Vulnerability-Lookup

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 16.04 ESM
Ubuntu	Ubuntu	Ubuntu 20.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.04 LTS
Ubuntu	Ubuntu	Ubuntu 25.04
Ubuntu	Ubuntu	Ubuntu 18.04 ESM
Ubuntu	Ubuntu	Ubuntu 25.10
Ubuntu	Ubuntu	Ubuntu 14.04 ESM
Ubuntu	Ubuntu	Ubuntu 22.04 LTS

CVE-2025-38707 (GCVE-0-2025-38707)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

fs/ntfs3: Add sanity check for file name

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name The length of the file name should be smaller than the directory entry size.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bde58c1539f3ffddf…
	https://git.kernel.org/stable/c/f99eb9a641f4ef927…
	https://git.kernel.org/stable/c/3572737a768dadea9…
	https://git.kernel.org/stable/c/2ac47f738ddfc1957…
	https://git.kernel.org/stable/c/b51642fc52d1c7243…
	https://git.kernel.org/stable/c/27ee9a42b245efe65…
	https://git.kernel.org/stable/c/e841ecb139339602b…

Impacted products

Vendor

Product

Version

Linux

Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < bde58c1539f3ffddffc94d64007de16964e6b8eb (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < f99eb9a641f4ef927d8724f4966dcfd1f0e9f835 (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 3572737a768dadea904ebc4eb34b6ed575bb72d9 (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 2ac47f738ddfc1957a33be163bc97ee8f78e85a6 (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < b51642fc52d1c7243a9361555d5c4b24d7569d7e (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < 27ee9a42b245efe6529e28b03453291a775cb3e4 (git)
Affected: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e , < e841ecb139339602bc1853f5f09daa5d1ea920a2 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:37.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bde58c1539f3ffddffc94d64007de16964e6b8eb",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "f99eb9a641f4ef927d8724f4966dcfd1f0e9f835",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "3572737a768dadea904ebc4eb34b6ed575bb72d9",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "2ac47f738ddfc1957a33be163bc97ee8f78e85a6",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "b51642fc52d1c7243a9361555d5c4b24d7569d7e",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "27ee9a42b245efe6529e28b03453291a775cb3e4",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            },
            {
              "lessThan": "e841ecb139339602bc1853f5f09daa5d1ea920a2",
              "status": "affected",
              "version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add sanity check for file name\n\nThe length of the file name should be smaller than the directory entry size."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:56:27.867Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bde58c1539f3ffddffc94d64007de16964e6b8eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f99eb9a641f4ef927d8724f4966dcfd1f0e9f835"
        },
        {
          "url": "https://git.kernel.org/stable/c/3572737a768dadea904ebc4eb34b6ed575bb72d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ac47f738ddfc1957a33be163bc97ee8f78e85a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b51642fc52d1c7243a9361555d5c4b24d7569d7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/27ee9a42b245efe6529e28b03453291a775cb3e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e841ecb139339602bc1853f5f09daa5d1ea920a2"
        }
      ],
      "title": "fs/ntfs3: Add sanity check for file name",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38707",
    "datePublished": "2025-09-04T15:32:58.386Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2025-11-03T17:41:37.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40026 (GCVE-0-2025-40026)

Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16

Title

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access. Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended "recipient") can reach the code in question. gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP. The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction. WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm] Modules linked in: kvm_intel kvm irqbypass CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm] PKRU: 55555554 Call Trace: <TASK> kvm_fast_pio+0xd6/0x1d0 [kvm] vmx_handle_exit+0x149/0x610 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm] kvm_vcpu_ioctl+0x244/0x8c0 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0x5d/0xc60 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a908eca437789589d…
	https://git.kernel.org/stable/c/00338255bb1f42264…
	https://git.kernel.org/stable/c/e0ce3ed1048a47986…
	https://git.kernel.org/stable/c/ba35a5d775799ce5a…
	https://git.kernel.org/stable/c/3d3abf3f7e8b1abb0…
	https://git.kernel.org/stable/c/e7177c7e32cb806f3…
	https://git.kernel.org/stable/c/3a062a5c55adc5507…
	https://git.kernel.org/stable/c/7366830642505683b…
	https://git.kernel.org/stable/c/e750f85391286a4c8…

Impacted products

Vendor

Product

Version

Linux

Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < a908eca437789589dd4624da428614c1275064dc (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 00338255bb1f422642fb2798ebe92e93b6e4209b (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e0ce3ed1048a47986d15aef1a98ebda25560d257 (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < ba35a5d775799ce5ad60230be97336f2fefd518e (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3d3abf3f7e8b1abb082070a343de82d7efc80523 (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e7177c7e32cb806f348387b7f4faafd4a5b32054 (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3a062a5c55adc5507600b9ae6d911e247e2f1d6e (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 7366830642505683bbe905a2ba5d18d6e4b512b8 (git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e750f85391286a4c8100275516973324b621a269 (git)

Linux

Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.111 , ≤ 6.6.* (semver)
Unaffected: 6.12.52 , ≤ 6.12.* (semver)
Unaffected: 6.16.12 , ≤ 6.16.* (semver)
Unaffected: 6.17.2 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/emulate.c",
            "arch/x86/kvm/kvm_emulate.h",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a908eca437789589dd4624da428614c1275064dc",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "00338255bb1f422642fb2798ebe92e93b6e4209b",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "e0ce3ed1048a47986d15aef1a98ebda25560d257",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "ba35a5d775799ce5ad60230be97336f2fefd518e",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "3d3abf3f7e8b1abb082070a343de82d7efc80523",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "e7177c7e32cb806f348387b7f4faafd4a5b32054",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "3a062a5c55adc5507600b9ae6d911e247e2f1d6e",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "7366830642505683bbe905a2ba5d18d6e4b512b8",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            },
            {
              "lessThan": "e750f85391286a4c8100275516973324b621a269",
              "status": "affected",
              "version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/emulate.c",
            "arch/x86/kvm/kvm_emulate.h",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.111",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.52",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.12",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.2",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don\u0027t recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O.  If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace,  KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question.  gp_interception()\u0027s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu-\u003earch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_fast_pio+0xd6/0x1d0 [kvm]\n   vmx_handle_exit+0x149/0x610 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0x5d/0xc60\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:28.000Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"
        }
      ],
      "title": "KVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40026",
    "datePublished": "2025-10-28T09:32:33.075Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2025-12-01T06:16:28.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38227 (GCVE-0-2025-38227)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

media: vidtv: Terminating the subsequent process of initialization failure

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited. [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059 CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK> Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1d72ff111eceea6b…
	https://git.kernel.org/stable/c/7e62be1f3b241bc9f…
	https://git.kernel.org/stable/c/685c18bc5a36f823e…
	https://git.kernel.org/stable/c/9824e1732a163e005…
	https://git.kernel.org/stable/c/72541cae73d0809a6…
	https://git.kernel.org/stable/c/f8c2483be6e8bb6c2…
	https://git.kernel.org/stable/c/1d5f88f0534803268…

Impacted products

Vendor

Product

Version

Linux

Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < e1d72ff111eceea6b28dccb7ca4e8f4900b11729 (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 7e62be1f3b241bc9faee547864bb39332955509b (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 685c18bc5a36f823ee725e85aac1303ef5f535ba (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 9824e1732a163e005aa84e12ec439493ebd4f097 (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 72541cae73d0809a6416bfcd2ee6473046a0013a (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < f8c2483be6e8bb6c2148315b4a924c65bb442b5e (git)
Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 1d5f88f053480326873115092bc116b7d14916ba (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:44.869Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1d72ff111eceea6b28dccb7ca4e8f4900b11729",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "7e62be1f3b241bc9faee547864bb39332955509b",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "685c18bc5a36f823ee725e85aac1303ef5f535ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "9824e1732a163e005aa84e12ec439493ebd4f097",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "72541cae73d0809a6416bfcd2ee6473046a0013a",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "f8c2483be6e8bb6c2148315b4a924c65bb442b5e",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "1d5f88f053480326873115092bc116b7d14916ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of initialization failure\n\nsyzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]\n\nAfter PSI initialization fails, the si member is accessed again, resulting\nin this uaf.\n\nAfter si initialization fails, the subsequent process needs to be exited.\n\n[1]\nBUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]\nBUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nRead of size 8 at addr ffff88802fa42acc by task syz.2.37/6059\n\nCPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0xc3/0x670 mm/kasan/report.c:521\nkasan_report+0xd9/0x110 mm/kasan/report.c:634\nvidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78\nvidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nvidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\nvidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\ndmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\ndvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\ndvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\ndvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\ndvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\ndvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n__fput+0x3ff/0xb70 fs/file_table.c:464\ntask_work_run+0x14e/0x250 kernel/task_work.c:227\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xad8/0x2d70 kernel/exit.c:938\ndo_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n__do_sys_exit_group kernel/exit.c:1098 [inline]\n__se_sys_exit_group kernel/exit.c:1096 [inline]\n__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096\nx64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f871d58d169\nCode: Unable to access opcode bytes at 0x7f871d58d13f.\nRSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169\nRDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003\nR13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840\n \u003c/TASK\u003e\n\nAllocated by task 6059:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970\n vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423\n vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\n vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\n dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\n dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\n dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\n dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3ff/0xb70 fs/file_tabl\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:40.974Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1d72ff111eceea6b28dccb7ca4e8f4900b11729"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e62be1f3b241bc9faee547864bb39332955509b"
        },
        {
          "url": "https://git.kernel.org/stable/c/685c18bc5a36f823ee725e85aac1303ef5f535ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/9824e1732a163e005aa84e12ec439493ebd4f097"
        },
        {
          "url": "https://git.kernel.org/stable/c/72541cae73d0809a6416bfcd2ee6473046a0013a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8c2483be6e8bb6c2148315b4a924c65bb442b5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5f88f053480326873115092bc116b7d14916ba"
        }
      ],
      "title": "media: vidtv: Terminating the subsequent process of initialization failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38227",
    "datePublished": "2025-07-04T13:37:41.922Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2025-11-03T17:35:44.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38566 (GCVE-0-2025-38566)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53

Title

sunrpc: fix handling of server side tls alerts

Summary

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b1df394621710b312…
	https://git.kernel.org/stable/c/25bb3647d30a20486…
	https://git.kernel.org/stable/c/3b549da875414989f…
	https://git.kernel.org/stable/c/6b33c31cc788073bf…
	https://git.kernel.org/stable/c/bee47cb026e762841…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < b1df394621710b312f0393e3f240fdac0764f968 (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 25bb3647d30a20486b5fe7cff2b0e503c16c9692 (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 3b549da875414989f480b66835d514be80a0bd9c (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 6b33c31cc788073bfbed9297e1f4486ed73d87da (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < bee47cb026e762841f3faece47b51f985e215edb (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:54.931Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
        },
        {
          "url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
        },
        {
          "url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
        }
      ],
      "title": "sunrpc: fix handling of server side tls alerts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38566",
    "datePublished": "2025-08-19T17:02:42.506Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-09-29T05:53:54.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38483 (GCVE-0-2025-38483)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

comedi: das16m1: Fix bit shift out of bounds

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/539bdff832adac9ea…
	https://git.kernel.org/stable/c/d1291c69f46d6572b…
	https://git.kernel.org/stable/c/b3c95fa508e5dc3da…
	https://git.kernel.org/stable/c/65c03e6fc524eb286…
	https://git.kernel.org/stable/c/adb7df8a8f9d78842…
	https://git.kernel.org/stable/c/076b13ee60eb01ed0…
	https://git.kernel.org/stable/c/f211572818ed5bec2…
	https://git.kernel.org/stable/c/ed93c6f68a3be06e4…

