c6f6bf"
},
{
"url": "https://git.kernel.org/stable/c/d706485dffbbbf848e681edda29c7a46ac55698c"
},
{
"url": "https://git.kernel.org/stable/c/d464b035c0613856d012cf1704879d3ff3f057fb"
},
{
"url": "https://git.kernel.org/stable/c/b47f5c579c8186f7f5ab5e4254e0734ea5b7bf7a"
},
{
"url": "https://git.kernel.org/stable/c/1012ff77284e3bec0ec0a35a820b03ec43dec2cc"
},
{
"url": "https://git.kernel.org/stable/c/62d11ec205ef14d8acf172cfc9904fdbf200025a"
},
{
"url": "https://git.kernel.org/stable/c/610a2a3d7d8be3537458a378ec69396a76c385b6"
}
],
"title": "nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50478",
"datePublished": "2025-10-04T15:16:38.346Z",
"dateReserved": "2025-10-04T15:13:33.467Z",
"dateUpdated": "2025-10-04T15:16:38.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39797 (GCVE-0-2025-39797)
Vulnerability from cvelistv5
Published
2025-09-12 15:59
Modified
2025-09-29 05:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Duplicate SPI Handling
The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI
Netlink message, which triggers the kernel function xfrm_alloc_spi().
This function is expected to ensure uniqueness of the Security Parameter
Index (SPI) for inbound Security Associations (SAs). However, it can
return success even when the requested SPI is already in use, leading
to duplicate SPIs assigned to multiple inbound SAs, differentiated
only by their destination addresses.
This behavior causes inconsistencies during SPI lookups for inbound packets.
Since the lookup may return an arbitrary SA among those with the same SPI,
packet processing can fail, resulting in packet drops.
According to RFC 4301 section 4.4.2 , for inbound processing a unicast SA
is uniquely identified by the SPI and optionally protocol.
Reproducing the Issue Reliably:
To consistently reproduce the problem, restrict the available SPI range in
charon.conf : spi_min = 0x10000000 spi_max = 0x10000002
This limits the system to only 2 usable SPI values.
Next, create more than 2 Child SA. each using unique pair of src/dst address.
As soon as the 3rd Child SA is initiated, it will be assigned a duplicate
SPI, since the SPI pool is already exhausted.
With a narrow SPI range, the issue is consistently reproducible.
With a broader/default range, it becomes rare and unpredictable.
Current implementation:
xfrm_spi_hash() lookup function computes hash using daddr, proto, and family.
So if two SAs have the same SPI but different destination addresses, then
they will:
a. Hash into different buckets
b. Be stored in different linked lists (byspi + h)
c. Not be seen in the same hlist_for_each_entry_rcu() iteration.
As a result, the lookup will result in NULL and kernel allows that Duplicate SPI
Proposed Change:
xfrm_state_lookup_spi_proto() does a truly global search - across all states,
regardless of hash bucket and matches SPI and proto.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d8090bb53424432fa788fe9a49e8ceca74f0544",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29e9158f91f99057dbd35db5e8674d93b38549fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94f39804d891cffe4ce17737d295f3b195bc7299",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Duplicate SPI Handling\n\nThe issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI\nNetlink message, which triggers the kernel function xfrm_alloc_spi().\nThis function is expected to ensure uniqueness of the Security Parameter\nIndex (SPI) for inbound Security Associations (SAs). However, it can\nreturn success even when the requested SPI is already in use, leading\nto duplicate SPIs assigned to multiple inbound SAs, differentiated\nonly by their destination addresses.\n\nThis behavior causes inconsistencies during SPI lookups for inbound packets.\nSince the lookup may return an arbitrary SA among those with the same SPI,\npacket processing can fail, resulting in packet drops.\n\nAccording to RFC 4301 section 4.4.2 , for inbound processing a unicast SA\nis uniquely identified by the SPI and optionally protocol.\n\nReproducing the Issue Reliably:\nTo consistently reproduce the problem, restrict the available SPI range in\ncharon.conf : spi_min = 0x10000000 spi_max = 0x10000002\nThis limits the system to only 2 usable SPI values.\nNext, create more than 2 Child SA. each using unique pair of src/dst address.\nAs soon as the 3rd Child SA is initiated, it will be assigned a duplicate\nSPI, since the SPI pool is already exhausted.\nWith a narrow SPI range, the issue is consistently reproducible.\nWith a broader/default range, it becomes rare and unpredictable.\n\nCurrent implementation:\nxfrm_spi_hash() lookup function computes hash using daddr, proto, and family.\nSo if two SAs have the same SPI but different destination addresses, then\nthey will:\na. Hash into different buckets\nb. Be stored in different linked lists (byspi + h)\nc. Not be seen in the same hlist_for_each_entry_rcu() iteration.\nAs a result, the lookup will result in NULL and kernel allows that Duplicate SPI\n\nProposed Change:\nxfrm_state_lookup_spi_proto() does a truly global search - across all states,\nregardless of hash bucket and matches SPI and proto."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:59:38.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d8090bb53424432fa788fe9a49e8ceca74f0544"
},
{
"url": "https://git.kernel.org/stable/c/2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38"
},
{
"url": "https://git.kernel.org/stable/c/c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47"
},
{
"url": "https://git.kernel.org/stable/c/29e9158f91f99057dbd35db5e8674d93b38549fe"
},
{
"url": "https://git.kernel.org/stable/c/94f39804d891cffe4ce17737d295f3b195bc7299"
}
],
"title": "xfrm: Duplicate SPI Handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39797",
"datePublished": "2025-09-12T15:59:33.639Z",
"dateReserved": "2025-04-16T07:20:57.132Z",
"dateUpdated": "2025-09-29T05:59:38.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53156 (GCVE-0-2024-53156)
Vulnerability from cvelistv5
Published
2024-12-24 11:28
Modified
2025-11-03 20:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
I found the following bug in my fuzzer:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
index 255 is out of range for type 'htc_endpoint [22]'
CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
dump_stack_lvl+0x180/0x1b0
__ubsan_handle_out_of_bounds+0xd4/0x130
htc_issue_send.constprop.0+0x20c/0x230
? _raw_spin_unlock_irqrestore+0x3c/0x70
ath9k_wmi_cmd+0x41d/0x610
? mark_held_locks+0x9f/0xe0
...