Impacted products

Vendor

Product

Version

Linux

Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < 539bdff832adac9ea653859fa0b6bc62e743329c (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < d1291c69f46d6572b2cf75960dd8975d7ab2176b (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < b3c95fa508e5dc3da60520eea92a5241095ceef1 (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < 65c03e6fc524eb2868abedffd8a4613d78abc288 (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < adb7df8a8f9d788423e161b779764527dd3ec2d0 (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < 076b13ee60eb01ed0d140ef261f95534562a3077 (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < f211572818ed5bec2b3f5d4e0719ef8699b3c269 (git)
Affected: 729988507680b2ce934bce61d9ce0ea7b235914c , < ed93c6f68a3be06e4e0c331c6e751f462dee3932 (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:54.170Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/das16m1.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "539bdff832adac9ea653859fa0b6bc62e743329c",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "d1291c69f46d6572b2cf75960dd8975d7ab2176b",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "b3c95fa508e5dc3da60520eea92a5241095ceef1",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "65c03e6fc524eb2868abedffd8a4613d78abc288",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "adb7df8a8f9d788423e161b779764527dd3ec2d0",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "076b13ee60eb01ed0d140ef261f95534562a3077",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "f211572818ed5bec2b3f5d4e0719ef8699b3c269",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            },
            {
              "lessThan": "ed93c6f68a3be06e4e0c331c6e751f462dee3932",
              "status": "affected",
              "version": "729988507680b2ce934bce61d9ce0ea7b235914c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/das16m1.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das16m1: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 0xdcfc) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:23.600Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/539bdff832adac9ea653859fa0b6bc62e743329c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1291c69f46d6572b2cf75960dd8975d7ab2176b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3c95fa508e5dc3da60520eea92a5241095ceef1"
        },
        {
          "url": "https://git.kernel.org/stable/c/65c03e6fc524eb2868abedffd8a4613d78abc288"
        },
        {
          "url": "https://git.kernel.org/stable/c/adb7df8a8f9d788423e161b779764527dd3ec2d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/076b13ee60eb01ed0d140ef261f95534562a3077"
        },
        {
          "url": "https://git.kernel.org/stable/c/f211572818ed5bec2b3f5d4e0719ef8699b3c269"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed93c6f68a3be06e4e0c331c6e751f462dee3932"
        }
      ],
      "title": "comedi: das16m1: Fix bit shift out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38483",
    "datePublished": "2025-07-28T11:21:47.895Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:54.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40300 (GCVE-0-2025-40300)

Vulnerability from cvelistv5 – Published: 2025-09-11 16:49 – Updated: 2026-01-02 15:33

Title

x86/vmscape: Add conditional IBPB mitigation

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac60717f9a8d21c58…
	https://git.kernel.org/stable/c/c08192b5d6730a914…
	https://git.kernel.org/stable/c/d5490dfa35427a296…
	https://git.kernel.org/stable/c/2f4f2f8f860cb4c33…
	https://git.kernel.org/stable/c/15006289e5c38b2a8…
	https://git.kernel.org/stable/c/893387c18612bb452…
	https://git.kernel.org/stable/c/f866eef8d1c65504d…
	https://git.kernel.org/stable/c/34e5667041050711a…
	https://git.kernel.org/stable/c/d7ddc93392e4a7ffc…
	https://git.kernel.org/stable/c/459274c77b37ac63b…
	https://git.kernel.org/stable/c/510603f504796c353…
	https://git.kernel.org/stable/c/9c23a90648e831d61…
	https://git.kernel.org/stable/c/2f8f173413f1cbf52…

Impacted products

Vendor

Product

Version

Linux

Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < ac60717f9a8d21c58617d0b34274babf24135835 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < c08192b5d6730a914dee6175bc71092ee6a65f14 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d5490dfa35427a2967e00a4c7a1b95fdbc8ede34 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 15006289e5c38b2a830e1fba221977a27598176c (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 893387c18612bb452336a5881da0d015a7e8f4a2 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < f866eef8d1c65504d30923c3f14082ad294d0e6d (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 34e5667041050711a947e260fc9ebebe08bddee5 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d7ddc93392e4a7ffcccc86edf6ef3e64c778db52 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 459274c77b37ac63b78c928b4b4e748d1f9d05c8 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 510603f504796c3535f67f55fb0b124a303b44c8 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 9c23a90648e831d611152ac08dbcd1283d405e7f (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f8f173413f1cbf52660d04df92d0069c4306d25 (git)
Affected: c51f1e5f57cca88d8d5894b6fad1638f643a99d0 (git)
Affected: 4b3870c343a82cd2df7192cc5149c87205dcc611 (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 5.10.244 , ≤ 5.10.* (semver)
Unaffected: 5.15.193 , ≤ 5.15.* (semver)
Unaffected: 6.1.152 , ≤ 6.1.* (semver)
Unaffected: 6.6.106 , ≤ 6.6.* (semver)
Unaffected: 6.12.47 , ≤ 6.12.* (semver)
Unaffected: 6.16.7 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-17T16:05:33.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/17/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/17/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/cpufeatures.h",
            "arch/x86/include/asm/entry-common.h",
            "arch/x86/include/asm/nospec-branch.h",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac60717f9a8d21c58617d0b34274babf24135835",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "c08192b5d6730a914dee6175bc71092ee6a65f14",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "d5490dfa35427a2967e00a4c7a1b95fdbc8ede34",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "15006289e5c38b2a830e1fba221977a27598176c",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "893387c18612bb452336a5881da0d015a7e8f4a2",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "f866eef8d1c65504d30923c3f14082ad294d0e6d",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "34e5667041050711a947e260fc9ebebe08bddee5",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "d7ddc93392e4a7ffcccc86edf6ef3e64c778db52",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "459274c77b37ac63b78c928b4b4e748d1f9d05c8",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "510603f504796c3535f67f55fb0b124a303b44c8",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "9c23a90648e831d611152ac08dbcd1283d405e7f",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "2f8f173413f1cbf52660d04df92d0069c4306d25",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c51f1e5f57cca88d8d5894b6fad1638f643a99d0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4b3870c343a82cd2df7192cc5149c87205dcc611",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/cpufeatures.h",
            "arch/x86/include/asm/entry-common.h",
            "arch/x86/include/asm/nospec-branch.h",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.244",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.193",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.152",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.106",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.244",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.244",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.193",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.193",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.152",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.152",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.106",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.106",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.47",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.47",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.7",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.7",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.168",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:23.260Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac60717f9a8d21c58617d0b34274babf24135835"
        },
        {
          "url": "https://git.kernel.org/stable/c/c08192b5d6730a914dee6175bc71092ee6a65f14"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5490dfa35427a2967e00a4c7a1b95fdbc8ede34"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/15006289e5c38b2a830e1fba221977a27598176c"
        },
        {
          "url": "https://git.kernel.org/stable/c/893387c18612bb452336a5881da0d015a7e8f4a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/f866eef8d1c65504d30923c3f14082ad294d0e6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/34e5667041050711a947e260fc9ebebe08bddee5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7ddc93392e4a7ffcccc86edf6ef3e64c778db52"
        },
        {
          "url": "https://git.kernel.org/stable/c/459274c77b37ac63b78c928b4b4e748d1f9d05c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/510603f504796c3535f67f55fb0b124a303b44c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c23a90648e831d611152ac08dbcd1283d405e7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f8f173413f1cbf52660d04df92d0069c4306d25"
        }
      ],
      "title": "x86/vmscape: Add conditional IBPB mitigation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40300",
    "datePublished": "2025-09-11T16:49:24.809Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:23.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38510 (GCVE-0-2025-38510)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2025-11-03 17:39

Title

kasan: remove kasan_find_vm_area() to prevent possible deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/595f78d99b9051600…
	https://git.kernel.org/stable/c/8377d7744bdce5c4b…
	https://git.kernel.org/stable/c/2d89dab1ea6086e6c…
	https://git.kernel.org/stable/c/0c3566d831def922c…
	https://git.kernel.org/stable/c/6ee9b3d84775944fb…

Impacted products

Vendor

Product

Version

Linux

Affected: c056a364e9546bd513d1f5205f0ee316d8acb910 , < 595f78d99b9051600233c0a5c4c47e1097e6ed01 (git)
Affected: c056a364e9546bd513d1f5205f0ee316d8acb910 , < 8377d7744bdce5c4b3f1b58924eebd3fdc078dfc (git)
Affected: c056a364e9546bd513d1f5205f0ee316d8acb910 , < 2d89dab1ea6086e6cbe6fe92531b496fb6808cb9 (git)
Affected: c056a364e9546bd513d1f5205f0ee316d8acb910 , < 0c3566d831def922cd56322c772a7b20d8b0e0c0 (git)
Affected: c056a364e9546bd513d1f5205f0ee316d8acb910 , < 6ee9b3d84775944fb8c8a447961cd01274ac671c (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:13.435Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/report.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "595f78d99b9051600233c0a5c4c47e1097e6ed01",
              "status": "affected",
              "version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
              "versionType": "git"
            },
            {
              "lessThan": "8377d7744bdce5c4b3f1b58924eebd3fdc078dfc",
              "status": "affected",
              "version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
              "versionType": "git"
            },
            {
              "lessThan": "2d89dab1ea6086e6cbe6fe92531b496fb6808cb9",
              "status": "affected",
              "version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
              "versionType": "git"
            },
            {
              "lessThan": "0c3566d831def922cd56322c772a7b20d8b0e0c0",
              "status": "affected",
              "version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
              "versionType": "git"
            },
            {
              "lessThan": "6ee9b3d84775944fb8c8a447961cd01274ac671c",
              "status": "affected",
              "version": "c056a364e9546bd513d1f5205f0ee316d8acb910",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/report.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: remove kasan_find_vm_area() to prevent possible deadlock\n\nfind_vm_area() couldn\u0027t be called in atomic_context.  If find_vm_area() is\ncalled to reports vm area information, kasan can trigger deadlock like:\n\nCPU0                                CPU1\nvmalloc();\n alloc_vmap_area();\n  spin_lock(\u0026vn-\u003ebusy.lock)\n                                    spin_lock_bh(\u0026some_lock);\n   \u003cinterrupt occurs\u003e\n   \u003cin softirq\u003e\n   spin_lock(\u0026some_lock);\n                                    \u003caccess invalid address\u003e\n                                    kasan_report();\n                                     print_report();\n                                      print_address_description();\n                                       kasan_find_vm_area();\n                                        find_vm_area();\n                                         spin_lock(\u0026vn-\u003ebusy.lock) // deadlock!\n\nTo prevent possible deadlock while kasan reports, remove kasan_find_vm_area()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:54:52.438Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/595f78d99b9051600233c0a5c4c47e1097e6ed01"
        },
        {
          "url": "https://git.kernel.org/stable/c/8377d7744bdce5c4b3f1b58924eebd3fdc078dfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d89dab1ea6086e6cbe6fe92531b496fb6808cb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c3566d831def922cd56322c772a7b20d8b0e0c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ee9b3d84775944fb8c8a447961cd01274ac671c"
        }
      ],
      "title": "kasan: remove kasan_find_vm_area() to prevent possible deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38510",
    "datePublished": "2025-08-16T10:54:52.438Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-11-03T17:39:13.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38665 (GCVE-0-2025-38665)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:02 – Updated: 2025-11-03 17:40

Title

can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode

Summary

In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by default) To prevent the NULL pointer deference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space. As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6bbcf37c5114926c9…
	https://git.kernel.org/stable/c/cf81a60a973358dea…
	https://git.kernel.org/stable/c/0ca816a96fdcf3264…
	https://git.kernel.org/stable/c/6acceb46180f9e160…
	https://git.kernel.org/stable/c/c1f3f9797c1f44a76…

Impacted products

Vendor

Product

Version

Linux

Affected: 39549eef3587f1c1e8c65c88a2400d10fd30ea17 , < 6bbcf37c5114926c99a1d1e6993a5b35689d2599 (git)
Affected: 39549eef3587f1c1e8c65c88a2400d10fd30ea17 , < cf81a60a973358dea163f6b14062f17831ceb894 (git)
Affected: 39549eef3587f1c1e8c65c88a2400d10fd30ea17 , < 0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5 (git)
Affected: 39549eef3587f1c1e8c65c88a2400d10fd30ea17 , < 6acceb46180f9e160d4f0c56fcaf39ba562822ae (git)
Affected: 39549eef3587f1c1e8c65c88a2400d10fd30ea17 , < c1f3f9797c1f44a762e6f5f72520b2e520537b52 (git)

Linux

Affected: 2.6.31
Unaffected: 0 , < 2.6.31 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.101 , ≤ 6.6.* (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:51.309Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/dev/dev.c",
            "drivers/net/can/dev/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6bbcf37c5114926c99a1d1e6993a5b35689d2599",
              "status": "affected",
              "version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
              "versionType": "git"
            },
            {
              "lessThan": "cf81a60a973358dea163f6b14062f17831ceb894",
              "status": "affected",
              "version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
              "versionType": "git"
            },
            {
              "lessThan": "0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5",
              "status": "affected",
              "version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
              "versionType": "git"
            },
            {
              "lessThan": "6acceb46180f9e160d4f0c56fcaf39ba562822ae",
              "status": "affected",
              "version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
              "versionType": "git"
            },
            {
              "lessThan": "c1f3f9797c1f44a762e6f5f72520b2e520537b52",
              "status": "affected",
              "version": "39549eef3587f1c1e8c65c88a2400d10fd30ea17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/dev/dev.c",
            "drivers/net/can/dev/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.101",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode\n\nAndrei Lalaev reported a NULL pointer deref when a CAN device is\nrestarted from Bus Off and the driver does not implement the struct\ncan_priv::do_set_mode callback.\n\nThere are 2 code path that call struct can_priv::do_set_mode:\n- directly by a manual restart from the user space, via\n  can_changelink()\n- delayed automatic restart after bus off (deactivated by default)\n\nTo prevent the NULL pointer deference, refuse a manual restart or\nconfigure the automatic restart delay in can_changelink() and report\nthe error via extack to user space.\n\nAs an additional safety measure let can_restart() return an error if\ncan_priv::do_set_mode is not set instead of dereferencing it\nunchecked."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T16:02:57.458Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6bbcf37c5114926c99a1d1e6993a5b35689d2599"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf81a60a973358dea163f6b14062f17831ceb894"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6acceb46180f9e160d4f0c56fcaf39ba562822ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1f3f9797c1f44a762e6f5f72520b2e520537b52"
        }
      ],
      "title": "can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38665",
    "datePublished": "2025-08-22T16:02:57.458Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-11-03T17:40:51.309Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39817 (GCVE-0-2025-39817)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43

Title

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Summary

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0 If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob Fix it by checking 'guid' before cmp.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5…
	https://git.kernel.org/stable/c/794399019301944fd…
	https://git.kernel.org/stable/c/568e7761279b99c6d…
	https://git.kernel.org/stable/c/d7f5e35e70507d10c…
	https://git.kernel.org/stable/c/925599eba46045930…
	https://git.kernel.org/stable/c/c2925cd6207079c3f…
	https://git.kernel.org/stable/c/71581a82f38e5a4d8…
	https://git.kernel.org/stable/c/a6358f8cf64850f3f…

Impacted products

Vendor

Product

Version

Linux

Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6 (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 794399019301944fd6d2e0d7a51b3327e26c410e (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 568e7761279b99c6daa3002290fd6d8047ddb6d2 (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7 (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 925599eba46045930b850a98ae594d2e3028ac40 (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < c2925cd6207079c3f4d040d082515db78d63afbf (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < 71581a82f38e5a4d807d71fc1bb59aead80ccf95 (git)
Affected: da27a24383b2b10bf6ebd0db29b325548aafecb4 , < a6358f8cf64850f3f27857b8ed8c1b08cfc4685c (git)
Affected: 688289c4b745c018b3449b4b4c5a2030083c8eaf (git)

Linux

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.4.298 , ≤ 5.4.* (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.45 , ≤ 6.12.* (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:40.463Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "794399019301944fd6d2e0d7a51b3327e26c410e",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "568e7761279b99c6daa3002290fd6d8047ddb6d2",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "925599eba46045930b850a98ae594d2e3028ac40",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "c2925cd6207079c3f4d040d082515db78d63afbf",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "71581a82f38e5a4d807d71fc1bb59aead80ccf95",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "lessThan": "a6358f8cf64850f3f27857b8ed8c1b08cfc4685c",
              "status": "affected",
              "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "688289c4b745c018b3449b4b4c5a2030083c8eaf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.298",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.45",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.8.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n  Call trace:\n   kasan_check_range+0xe8/0x190\n   __asan_loadN+0x1c/0x28\n   memcmp+0x98/0xd0\n   efivarfs_d_compare+0x68/0xd8\n   __d_lookup_rcu_op_compare+0x178/0x218\n   __d_lookup_rcu+0x1f8/0x228\n   d_alloc_parallel+0x150/0x648\n   lookup_open.isra.0+0x5f0/0x8d0\n   open_last_lookups+0x264/0x828\n   path_openat+0x130/0x3f8\n   do_filp_open+0x114/0x248\n   do_sys_openat2+0x340/0x3c0\n   __arm64_sys_openat+0x120/0x1a0\n\nIf dentry-\u003ed_name.len \u003c EFI_VARIABLE_GUID_LEN , \u0027guid\u0027 can become\nnegative, leadings to oob. The issue can be triggered by parallel\nlookups using invalid filename:\n\n  T1\t\t\tT2\n  lookup_open\n   -\u003elookup\n    simple_lookup\n     d_add\n     // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t  __d_lookup_rcu\n\t\t\t   __d_lookup_rcu_op_compare\n\t\t\t    hlist_bl_for_each_entry_rcu\n\t\t\t    // invalid dentry can be retrieved\n\t\t\t     -\u003ed_compare\n\t\t\t      efivarfs_d_compare\n\t\t\t      // oob\n\nFix it by checking \u0027guid\u0027 before cmp."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:15.470Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e"
        },
        {
          "url": "https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c"
        }
      ],
      "title": "efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39817",
    "datePublished": "2025-09-16T13:00:17.776Z",
    "dateReserved": "2025-04-16T07:20:57.138Z",
    "dateUpdated": "2025-11-03T17:43:40.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39844 (GCVE-0-2025-39844)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:43

Title

mm: move page table sync declarations to linux/pgtable.h

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks. And looking at __populate_section_memmap(): if (vmemmap_can_optimize(altmap, pgmap)) // does not sync top level page tables r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap); else // sync top level page tables in x86 r = vmemmap_populate(start, end, nid, altmap); In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c synchronizes the top level page table (See commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so that all tasks in the system can see the new vmemmap area. However, when vmemmap_can_optimize() returns true, the optimized path skips synchronization of top-level page tables. This is because vmemmap_populate_compound_pages() is implemented in core MM code, which does not handle synchronization of the top-level page tables. Instead, the core MM has historically relied on each architecture to perform this synchronization manually. We're not the first party to encounter a crash caused by not-sync'd top level page tables: earlier this year, Gwan-gyeong Mun attempted to address the issue [1] [2] after hitting a kernel panic when x86 code accessed the vmemmap area before the corresponding top-level entries were synced. At that time, the issue was believed to be triggered only when struct page was enlarged for debugging purposes, and the patch did not get further updates. It turns out that current approach of relying on each arch to handle the page table sync manually is fragile because 1) it's easy to forget to sync the top level page table, and 2) it's also easy to overlook that the kernel should not access the vmemmap and direct mapping areas before the sync. # The solution: Make page table sync more code robust and harder to miss To address this, Dave Hansen suggested [3] [4] introducing {pgd,p4d}_populate_kernel() for updating kernel portion of the page tables and allow each architecture to explicitly perform synchronization when installing top-level entries. With this approach, we no longer need to worry about missing the sync step, reducing the risk of future regressions. The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK, PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by vmalloc and ioremap to synchronize page tables. pgd_populate_kernel() looks like this: static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, p4d_t *p4d) { pgd_populate(&init_mm, pgd, p4d); if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) arch_sync_kernel_mappings(addr, addr); } It is worth noting that vmalloc() and apply_to_range() carefully synchronizes page tables by calling p*d_alloc_track() and arch_sync_kernel_mappings(), and thus they are not affected by ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/732e62212f49d549c…
	https://git.kernel.org/stable/c/eceb44e1f94bd641b…
	https://git.kernel.org/stable/c/6797a8b3f71b2cb55…
	https://git.kernel.org/stable/c/4f7537772011fad83…
	https://git.kernel.org/stable/c/469f9d22751472b81…
	https://git.kernel.org/stable/c/7cc183f2e67d19b03…