Since this bug has been confirmed to be caused by insufficient verification
of conn_rsp_epid, I think it would be appropriate to add a range check for
conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:09:36.136027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:08.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:46:44.047Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f177fb9d01355ac183e65ad8909ea8ef734e0cf",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "cb480ae80fd4d0f1ac9e107ce799183beee5124b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "c941af142200d975dd3be632aeb490f4cb91dae4",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8965db7fe2e913ee0802b05fc94c6d6aa74e0596",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "70eae50d2156cb6e078d0d78809b49bf2f4c7540",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "b6551479daf2bfa80bfd5d9016b02a810e508bfb",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "3fe99b9690b99606d3743c9961ebee865cfa1ab8",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "bc981179ab5d1a2715f35e3db4e4bb822bacc849",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8619593634cbdf5abf43f5714df49b04e4ef09ab",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()\n\nI found the following bug in my fuzzer:\n\n UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51\n index 255 is out of range for type \u0027htc_endpoint [22]\u0027\n CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Workqueue: events request_firmware_work_func\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x180/0x1b0\n __ubsan_handle_out_of_bounds+0xd4/0x130\n htc_issue_send.constprop.0+0x20c/0x230\n ? _raw_spin_unlock_irqrestore+0x3c/0x70\n ath9k_wmi_cmd+0x41d/0x610\n ? mark_held_locks+0x9f/0xe0\n ...\n\nSince this bug has been confirmed to be caused by insufficient verification\nof conn_rsp_epid, I think it would be appropriate to add a range check for\nconn_rsp_epid to htc_connect_service() to prevent the bug from occurring."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:28.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f177fb9d01355ac183e65ad8909ea8ef734e0cf"
},
{
"url": "https://git.kernel.org/stable/c/cb480ae80fd4d0f1ac9e107ce799183beee5124b"
},
{
"url": "https://git.kernel.org/stable/c/c941af142200d975dd3be632aeb490f4cb91dae4"
},
{
"url": "https://git.kernel.org/stable/c/8965db7fe2e913ee0802b05fc94c6d6aa74e0596"
},
{
"url": "https://git.kernel.org/stable/c/70eae50d2156cb6e078d0d78809b49bf2f4c7540"
},
{
"url": "https://git.kernel.org/stable/c/b6551479daf2bfa80bfd5d9016b02a810e508bfb"
},
{
"url": "https://git.kernel.org/stable/c/3fe99b9690b99606d3743c9961ebee865cfa1ab8"
},
{
"url": "https://git.kernel.org/stable/c/bc981179ab5d1a2715f35e3db4e4bb822bacc849"
},
{
"url": "https://git.kernel.org/stable/c/8619593634cbdf5abf43f5714df49b04e4ef09ab"
}
],
"title": "wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53156",
"datePublished": "2024-12-24T11:28:55.275Z",
"dateReserved": "2024-11-19T17:17:25.001Z",
"dateUpdated": "2025-11-03T20:46:44.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39833 (GCVE-0-2025-39833)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-29 06:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: hfcpci: Fix warning when deleting uninitialized timer
With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads
to the following splat:
[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0
[ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0
[ 250.218775] Modules linked in: hfcpci(-) mISDN_core
[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)
[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0
[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d
[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286
[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95
[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0
[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39
[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001
[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8
[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000
[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0
[ 250.236117] Call Trace:
[ 250.236599] <TASK>
[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130
[ 250.237920] debug_object_assert_init+0x1f6/0x310
[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10
[ 250.239658] ? __lock_acquire+0xdea/0x1c70
[ 250.240369] __try_to_del_timer_sync+0x69/0x140
[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10
[ 250.242058] ? __timer_delete_sync+0xc6/0x120
[ 250.242842] ? lock_acquire+0x30/0x80
[ 250.243474] ? __timer_delete_sync+0xc6/0x120
[ 250.244262] __timer_delete_sync+0x98/0x120
[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci]
[ 250.245704] __do_sys_delete_module+0x348/0x510
[ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10
[ 250.247338] do_syscall_64+0xc1/0x360
[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fix this by initializing hfc_tl timer with DEFINE_TIMER macro.