Impacted products

Vendor

Product

Version

Linux

Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 732e62212f49d549c91071b4da7942ee3058f7a2 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < eceb44e1f94bd641b2a4e8c09b64c797c4eabc15 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6797a8b3f71b2cb558b8771a03450dc3e004e453 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 4f7537772011fad832f83d6848f8eab282545bef (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 469f9d22751472b81eaaf8a27fcdb5a70741c342 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:59.901Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/pgtable.h",
            "include/linux/vmalloc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "732e62212f49d549c91071b4da7942ee3058f7a2",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "eceb44e1f94bd641b2a4e8c09b64c797c4eabc15",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "6797a8b3f71b2cb558b8771a03450dc3e004e453",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "4f7537772011fad832f83d6848f8eab282545bef",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "469f9d22751472b81eaaf8a27fcdb5a70741c342",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/pgtable.h",
            "include/linux/vmalloc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: move page table sync declarations to linux/pgtable.h\n\nDuring our internal testing, we started observing intermittent boot\nfailures when the machine uses 4-level paging and has a large amount of\npersistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0 \n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   \u003cTASK\u003e\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   \u003c/TASK\u003e\n\nIt turns out that the kernel panics while initializing vmemmap (struct\npage array) when the vmemmap region spans two PGD entries, because the new\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\nother tasks.\n\nAnd looking at __populate_section_memmap():\n  if (vmemmap_can_optimize(altmap, pgmap))                                \n          // does not sync top level page tables\n          r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\n  else                                                                    \n          // sync top level page tables in x86\n          r = vmemmap_populate(start, end, nid, altmap);\n\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\nthat all tasks in the system can see the new vmemmap area.\n\nHowever, when vmemmap_can_optimize() returns true, the optimized path\nskips synchronization of top-level page tables.  This is because\nvmemmap_populate_compound_pages() is implemented in core MM code, which\ndoes not handle synchronization of the top-level page tables.  Instead,\nthe core MM has historically relied on each architecture to perform this\nsynchronization manually.\n\nWe\u0027re not the first party to encounter a crash caused by not-sync\u0027d top\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\nvmemmap area before the corresponding top-level entries were synced.  At\nthat time, the issue was believed to be triggered only when struct page\nwas enlarged for debugging purposes, and the patch did not get further\nupdates.\n\nIt turns out that current approach of relying on each arch to handle the\npage table sync manually is fragile because 1) it\u0027s easy to forget to sync\nthe top level page table, and 2) it\u0027s also easy to overlook that the\nkernel should not access the vmemmap and direct mapping areas before the\nsync.\n\n# The solution: Make page table sync more code robust and harder to miss\n\nTo address this, Dave Hansen suggested [3] [4] introducing\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\nand allow each architecture to explicitly perform synchronization when\ninstalling top-level entries.  With this approach, we no longer need to\nworry about missing the sync step, reducing the risk of future\nregressions.\n\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\nvmalloc and ioremap to synchronize page tables.\n\npgd_populate_kernel() looks like this:\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\n                                       p4d_t *p4d)\n{\n        pgd_populate(\u0026init_mm, pgd, p4d);\n        if (ARCH_PAGE_TABLE_SYNC_MASK \u0026 PGTBL_PGD_MODIFIED)\n                arch_sync_kernel_mappings(addr, addr);\n}\n\nIt is worth noting that vmalloc() and apply_to_range() carefully\nsynchronizes page tables by calling p*d_alloc_track() and\narch_sync_kernel_mappings(), and thus they are not affected by\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:53.654Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/732e62212f49d549c91071b4da7942ee3058f7a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/eceb44e1f94bd641b2a4e8c09b64c797c4eabc15"
        },
        {
          "url": "https://git.kernel.org/stable/c/6797a8b3f71b2cb558b8771a03450dc3e004e453"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f7537772011fad832f83d6848f8eab282545bef"
        },
        {
          "url": "https://git.kernel.org/stable/c/469f9d22751472b81eaaf8a27fcdb5a70741c342"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d"
        }
      ],
      "title": "mm: move page table sync declarations to linux/pgtable.h",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39844",
    "datePublished": "2025-09-19T15:26:18.471Z",
    "dateReserved": "2025-04-16T07:20:57.141Z",
    "dateUpdated": "2025-11-03T17:43:59.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38472 (GCVE-0-2025-38472)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

netfilter: nf_conntrack: fix crash due to removal of uninitialised entry

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack] [..] The nf_conn struct is marked as allocated from slab but appears to be in a partially initialised state: ct hlist pointer is garbage; looks like the ct hash value (hence crash). ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected ct->timeout is 30000 (=30s), which is unexpected. Everything else looks like normal udp conntrack entry. If we ignore ct->status and pretend its 0, the entry matches those that are newly allocated but not yet inserted into the hash: - ct hlist pointers are overloaded and store/cache the raw tuple hash - ct->timeout matches the relative time expected for a new udp flow rather than the absolute 'jiffies' value. If it were not for the presence of IPS_CONFIRMED, __nf_conntrack_find_get() would have skipped the entry. Theory is that we did hit following race: cpu x cpu y cpu z found entry E found entry E E is expired <preemption> nf_ct_delete() return E to rcu slab init_conntrack E is re-inited, ct->status set to 0 reply tuplehash hnnode.pprev stores hash value. cpu y found E right before it was deleted on cpu x. E is now re-inited on cpu z. cpu y was preempted before checking for expiry and/or confirm bit. ->refcnt set to 1 E now owned by skb ->timeout set to 30000 If cpu y were to resume now, it would observe E as expired but would skip E due to missing CONFIRMED bit. nf_conntrack_confirm gets called sets: ct->status |= CONFIRMED This is wrong: E is not yet added to hashtable. cpu y resumes, it observes E as expired but CONFIRMED: <resumes> nf_ct_expired() -> yes (ct->timeout is 30s) confirmed bit set. cpu y will try to delete E from the hashtable: nf_ct_delete() -> set DYING bit __nf_ct_delete_from_lists Even this scenario doesn't guarantee a crash: cpu z still holds the table bucket lock(s) so y blocks: wait for spinlock held by z CONFIRMED is set but there is no guarantee ct will be added to hash: "chaintoolong" or "clash resolution" logic both skip the insert step. reply hnnode.pprev still stores the hash value. unlocks spinlock return NF_DROP <unblocks, then crashes on hlist_nulls_del_rcu pprev> In case CPU z does insert the entry into the hashtable, cpu y will unlink E again right away but no crash occurs. Without 'cpu y' race, 'garbage' hlist is of no consequence: ct refcnt remains at 1, eventually skb will be free'd and E gets destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy. To resolve this, move the IPS_CONFIRMED assignment after the table insertion but before the unlock. Pablo points out that the confirm-bit-store could be reordered to happen before hlist add resp. the timeout fixup, so switch to set_bit and before_atomic memory barrier to prevent this. It doesn't matter if other CPUs can observe a newly inserted entry right before the CONFIRMED bit was set: Such event cannot be distinguished from above "E is the old incarnation" case: the entry will be skipped. Also change nf_ct_should_gc() to first check the confirmed bit. The gc sequence is: 1. Check if entry has expired, if not skip to next entry 2. Obtain a reference to the expired entry. 3. Call nf_ct_should_gc() to double-check step 1. nf_ct_should_gc() is thus called only for entries that already failed an expiry check. After this patch, once the confirmed bit check pas ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a47ef874189d47f93…
	https://git.kernel.org/stable/c/76179961c423cd698…
	https://git.kernel.org/stable/c/fc38c249c622ff5e3…
	https://git.kernel.org/stable/c/938ce0e8422d3793f…
	https://git.kernel.org/stable/c/2d72afb340657f03f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 , < a47ef874189d47f934d0809ae738886307c0ea22 (git)
Affected: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 , < 76179961c423cd698080b5e4d5583cf7f4fcdde9 (git)
Affected: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 , < fc38c249c622ff5e3011b8845fd49dbfd9289afc (git)
Affected: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 , < 938ce0e8422d3793fe30df2ed0e37f6bc0598379 (git)
Affected: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 , < 2d72afb340657f03f7261e9243b44457a9228ac7 (git)
Affected: 594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:37.206Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack.h",
            "net/netfilter/nf_conntrack_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a47ef874189d47f934d0809ae738886307c0ea22",
              "status": "affected",
              "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
              "versionType": "git"
            },
            {
              "lessThan": "76179961c423cd698080b5e4d5583cf7f4fcdde9",
              "status": "affected",
              "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
              "versionType": "git"
            },
            {
              "lessThan": "fc38c249c622ff5e3011b8845fd49dbfd9289afc",
              "status": "affected",
              "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
              "versionType": "git"
            },
            {
              "lessThan": "938ce0e8422d3793fe30df2ed0e37f6bc0598379",
              "status": "affected",
              "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
              "versionType": "git"
            },
            {
              "lessThan": "2d72afb340657f03f7261e9243b44457a9228ac7",
              "status": "affected",
              "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack.h",
            "net/netfilter/nf_conntrack_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n    [exception RIP: __nf_ct_delete_from_lists+172]\n    [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n    [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct-\u003estatus is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct-\u003etimeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry.  If we ignore\nct-\u003estatus and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n  - ct hlist pointers are overloaded and store/cache the raw tuple hash\n  - ct-\u003etimeout matches the relative time expected for a new udp flow\n    rather than the absolute \u0027jiffies\u0027 value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t\u003cpreemption\u003e\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct-\u003estatus set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z.  cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t-\u003erefcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t-\u003etimeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct-\u003estatus |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t\u003cresumes\u003e\n\t\t\tnf_ct_expired()\n\t\t\t -\u003e yes (ct-\u003etimeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -\u003e set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn\u0027t guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t\u003cunblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev\u003e\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout \u0027cpu y\u0027 race, \u0027garbage\u0027 hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free\u0027d and E gets\ndestroyed via: nf_conntrack_put -\u003e nf_conntrack_destroy -\u003e nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn\u0027t matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:33.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22"
        },
        {
          "url": "https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc"
        },
        {
          "url": "https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7"
        }
      ],
      "title": "netfilter: nf_conntrack: fix crash due to removal of uninitialised entry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38472",
    "datePublished": "2025-07-28T11:21:33.977Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:37.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50327 (GCVE-0-2022-50327)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:49 – Updated: 2025-12-23 13:28

Title

ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d…
	https://git.kernel.org/stable/c/fdee7a0acc566c419…
	https://git.kernel.org/stable/c/ad1190744da9d812d…
	https://git.kernel.org/stable/c/2ecd629c788bbfb96…
	https://git.kernel.org/stable/c/b85f0e292f73f353e…
	https://git.kernel.org/stable/c/2437513a814b3e93b…

Impacted products

Vendor

Product

Version

Linux

Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < fdee7a0acc566c4194d40a501b8a1584e86cc208 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < ad1190744da9d812da55b76f2afce750afb0a3bd (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 2ecd629c788bbfb96be058edade2e934d3763eaf (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < b85f0e292f73f353eea915499604fbf50c8238b4 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 2437513a814b3e93bd02879740a8a06e52e2cf7d (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:03.047Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/processor_idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "fdee7a0acc566c4194d40a501b8a1584e86cc208",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "ad1190744da9d812da55b76f2afce750afb0a3bd",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "2ecd629c788bbfb96be058edade2e934d3763eaf",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "b85f0e292f73f353eea915499604fbf50c8238b4",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "2437513a814b3e93bd02879740a8a06e52e2cf7d",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/processor_idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:28:29.153Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdee7a0acc566c4194d40a501b8a1584e86cc208"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad1190744da9d812da55b76f2afce750afb0a3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ecd629c788bbfb96be058edade2e934d3763eaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/b85f0e292f73f353eea915499604fbf50c8238b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2437513a814b3e93bd02879740a8a06e52e2cf7d"
        }
      ],
      "title": "ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50327",
    "datePublished": "2025-09-15T14:49:26.711Z",
    "dateReserved": "2025-09-15T14:18:36.815Z",
    "dateUpdated": "2025-12-23T13:28:29.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38622 (GCVE-0-2025-38622)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

net: drop UFO packets in udp_rcv_segment()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen. ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:4572! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_pull_rcsum+0x8e/0xa0 Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000 RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001 R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 Call Trace: <TASK> udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 napi_complete_done+0x78/0x180 net/core/dev.c:6580 tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909 tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984 vfs_write+0x300/0x420 fs/read_write.c:593 ksys_write+0x60/0xd0 fs/read_write.c:686 do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63 </TASK> To trigger gso segment in udp_queue_rcv_skb(), we should also set option UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try to pull udphdr, but the skb size has been segmented to gso size, which leads to this crash. Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") introduces segmentation in UDP receive path only for GRO, which was never intended to be used for UFO, so drop UFO packets in udp_rcv_segment().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/72f97d3cb791e2649…
	https://git.kernel.org/stable/c/df6ad849d59256dcc…
	https://git.kernel.org/stable/c/4c1022220b1b6fea8…
	https://git.kernel.org/stable/c/791f32c5eab33ca3a…
	https://git.kernel.org/stable/c/0d45954034f8edd6d…
	https://git.kernel.org/stable/c/c0ec2e47f1e92d69b…
	https://git.kernel.org/stable/c/fc45b3f9599b657d4…
	https://git.kernel.org/stable/c/0c639c6479ec44803…
	https://git.kernel.org/stable/c/d46e51f1c78b9ab93…

Impacted products

Vendor

Product

Version

Linux

Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < 72f97d3cb791e26492236b2be7fd70d2c6222555 (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < df6ad849d59256dcc0e2234844ef9f0daf885f5c (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < 4c1022220b1b6fea802175e80444923a3bbf93a5 (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < 791f32c5eab33ca3a153f8f6f763aa0df1ddc320 (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < 0d45954034f8edd6d4052e0190d3d6335c37e4de (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < c0ec2e47f1e92d69b42b17a4a1e543256778393e (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < fc45b3f9599b657d4a64bcf423d2a977b3e13a49 (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < 0c639c6479ec4480372901a5fc566f7588cf5522 (git)
Affected: cf329aa42b6659204fee865bbce0ea20462552eb , < d46e51f1c78b9ab9323610feb14238d06d46d519 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:32.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/udp.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "72f97d3cb791e26492236b2be7fd70d2c6222555",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "df6ad849d59256dcc0e2234844ef9f0daf885f5c",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "4c1022220b1b6fea802175e80444923a3bbf93a5",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "791f32c5eab33ca3a153f8f6f763aa0df1ddc320",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "0d45954034f8edd6d4052e0190d3d6335c37e4de",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "c0ec2e47f1e92d69b42b17a4a1e543256778393e",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "fc45b3f9599b657d4a64bcf423d2a977b3e13a49",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "0c639c6479ec4480372901a5fc566f7588cf5522",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            },
            {
              "lessThan": "d46e51f1c78b9ab9323610feb14238d06d46d519",
              "status": "affected",
              "version": "cf329aa42b6659204fee865bbce0ea20462552eb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/udp.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drop UFO packets in udp_rcv_segment()\n\nWhen sending a packet with virtio_net_hdr to tun device, if the gso_type\nin virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr\nsize, below crash may happen.\n\n  ------------[ cut here ]------------\n  kernel BUG at net/core/skbuff.c:4572!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:skb_pull_rcsum+0x8e/0xa0\n  Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc \u003c0f\u003e 0b 0f 0b 66 66 2e 0f 1f 84 00 000\n  RSP: 0018:ffffc900001fba38 EFLAGS: 00000297\n  RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948\n  RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062\n  RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001\n  R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000\n  R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900\n  FS:  000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0\n  Call Trace:\n   \u003cTASK\u003e\n   udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445\n   udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475\n   udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626\n   __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690\n   ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233\n   ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579\n   ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636\n   ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670\n   __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067\n   netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210\n   napi_complete_done+0x78/0x180 net/core/dev.c:6580\n   tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909\n   tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984\n   vfs_write+0x300/0x420 fs/read_write.c:593\n   ksys_write+0x60/0xd0 fs/read_write.c:686\n   do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63\n   \u003c/TASK\u003e\n\nTo trigger gso segment in udp_queue_rcv_skb(), we should also set option\nUDP_ENCAP_ESPINUDP to enable udp_sk(sk)-\u003eencap_rcv. When the encap_rcv\nhook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try\nto pull udphdr, but the skb size has been segmented to gso size, which\nleads to this crash.\n\nPrevious commit cf329aa42b66 (\"udp: cope with UDP GRO packet misdirection\")\nintroduces segmentation in UDP receive path only for GRO, which was never\nintended to be used for UFO, so drop UFO packets in udp_rcv_segment()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:57.985Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/72f97d3cb791e26492236b2be7fd70d2c6222555"
        },
        {
          "url": "https://git.kernel.org/stable/c/df6ad849d59256dcc0e2234844ef9f0daf885f5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c1022220b1b6fea802175e80444923a3bbf93a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/791f32c5eab33ca3a153f8f6f763aa0df1ddc320"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d45954034f8edd6d4052e0190d3d6335c37e4de"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0ec2e47f1e92d69b42b17a4a1e543256778393e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc45b3f9599b657d4a64bcf423d2a977b3e13a49"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522"
        },
        {
          "url": "https://git.kernel.org/stable/c/d46e51f1c78b9ab9323610feb14238d06d46d519"
        }
      ],
      "title": "net: drop UFO packets in udp_rcv_segment()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38622",
    "datePublished": "2025-08-22T16:00:31.343Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:32.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38683 (GCVE-0-2025-38683)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

hv_netvsc: Fix panic during namespace deletion with VF

Summary

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ca41ab55d23a0aa7…
	https://git.kernel.org/stable/c/3467c4ebb334658c6…
	https://git.kernel.org/stable/c/4eff1e57a8ef98d70…
	https://git.kernel.org/stable/c/2a70cbd1aef8b8be3…
	https://git.kernel.org/stable/c/d036104947176d030…
	https://git.kernel.org/stable/c/5276896e6923ebe8c…
	https://git.kernel.org/stable/c/4293f6c5ccf735b26…
	https://git.kernel.org/stable/c/33caa208dba6fa639…

Impacted products

Vendor

Product

Version

Linux

Affected: 3eb6aa870057da9f1304db660f68b9c2eb7e856d , < 3ca41ab55d23a0aa71661a5a56a8f06c11db90dc (git)
Affected: b7a396f76ada277d049558db648389456458af65 , < 3467c4ebb334658c6fcf3eabb64a6e8b2135e010 (git)
Affected: 4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca , < 4eff1e57a8ef98d70451b94e8437e458b27dd234 (git)
Affected: 62c85b9a0dd7471a362170323e1211ad98ff7b4b , < 2a70cbd1aef8b8be39992ab7b776ce1390091774 (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < d036104947176d030bec64792d54e1b4f4c7f318 (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 5276896e6923ebe8c68573779d784aaf7d987cce (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 4293f6c5ccf735b26afeb6825def14d830e0367b (git)
Affected: 4c262801ea60c518b5bebc22a09f5b78b3147da2 , < 33caa208dba6fa639e8a92fd0c8320b652e5550c (git)
Affected: 7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01 (git)
Affected: 31a38a908c98aebc7a1104dab5f1ba199f234b7b (git)
Affected: 04d748d4bd2d86739b159563f257e3dc5492c88d (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:09.549Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/hyperv_net.h",
            "drivers/net/hyperv/netvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ca41ab55d23a0aa71661a5a56a8f06c11db90dc",
              "status": "affected",
              "version": "3eb6aa870057da9f1304db660f68b9c2eb7e856d",
              "versionType": "git"
            },
            {
              "lessThan": "3467c4ebb334658c6fcf3eabb64a6e8b2135e010",
              "status": "affected",
              "version": "b7a396f76ada277d049558db648389456458af65",
              "versionType": "git"
            },
            {
              "lessThan": "4eff1e57a8ef98d70451b94e8437e458b27dd234",
              "status": "affected",
              "version": "4faa6e3e66b3251eb4bf5761d2f3f0f14095aaca",
              "versionType": "git"
            },
            {
              "lessThan": "2a70cbd1aef8b8be39992ab7b776ce1390091774",
              "status": "affected",
              "version": "62c85b9a0dd7471a362170323e1211ad98ff7b4b",
              "versionType": "git"
            },
            {
              "lessThan": "d036104947176d030bec64792d54e1b4f4c7f318",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "5276896e6923ebe8c68573779d784aaf7d987cce",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "4293f6c5ccf735b26afeb6825def14d830e0367b",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "lessThan": "33caa208dba6fa639e8a92fd0c8320b652e5550c",
              "status": "affected",
              "version": "4c262801ea60c518b5bebc22a09f5b78b3147da2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7abd221a55a61b6b2bf0e80f850bfc0ae75c7e01",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31a38a908c98aebc7a1104dab5f1ba199f234b7b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "04d748d4bd2d86739b159563f257e3dc5492c88d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/hyperv_net.h",
            "drivers/net/hyperv/netvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.170",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.1.115",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.6.59",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.323",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.285",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix panic during namespace deletion with VF\n\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\nreceived on netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() \u003e\u003e default_device_exit_net() is called. When\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings VF NIC back to the default namespace. This will cause\nthe default_device_exit_net() \u003e\u003e for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  231.450246] #PF: supervisor read access in kernel mode\n[  231.450579] #PF: error_code(0x0000) - not-present page\n[  231.450916] PGD 17b8a8067 P4D 0\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  231.452692] Workqueue: netns cleanup_net\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 \u003c48\u003e 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[  231.458434] Call Trace:\n[  231.458600]  \u003cTASK\u003e\n[  231.458777]  ops_undo_list+0x100/0x220\n[  231.459015]  cleanup_net+0x1b8/0x300\n[  231.459285]  process_one_work+0x184/0x340\n\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:54.951Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ca41ab55d23a0aa71661a5a56a8f06c11db90dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/3467c4ebb334658c6fcf3eabb64a6e8b2135e010"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eff1e57a8ef98d70451b94e8437e458b27dd234"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a70cbd1aef8b8be39992ab7b776ce1390091774"
        },
        {
          "url": "https://git.kernel.org/stable/c/d036104947176d030bec64792d54e1b4f4c7f318"
        },
        {
          "url": "https://git.kernel.org/stable/c/5276896e6923ebe8c68573779d784aaf7d987cce"
        },
        {
          "url": "https://git.kernel.org/stable/c/4293f6c5ccf735b26afeb6825def14d830e0367b"
        },
        {
          "url": "https://git.kernel.org/stable/c/33caa208dba6fa639e8a92fd0c8320b652e5550c"
        }
      ],
      "title": "hv_netvsc: Fix panic during namespace deletion with VF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38683",
    "datePublished": "2025-09-04T15:32:38.215Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2025-11-03T17:41:09.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38439 (GCVE-0-2025-38439)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e260f4d49370c85a4…
	https://git.kernel.org/stable/c/16ae306602163fcb7…
	https://git.kernel.org/stable/c/8d672a1a6bfc81fef…
	https://git.kernel.org/stable/c/f9eaf6d036075dc82…
	https://git.kernel.org/stable/c/5909679a82cd74cf0…
	https://git.kernel.org/stable/c/f154e41e1d9d15ab2…
	https://git.kernel.org/stable/c/50dad9909715094e7…
	https://git.kernel.org/stable/c/3cdf199d4755d4779…