Also, use mod_timer instead of manual timeout update.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcpci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43fc5da8133badf17f5df250ba03b9d882254845",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "97766512a9951b9fd6fc97f1b93211642bb0b220",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcpci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.5",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: hfcpci: Fix warning when deleting uninitialized timer\n\nWith CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads\nto the following splat:\n\n[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0\n[ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0\n[ 250.218775] Modules linked in: hfcpci(-) mISDN_core\n[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)\n[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0\n[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d\n[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286\n[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95\n[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0\n[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39\n[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001\n[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8\n[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000\n[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0\n[ 250.236117] Call Trace:\n[ 250.236599] \u003cTASK\u003e\n[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130\n[ 250.237920] debug_object_assert_init+0x1f6/0x310\n[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10\n[ 250.239658] ? __lock_acquire+0xdea/0x1c70\n[ 250.240369] __try_to_del_timer_sync+0x69/0x140\n[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10\n[ 250.242058] ? __timer_delete_sync+0xc6/0x120\n[ 250.242842] ? lock_acquire+0x30/0x80\n[ 250.243474] ? __timer_delete_sync+0xc6/0x120\n[ 250.244262] __timer_delete_sync+0x98/0x120\n[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci]\n[ 250.245704] __do_sys_delete_module+0x348/0x510\n[ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10\n[ 250.247338] do_syscall_64+0xc1/0x360\n[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFix this by initializing hfc_tl timer with DEFINE_TIMER macro.\nAlso, use mod_timer instead of manual timeout update."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:00:36.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43fc5da8133badf17f5df250ba03b9d882254845"
},
{
"url": "https://git.kernel.org/stable/c/97766512a9951b9fd6fc97f1b93211642bb0b220"
}
],
"title": "mISDN: hfcpci: Fix warning when deleting uninitialized timer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39833",
"datePublished": "2025-09-16T13:08:50.192Z",
"dateReserved": "2025-04-16T07:20:57.140Z",
"dateUpdated": "2025-09-29T06:00:36.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38617 (GCVE-0-2025-38617)
Vulnerability from cvelistv5
Published
2025-08-22 13:01
Modified
2025-11-03 17:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:28.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18f13f2a83eb81be349a9757ba2141ff1da9ad73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7da733f117533e9b2ebbd530a22ae4028713955c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba2257034755ae773722f15f4c3ad1dcdad15ca9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7de07705007c7e34995a5599aaab1d23e762d7ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88caf46db8239e6471413d28aabaa6b8bd552805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2e8fcfd2b1bc754920108b7f2cd75082c5a18df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e50ccfaca9e3c671cae917dcb994831a859cf588",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1791fd7b845bea0ce9674fcf2febee7bc87a893",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01d3c8417b9c1b884a8a981a3b886da556512f36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po-\u003ebind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo-\u003ebind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po-\u003enum to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po-\u003ebind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:52.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73"
},
{
"url": "https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c"
},
{
"url": "https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9"
},
{
"url": "https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca"
},
{
"url": "https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805"
},
{
"url": "https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df"
},
{
"url": "https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588"
},
{
"url": "https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893"
},
{
"url": "https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36"
}
],
"title": "net/packet: fix a race in packet_set_ring() and packet_notifier()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38617",
"datePublished": "2025-08-22T13:01:23.963Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:28.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53588 (GCVE-0-2023-53588)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check for station first in client probe
When probing a client, first check if we have it, and then
check for the channel context, otherwise you can trigger
the warning there easily by probing when the AP isn't even
started yet. Since a client existing means the AP is also
operating, we can then keep the warning.
Also simplify the moved code a bit.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e1cda5cf07f848e6b50b4e5e7761ffbce905a3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7dce2deb0b03aaf46c87ceedea81ef4153e26c40",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "67dfa589aa8806c7959cbca2f4613b8d41c75a06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check for station first in client probe\n\nWhen probing a client, first check if we have it, and then\ncheck for the channel context, otherwise you can trigger\nthe warning there easily by probing when the AP isn\u0027t even\nstarted yet. Since a client existing means the AP is also\noperating, we can then keep the warning.\n\nAlso simplify the moved code a bit."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:03.354Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e1cda5cf07f848e6b50b4e5e7761ffbce905a3d"
},
{
"url": "https://git.kernel.org/stable/c/7dce2deb0b03aaf46c87ceedea81ef4153e26c40"
},
{
"url": "https://git.kernel.org/stable/c/67dfa589aa8806c7959cbca2f4613b8d41c75a06"
}
],
"title": "wifi: mac80211: check for station first in client probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53588",
"datePublished": "2025-10-04T15:44:03.354Z",
"dateReserved": "2025-10-04T15:40:38.477Z",
"dateUpdated": "2025-10-04T15:44:03.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…