Impacted products

Vendor

Product

Version

Linux

Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < e260f4d49370c85a4701d43c6d16b8c39f8b605f (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 16ae306602163fcb7ae83f2701b542e43c100cee (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 8d672a1a6bfc81fef9151925c9c0481f4acf4bec (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < f9eaf6d036075dc820520e1194692c0619b7297b (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 5909679a82cd74cf0343d9e3ddf4b6931aa7e613 (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 50dad9909715094e7d9ca25e9e0412b875987519 (git)
Affected: f18c2b77b2e4eec2313d519ba125bd6a069513cf , < 3cdf199d4755d477972ee87110b2aebc88b3cfad (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:02.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e260f4d49370c85a4701d43c6d16b8c39f8b605f",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "16ae306602163fcb7ae83f2701b542e43c100cee",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "8d672a1a6bfc81fef9151925c9c0481f4acf4bec",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "f9eaf6d036075dc820520e1194692c0619b7297b",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "5909679a82cd74cf0343d9e3ddf4b6931aa7e613",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "50dad9909715094e7d9ca25e9e0412b875987519",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            },
            {
              "lessThan": "3cdf199d4755d477972ee87110b2aebc88b3cfad",
              "status": "affected",
              "version": "f18c2b77b2e4eec2313d519ba125bd6a069513cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n\nWhen transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()\nwith the proper length instead of 0.  This bug triggers this warning\non a system with IOMMU enabled:\n\nWARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170\nRIP: 0010:__iommu_dma_unmap+0x159/0x170\nCode: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45\nb8 4c 89 45 c0 e9 77 ff ff ff \u003c0f\u003e 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00\nRSP: 0018:ff22d31181150c88 EFLAGS: 00010206\nRAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000\nR10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000\nR13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00\nFS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\n? show_regs+0x6d/0x80\n? __warn+0x89/0x160\n? __iommu_dma_unmap+0x159/0x170\n? report_bug+0x17e/0x1b0\n? handle_bug+0x46/0x90\n? exc_invalid_op+0x18/0x80\n? asm_exc_invalid_op+0x1b/0x20\n? __iommu_dma_unmap+0x159/0x170\n? __iommu_dma_unmap+0xb3/0x170\niommu_dma_unmap_page+0x4f/0x100\ndma_unmap_page_attrs+0x52/0x220\n? srso_alias_return_thunk+0x5/0xfbef5\n? xdp_return_frame+0x2e/0xd0\nbnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]\n__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]\nbnxt_poll+0xd3/0x1e0 [bnxt_en]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:14.626Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e260f4d49370c85a4701d43c6d16b8c39f8b605f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16ae306602163fcb7ae83f2701b542e43c100cee"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d672a1a6bfc81fef9151925c9c0481f4acf4bec"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9eaf6d036075dc820520e1194692c0619b7297b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5909679a82cd74cf0343d9e3ddf4b6931aa7e613"
        },
        {
          "url": "https://git.kernel.org/stable/c/f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/50dad9909715094e7d9ca25e9e0412b875987519"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cdf199d4755d477972ee87110b2aebc88b3cfad"
        }
      ],
      "title": "bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38439",
    "datePublished": "2025-07-25T15:27:18.640Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-11-03T17:38:02.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38556 (GCVE-0-2025-38556)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-01-19 12:18

Title

HID: core: Harden s32ton() against conversion to 0 bits

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6cdf6c708717c5c68…
	https://git.kernel.org/stable/c/eeeaba737919bdce9…
	https://git.kernel.org/stable/c/3c86548a20d7bc286…
	https://git.kernel.org/stable/c/810189546cb6c8f36…
	https://git.kernel.org/stable/c/d3b504146c111548a…
	https://git.kernel.org/stable/c/8b4a94b1510f6a46e…
	https://git.kernel.org/stable/c/865ad8469fa24de15…
	https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7…

Impacted products

Vendor

Product

Version

Linux

Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 6cdf6c708717c5c6897d0800a1793e83757c7491 (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < eeeaba737919bdce9885e2a00ac2912f61a3684d (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 3c86548a20d7bc2861aa4de044991a327bebad1a (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 810189546cb6c8f36443ed091d91f1f5d2fc2ec7 (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < d3b504146c111548ab60b6ef7aad00bfb1db05a2 (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 8b4a94b1510f6a46ec48494b52ee8f67eb4fc836 (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 865ad8469fa24de1559f247d9426ab01e5ce3a56 (git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6cdf6c708717c5c6897d0800a1793e83757c7491",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "eeeaba737919bdce9885e2a00ac2912f61a3684d",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "3c86548a20d7bc2861aa4de044991a327bebad1a",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "810189546cb6c8f36443ed091d91f1f5d2fc2ec7",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            },
            {
              "lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
              "status": "affected",
              "version": "dde5845a529ff753364a6d1aea61180946270bfa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity.  Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:03.142Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6cdf6c708717c5c6897d0800a1793e83757c7491"
        },
        {
          "url": "https://git.kernel.org/stable/c/eeeaba737919bdce9885e2a00ac2912f61a3684d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c86548a20d7bc2861aa4de044991a327bebad1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/810189546cb6c8f36443ed091d91f1f5d2fc2ec7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
        },
        {
          "url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
        }
      ],
      "title": "HID: core: Harden s32ton() against conversion to 0 bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38556",
    "datePublished": "2025-08-19T17:02:34.929Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2026-01-19T12:18:03.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38631 (GCVE-0-2025-38631)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55

Title

clk: imx95-blk-ctl: Fix synchronous abort

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: imx95-blk-ctl: Fix synchronous abort When enabling runtime PM for clock suppliers that also belong to a power domain, the following crash is thrown: error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Workqueue: events_unbound deferred_probe_work_func pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : clk_mux_get_parent+0x60/0x90 lr : clk_core_reparent_orphans_nolock+0x58/0xd8 Call trace: clk_mux_get_parent+0x60/0x90 clk_core_reparent_orphans_nolock+0x58/0xd8 of_clk_add_hw_provider.part.0+0x90/0x100 of_clk_add_hw_provider+0x1c/0x38 imx95_bc_probe+0x2e0/0x3f0 platform_probe+0x70/0xd8 Enabling runtime PM without explicitly resuming the device caused the power domain cut off after clk_register() is called. As a result, a crash happens when the clock hardware provider is added and attempts to access the BLK_CTL register. Fix this by using devm_pm_runtime_enable() instead of pm_runtime_enable() and getting rid of the pm_runtime_disable() in the cleanup path.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1dead8bb303f8690…
	https://git.kernel.org/stable/c/9f0ee0baf25b46bb8…
	https://git.kernel.org/stable/c/533dc3cb375cabd8a…
	https://git.kernel.org/stable/c/b08217a257215ed91…

Impacted products

Vendor

Product

Version

Linux

Affected: 5224b189462ff70df328f173b71acfd925092c3c , < c1dead8bb303f86905ea6a09e5acda931165453b (git)
Affected: 5224b189462ff70df328f173b71acfd925092c3c , < 9f0ee0baf25b46bb82655c687718ebb0ae1def7b (git)
Affected: 5224b189462ff70df328f173b71acfd925092c3c , < 533dc3cb375cabd8a2beba293d63ef2acd3d0005 (git)
Affected: 5224b189462ff70df328f173b71acfd925092c3c , < b08217a257215ed9130fce93d35feba66b49bf0a (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/imx/clk-imx95-blk-ctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1dead8bb303f86905ea6a09e5acda931165453b",
              "status": "affected",
              "version": "5224b189462ff70df328f173b71acfd925092c3c",
              "versionType": "git"
            },
            {
              "lessThan": "9f0ee0baf25b46bb82655c687718ebb0ae1def7b",
              "status": "affected",
              "version": "5224b189462ff70df328f173b71acfd925092c3c",
              "versionType": "git"
            },
            {
              "lessThan": "533dc3cb375cabd8a2beba293d63ef2acd3d0005",
              "status": "affected",
              "version": "5224b189462ff70df328f173b71acfd925092c3c",
              "versionType": "git"
            },
            {
              "lessThan": "b08217a257215ed9130fce93d35feba66b49bf0a",
              "status": "affected",
              "version": "5224b189462ff70df328f173b71acfd925092c3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/imx/clk-imx95-blk-ctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx95-blk-ctl: Fix synchronous abort\n\nWhen enabling runtime PM for clock suppliers that also belong to a power\ndomain, the following crash is thrown:\nerror: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\nWorkqueue: events_unbound deferred_probe_work_func\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : clk_mux_get_parent+0x60/0x90\nlr : clk_core_reparent_orphans_nolock+0x58/0xd8\n  Call trace:\n   clk_mux_get_parent+0x60/0x90\n   clk_core_reparent_orphans_nolock+0x58/0xd8\n   of_clk_add_hw_provider.part.0+0x90/0x100\n   of_clk_add_hw_provider+0x1c/0x38\n   imx95_bc_probe+0x2e0/0x3f0\n   platform_probe+0x70/0xd8\n\nEnabling runtime PM without explicitly resuming the device caused\nthe power domain cut off after clk_register() is called. As a result,\na crash happens when the clock hardware provider is added and attempts\nto access the BLK_CTL register.\n\nFix this by using devm_pm_runtime_enable() instead of pm_runtime_enable()\nand getting rid of the pm_runtime_disable() in the cleanup path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:09.669Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1dead8bb303f86905ea6a09e5acda931165453b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f0ee0baf25b46bb82655c687718ebb0ae1def7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/533dc3cb375cabd8a2beba293d63ef2acd3d0005"
        },
        {
          "url": "https://git.kernel.org/stable/c/b08217a257215ed9130fce93d35feba66b49bf0a"
        }
      ],
      "title": "clk: imx95-blk-ctl: Fix synchronous abort",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38631",
    "datePublished": "2025-08-22T16:00:39.582Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:55:09.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39809 (GCVE-0-2025-39809)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22

Title

HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a trailing byte, making the actual length is one more byte than the structs defined. It caused stack-out-of-bounds and kernel crash: kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75 kernel: kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary) kernel: Workqueue: async async_run_entry_fn kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x76/0xa0 kernel: print_report+0xd1/0x660 kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10 kernel: ? __kasan_slab_free+0x5d/0x80 kernel: ? kasan_addr_to_slab+0xd/0xb0 kernel: kasan_report+0xe1/0x120 kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: kasan_check_range+0x11c/0x200 kernel: __asan_memcpy+0x3b/0x80 kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c] kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c] [...] kernel: </TASK> kernel: kernel: The buggy address belongs to stack of task kworker/u33:2/75 kernel: and is located at offset 48 in frame: kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c] kernel: kernel: This frame has 3 objects: kernel: [32, 36) 'hid_desc_addr' kernel: [48, 59) 'i2c_param' kernel: [80, 224) 'i2c_config' ACPI DSD methods return: \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00 \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00 Adding reserved padding to quicki2c_subip_acpi_parameter/config.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4adce86d4b13d15de…
	https://git.kernel.org/stable/c/1db9df89a213318a4…

Impacted products

Vendor

Product

Version

Linux

Affected: 5282e45ccbfa91524944a32d40386c54fdd4d145 , < 4adce86d4b13d15dec7810967839b931b1598700 (git)
Affected: 5282e45ccbfa91524944a32d40386c54fdd4d145 , < 1db9df89a213318a48d958385dc1b17b379dc32b (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-39809",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T18:14:35.149925Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T18:22:54.861Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4adce86d4b13d15dec7810967839b931b1598700",
              "status": "affected",
              "version": "5282e45ccbfa91524944a32d40386c54fdd4d145",
              "versionType": "git"
            },
            {
              "lessThan": "1db9df89a213318a48d958385dc1b17b379dc32b",
              "status": "affected",
              "version": "5282e45ccbfa91524944a32d40386c54fdd4d145",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length\n\nThe QuickI2C ACPI _DSD methods return ICRS and ISUB data with a\ntrailing byte, making the actual length is one more byte than the\nstructs defined.\n\nIt caused stack-out-of-bounds and kernel crash:\n\nkernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75\nkernel:\nkernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\nkernel: Workqueue: async async_run_entry_fn\nkernel: Call Trace:\nkernel:  \u003cTASK\u003e\nkernel:  dump_stack_lvl+0x76/0xa0\nkernel:  print_report+0xd1/0x660\nkernel:  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\nkernel:  ? __kasan_slab_free+0x5d/0x80\nkernel:  ? kasan_addr_to_slab+0xd/0xb0\nkernel:  kasan_report+0xe1/0x120\nkernel:  ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  kasan_check_range+0x11c/0x200\nkernel:  __asan_memcpy+0x3b/0x80\nkernel:  quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]\nkernel:  quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]\n[...]\nkernel:  \u003c/TASK\u003e\nkernel:\nkernel: The buggy address belongs to stack of task kworker/u33:2/75\nkernel:  and is located at offset 48 in frame:\nkernel:  quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]\nkernel:\nkernel: This frame has 3 objects:\nkernel:  [32, 36) \u0027hid_desc_addr\u0027\nkernel:  [48, 59) \u0027i2c_param\u0027\nkernel:  [80, 224) \u0027i2c_config\u0027\n\nACPI DSD methods return:\n\n\\_SB.PC00.THC0.ICRS Buffer       000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00\n\\_SB.PC00.THC0.ISUB Buffer       00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00\n\nAdding reserved padding to quicki2c_subip_acpi_parameter/config."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:59:52.360Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4adce86d4b13d15dec7810967839b931b1598700"
        },
        {
          "url": "https://git.kernel.org/stable/c/1db9df89a213318a48d958385dc1b17b379dc32b"
        }
      ],
      "title": "HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39809",
    "datePublished": "2025-09-16T13:00:11.977Z",
    "dateReserved": "2025-04-16T07:20:57.137Z",
    "dateUpdated": "2026-01-14T18:22:54.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38648 (GCVE-0-2025-38648)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55

Title

spi: stm32: Check for cfg availability in stm32_spi_probe

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: stm32: Check for cfg availability in stm32_spi_probe The stm32_spi_probe function now includes a check to ensure that the pointer returned by of_device_get_match_data is not NULL before accessing its members. This resolves a warning where a potential NULL pointer dereference could occur when accessing cfg->has_device_mode. Before accessing the 'has_device_mode' member, we verify that 'cfg' is not NULL. If 'cfg' is NULL, an error message is logged. This change ensures that the driver does not attempt to access configuration data if it is not available, thus preventing a potential system crash due to a NULL pointer dereference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6031a54f4eac921ef…
	https://git.kernel.org/stable/c/a7645815edf4478f3…
	https://git.kernel.org/stable/c/3a571a8d52272cc26…
	https://git.kernel.org/stable/c/cc063d23ad80ef7d2…
	https://git.kernel.org/stable/c/21f1c800f6620e43f…

Impacted products

Vendor

Product

Version

Linux

Affected: fee681646fc831b154619ac0261afedcc7e671e7 , < 6031a54f4eac921efe6122a561d44df89b37f2d4 (git)
Affected: fee681646fc831b154619ac0261afedcc7e671e7 , < a7645815edf4478f3258bb0db95a08986a77f5c0 (git)
Affected: fee681646fc831b154619ac0261afedcc7e671e7 , < 3a571a8d52272cc26858ab1bc83d0f66e5dee938 (git)
Affected: fee681646fc831b154619ac0261afedcc7e671e7 , < cc063d23ad80ef7d201c41b2716b1bae7c662cf9 (git)
Affected: fee681646fc831b154619ac0261afedcc7e671e7 , < 21f1c800f6620e43f31dfd76709dbac8ebaa5a16 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-stm32.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6031a54f4eac921efe6122a561d44df89b37f2d4",
              "status": "affected",
              "version": "fee681646fc831b154619ac0261afedcc7e671e7",
              "versionType": "git"
            },
            {
              "lessThan": "a7645815edf4478f3258bb0db95a08986a77f5c0",
              "status": "affected",
              "version": "fee681646fc831b154619ac0261afedcc7e671e7",
              "versionType": "git"
            },
            {
              "lessThan": "3a571a8d52272cc26858ab1bc83d0f66e5dee938",
              "status": "affected",
              "version": "fee681646fc831b154619ac0261afedcc7e671e7",
              "versionType": "git"
            },
            {
              "lessThan": "cc063d23ad80ef7d201c41b2716b1bae7c662cf9",
              "status": "affected",
              "version": "fee681646fc831b154619ac0261afedcc7e671e7",
              "versionType": "git"
            },
            {
              "lessThan": "21f1c800f6620e43f31dfd76709dbac8ebaa5a16",
              "status": "affected",
              "version": "fee681646fc831b154619ac0261afedcc7e671e7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-stm32.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: stm32: Check for cfg availability in stm32_spi_probe\n\nThe stm32_spi_probe function now includes a check to ensure that the\npointer returned by of_device_get_match_data is not NULL before\naccessing its members. This resolves a warning where a potential NULL\npointer dereference could occur when accessing cfg-\u003ehas_device_mode.\n\nBefore accessing the \u0027has_device_mode\u0027 member, we verify that \u0027cfg\u0027 is\nnot NULL. If \u0027cfg\u0027 is NULL, an error message is logged.\n\nThis change ensures that the driver does not attempt to access\nconfiguration data if it is not available, thus preventing a potential\nsystem crash due to a NULL pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:28.653Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6031a54f4eac921efe6122a561d44df89b37f2d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7645815edf4478f3258bb0db95a08986a77f5c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a571a8d52272cc26858ab1bc83d0f66e5dee938"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc063d23ad80ef7d201c41b2716b1bae7c662cf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/21f1c800f6620e43f31dfd76709dbac8ebaa5a16"
        }
      ],
      "title": "spi: stm32: Check for cfg availability in stm32_spi_probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38648",
    "datePublished": "2025-08-22T16:00:52.825Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-09-29T05:55:28.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38626 (GCVE-0-2025-38626)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55

Title

f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode w/ "mode=lfs" mount option, generic/299 will cause system panic as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2835! Call Trace: <TASK> f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may trigger foreground gc only if it allocates any physical block, it will be a little bit later when there is multiple threads writing data w/ aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so f2fs_map_blocks() does block allocations aggressively. In order to fix this issue, let's give a chance to trigger foreground gc in prior to block allocation in f2fs_map_blocks().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f289690f50a01c3e0…
	https://git.kernel.org/stable/c/82765ce5c7a56f930…
	https://git.kernel.org/stable/c/264ede8a52f18647e…
	https://git.kernel.org/stable/c/385e64a0744584397…
	https://git.kernel.org/stable/c/1005a3ca28e90c7a6…

Impacted products

Vendor

Product

Version

Linux

Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < f289690f50a01c3e085d87853392d5b7436a4cee (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 82765ce5c7a56f9309ee45328e763610eaf11253 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 385e64a0744584397b4b52b27c96703516f39968 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 1005a3ca28e90c7a64fa43023f866b960a60f791 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f289690f50a01c3e085d87853392d5b7436a4cee",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "82765ce5c7a56f9309ee45328e763610eaf11253",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "385e64a0744584397b4b52b27c96703516f39968",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "1005a3ca28e90c7a64fa43023f866b960a60f791",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\n\nw/ \"mode=lfs\" mount option, generic/299 will cause system panic as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2835!\nCall Trace:\n \u003cTASK\u003e\n f2fs_allocate_data_block+0x6f4/0xc50\n f2fs_map_blocks+0x970/0x1550\n f2fs_iomap_begin+0xb2/0x1e0\n iomap_iter+0x1d6/0x430\n __iomap_dio_rw+0x208/0x9a0\n f2fs_file_write_iter+0x6b3/0xfa0\n aio_write+0x15d/0x2e0\n io_submit_one+0x55e/0xab0\n __x64_sys_io_submit+0xa5/0x230\n do_syscall_64+0x84/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0010:new_curseg+0x70f/0x720\n\nThe root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may\ntrigger foreground gc only if it allocates any physical block, it will be\na little bit later when there is multiple threads writing data w/\naio/dio/bufio method in parallel, since we always use OPU in lfs mode, so\nf2fs_map_blocks() does block allocations aggressively.\n\nIn order to fix this issue, let\u0027s give a chance to trigger foreground\ngc in prior to block allocation in f2fs_map_blocks()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:03.699Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee"
        },
        {
          "url": "https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253"
        },
        {
          "url": "https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968"
        },
        {
          "url": "https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791"
        }
      ],
      "title": "f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38626",
    "datePublished": "2025-08-22T16:00:34.867Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:55:03.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38437 (GCVE-0-2025-38437)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

ksmbd: fix potential use-after-free in oplock/lease break ack

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e38ec88a2b42c4946…
	https://git.kernel.org/stable/c/97c355989928a5f60…
	https://git.kernel.org/stable/c/815f1161d6dbc4c54…
	https://git.kernel.org/stable/c/8106adc21a2270c16…
	https://git.kernel.org/stable/c/50f930db22365738d…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < e38ec88a2b42c494601b1213816d75f0b54d9bf0 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 97c355989928a5f60b228ef5266c1be67a46cdf9 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 815f1161d6dbc4c54ccf94b7d3fdeab34b4d7477 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8106adc21a2270c16abf69cd74ccd7c79c6e7acd (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 50f930db22365738d9387c974416f38a06e8057e (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:00.632Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e38ec88a2b42c494601b1213816d75f0b54d9bf0",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "97c355989928a5f60b228ef5266c1be67a46cdf9",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "815f1161d6dbc4c54ccf94b7d3fdeab34b4d7477",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "8106adc21a2270c16abf69cd74ccd7c79c6e7acd",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "50f930db22365738d9387c974416f38a06e8057e",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential use-after-free in oplock/lease break ack\n\nIf ksmbd_iov_pin_rsp return error, use-after-free can happen by\naccessing opinfo-\u003estate and opinfo_put and ksmbd_fd_put could\ncalled twice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:17:00.949Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e38ec88a2b42c494601b1213816d75f0b54d9bf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c355989928a5f60b228ef5266c1be67a46cdf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/815f1161d6dbc4c54ccf94b7d3fdeab34b4d7477"
        },
        {
          "url": "https://git.kernel.org/stable/c/8106adc21a2270c16abf69cd74ccd7c79c6e7acd"
        },
        {
          "url": "https://git.kernel.org/stable/c/50f930db22365738d9387c974416f38a06e8057e"
        }
      ],
      "title": "ksmbd: fix potential use-after-free in oplock/lease break ack",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38437",
    "datePublished": "2025-07-25T15:27:16.995Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-11-03T17:38:00.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39806 (GCVE-0-2025-39806)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43

Title

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4263e5851779f7d8e…
	https://git.kernel.org/stable/c/7ab7311c43ae19c66…
	https://git.kernel.org/stable/c/d4e6e2680807671e1…
	https://git.kernel.org/stable/c/3055309821dd3da92…
	https://git.kernel.org/stable/c/c13e95587583d018c…
	https://git.kernel.org/stable/c/0379eb8691b9c4477…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 , < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d (git)
Affected: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 , < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 (git)
Affected: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b , < d4e6e2680807671e1c73cd6a986b33659ce92f2b (git)
Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 3055309821dd3da92888f88bad10f0324c3c89fe (git)
Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < c13e95587583d018cfbcc277df7e02d41902ac5a (git)
Affected: c8000deb68365b461b324d68c7ea89d730f0bb85 , < 0379eb8691b9c4477da0277ae0832036ca4410b4 (git)
Affected: d189e24a42b8bd0ece3d28801d751bf66dba8e92 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.45 , ≤ 6.12.* (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:32.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-multitouch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d",
              "status": "affected",
              "version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0",
              "versionType": "git"
            },
            {
              "lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338",
              "status": "affected",
              "version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1",
              "versionType": "git"
            },
            {
              "lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b",
              "status": "affected",
              "version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b",
              "versionType": "git"
            },
            {
              "lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe",
              "status": "affected",
              "version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
              "versionType": "git"
            },
            {
              "lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a",
              "status": "affected",
              "version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
              "versionType": "git"
            },
            {
              "lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4",
              "status": "affected",
              "version": "c8000deb68365b461b324d68c7ea89d730f0bb85",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-multitouch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "5.15.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "6.1.111",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "6.6.52",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.45",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[   13.671954] ==================================================================\n[   13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[   13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[   13.673297]\n[   13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[   13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[   13.673297] Call Trace:\n[   13.673297]  \u003cTASK\u003e\n[   13.673297]  dump_stack_lvl+0x5f/0x80\n[   13.673297]  print_report+0xd1/0x660\n[   13.673297]  kasan_report+0xe5/0x120\n[   13.673297]  __asan_report_load1_noabort+0x18/0x20\n[   13.673297]  mt_report_fixup+0x103/0x110\n[   13.673297]  hid_open_report+0x1ef/0x810\n[   13.673297]  mt_probe+0x422/0x960\n[   13.673297]  hid_device_probe+0x2e2/0x6f0\n[   13.673297]  really_probe+0x1c6/0x6b0\n[   13.673297]  __driver_probe_device+0x24f/0x310\n[   13.673297]  driver_probe_device+0x4e/0x220\n[   13.673297]  __device_attach_driver+0x169/0x320\n[   13.673297]  bus_for_each_drv+0x11d/0x1b0\n[   13.673297]  __device_attach+0x1b8/0x3e0\n[   13.673297]  device_initial_probe+0x12/0x20\n[   13.673297]  bus_probe_device+0x13d/0x180\n[   13.673297]  device_add+0xe3a/0x1670\n[   13.673297]  hid_add_device+0x31d/0xa40\n[...]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:59:48.576Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4"
        }
      ],
      "title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39806",
    "datePublished": "2025-09-16T13:00:09.524Z",
    "dateReserved": "2025-04-16T07:20:57.136Z",
    "dateUpdated": "2025-11-03T17:43:32.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38609 (GCVE-0-2025-38609)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

PM / devfreq: Check governor before using governor->name

Summary

In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor before using governor->name Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") removes governor_name and uses governor->name to replace it. But devfreq->governor may be NULL and directly using devfreq->governor->name may cause null pointer exception. Move the check of governor to before using governor->name.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f0479e878d4beb45e…
	https://git.kernel.org/stable/c/631e101728df2a86b…
	https://git.kernel.org/stable/c/81f50619370045120…
	https://git.kernel.org/stable/c/d5632359dbc44862f…
	https://git.kernel.org/stable/c/2731c68f536fddcb7…
	https://git.kernel.org/stable/c/75323a49aa603cf54…
	https://git.kernel.org/stable/c/bab7834c03820eb11…

Impacted products

Vendor

Product

Version

Linux

Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < f0479e878d4beb45e73c03e574c59f0a23ccd176 (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < 631e101728df2a86b8fb761b49fad9712c651f8a (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < 81f50619370045120c133bfdda5b320c8c97d41e (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < d5632359dbc44862fc1ed04093c1f57529830261 (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < 2731c68f536fddcb71332db7f8d78c5eb4684c04 (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < 75323a49aa603cf5484a6d74d0d329e86d756e11 (git)
Affected: 96ffcdf239de6f9970178bb7d643e16fd9e68ab9 , < bab7834c03820eb11269bc48f07c3800192460d2 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:22.664Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/devfreq/devfreq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f0479e878d4beb45e73c03e574c59f0a23ccd176",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "631e101728df2a86b8fb761b49fad9712c651f8a",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "81f50619370045120c133bfdda5b320c8c97d41e",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "d5632359dbc44862fc1ed04093c1f57529830261",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "2731c68f536fddcb71332db7f8d78c5eb4684c04",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "75323a49aa603cf5484a6d74d0d329e86d756e11",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            },
            {
              "lessThan": "bab7834c03820eb11269bc48f07c3800192460d2",
              "status": "affected",
              "version": "96ffcdf239de6f9970178bb7d643e16fd9e68ab9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/devfreq/devfreq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Check governor before using governor-\u003ename\n\nCommit 96ffcdf239de (\"PM / devfreq: Remove redundant governor_name from\nstruct devfreq\") removes governor_name and uses governor-\u003ename to replace\nit. But devfreq-\u003egovernor may be NULL and directly using\ndevfreq-\u003egovernor-\u003ename may cause null pointer exception. Move the check of\ngovernor to before using governor-\u003ename."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:43.955Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f0479e878d4beb45e73c03e574c59f0a23ccd176"
        },
        {
          "url": "https://git.kernel.org/stable/c/631e101728df2a86b8fb761b49fad9712c651f8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/81f50619370045120c133bfdda5b320c8c97d41e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5632359dbc44862fc1ed04093c1f57529830261"
        },
        {
          "url": "https://git.kernel.org/stable/c/2731c68f536fddcb71332db7f8d78c5eb4684c04"
        },
        {
          "url": "https://git.kernel.org/stable/c/75323a49aa603cf5484a6d74d0d329e86d756e11"
        },
        {
          "url": "https://git.kernel.org/stable/c/bab7834c03820eb11269bc48f07c3800192460d2"
        }
      ],
      "title": "PM / devfreq: Check governor before using governor-\u003ename",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38609",
    "datePublished": "2025-08-19T17:03:52.542Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:22.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-35867 (GCVE-0-2024-35867)

Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-01-05 10:35

Title

smb: client: fix potential UAF in cifs_stats_proc_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/838ec01ea8d3deb5d…
	https://git.kernel.org/stable/c/bb6570085826291dc…
	https://git.kernel.org/stable/c/16b7d785775eb0392…
	https://git.kernel.org/stable/c/c3cf8b74c57924c09…
	https://git.kernel.org/stable/c/1e12f0d5c66f07c93…
	https://git.kernel.org/stable/c/0865ffefea197b437…

Impacted products

Vendor

Product

Version

Linux

Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 838ec01ea8d3deb5d123e8ed9022e8162dc3f503 (git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < bb6570085826291dc392005f9fec16ea5da3c8ad (git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 16b7d785775eb03929766819415055e367398f49 (git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < c3cf8b74c57924c0985e49a1fdf02d3395111f39 (git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 1e12f0d5c66f07c934041621351973a116fa13c7 (git)
Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 0865ffefea197b437ba78b5dd8d8e256253efd65 (git)
Affected: a67172a013953664b1dad03c648200c70b90506c (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.85 , ≤ 6.1.* (semver)
Unaffected: 6.6.26 , ≤ 6.6.* (semver)
Unaffected: 6.8.5 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:29:58.093Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/05/29/2"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35867",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:41:20.780452Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:32:49.626Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifs_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "838ec01ea8d3deb5d123e8ed9022e8162dc3f503",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "bb6570085826291dc392005f9fec16ea5da3c8ad",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "16b7d785775eb03929766819415055e367398f49",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "c3cf8b74c57924c0985e49a1fdf02d3395111f39",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "1e12f0d5c66f07c934041621351973a116fa13c7",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "0865ffefea197b437ba78b5dd8d8e256253efd65",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a67172a013953664b1dad03c648200c70b90506c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifs_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.85",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.26",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.48",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:35:34.384Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/838ec01ea8d3deb5d123e8ed9022e8162dc3f503"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb6570085826291dc392005f9fec16ea5da3c8ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65"
        }
      ],
      "title": "smb: client: fix potential UAF in cifs_stats_proc_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35867",
    "datePublished": "2024-05-19T08:34:25.911Z",
    "dateReserved": "2024-05-17T13:50:33.107Z",
    "dateUpdated": "2026-01-05T10:35:34.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38555 (GCVE-0-2025-38555)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39

Title

usb: gadget : fix use-after-free in composite_dev_cleanup()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will lead to a use-after-free issue. BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 Read of size 8 at addr 0000004827837a00 by task init/1 CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 kasan_report+0x188/0x1cc __asan_load8+0xb4/0xbc composite_dev_cleanup+0xf4/0x2c0 configfs_composite_bind+0x210/0x7ac udc_bind_to_driver+0xb4/0x1ec usb_gadget_probe_driver+0xec/0x21c gadget_dev_desc_UDC_store+0x264/0x27c

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dba96dfa5a0f685b9…
	https://git.kernel.org/stable/c/2db29235e900a084a…
	https://git.kernel.org/stable/c/8afb22aa063f706f3…
	https://git.kernel.org/stable/c/e624bf26127645a2f…
	https://git.kernel.org/stable/c/aada327a9f8028c57…
	https://git.kernel.org/stable/c/5f06ee9f9a3665d43…
	https://git.kernel.org/stable/c/bd3c4ef60baf7f65c…
	https://git.kernel.org/stable/c/e1be1f380c82a69f8…
	https://git.kernel.org/stable/c/151c0aa896c47a445…

Impacted products

Vendor

Product

Version

Linux

Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < dba96dfa5a0f685b959dd28a52ac8dab0b805204 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < 2db29235e900a084a656dea7e0939b0abb7bb897 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < 8afb22aa063f706f3343707cdfb8cda4d021dd33 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < e624bf26127645a2f7821e73fdf6dc64bad07835 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < aada327a9f8028c573636fa60c0abc80fb8135c9 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < 5f06ee9f9a3665d43133f125c17e5258a13f3963 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < e1be1f380c82a69f80c68c96a7cfe8759fb30355 (git)
Affected: 37a3a533429ef9b3cc9f15a656c19623f0e88df7 , < 151c0aa896c47a4459e07fee7d4843f44c1bb18e (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:48.711Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/composite.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dba96dfa5a0f685b959dd28a52ac8dab0b805204",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "2db29235e900a084a656dea7e0939b0abb7bb897",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "8afb22aa063f706f3343707cdfb8cda4d021dd33",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "e624bf26127645a2f7821e73fdf6dc64bad07835",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "aada327a9f8028c573636fa60c0abc80fb8135c9",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "5f06ee9f9a3665d43133f125c17e5258a13f3963",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "e1be1f380c82a69f80c68c96a7cfe8759fb30355",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            },
            {
              "lessThan": "151c0aa896c47a4459e07fee7d4843f44c1bb18e",
              "status": "affected",
              "version": "37a3a533429ef9b3cc9f15a656c19623f0e88df7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/composite.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget : fix use-after-free in composite_dev_cleanup()\n\n1. In func configfs_composite_bind() -\u003e composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev-\u003eos_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. in func configfs_composite_bind() -\u003e composite_dev_cleanup():\nit will checks whether cdev-\u003eos_desc_req is NULL. If it is not NULL, it\nwill attempt to use it.This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:42.268Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dba96dfa5a0f685b959dd28a52ac8dab0b805204"
        },
        {
          "url": "https://git.kernel.org/stable/c/2db29235e900a084a656dea7e0939b0abb7bb897"
        },
        {
          "url": "https://git.kernel.org/stable/c/8afb22aa063f706f3343707cdfb8cda4d021dd33"
        },
        {
          "url": "https://git.kernel.org/stable/c/e624bf26127645a2f7821e73fdf6dc64bad07835"
        },
        {
          "url": "https://git.kernel.org/stable/c/aada327a9f8028c573636fa60c0abc80fb8135c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f06ee9f9a3665d43133f125c17e5258a13f3963"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1be1f380c82a69f80c68c96a7cfe8759fb30355"
        },
        {
          "url": "https://git.kernel.org/stable/c/151c0aa896c47a4459e07fee7d4843f44c1bb18e"
        }
      ],
      "title": "usb: gadget : fix use-after-free in composite_dev_cleanup()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38555",
    "datePublished": "2025-08-19T17:02:34.110Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-11-03T17:39:48.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38610 (GCVE-0-2025-38610)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()

Summary

In the Linux kernel, the following vulnerability has been resolved: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() The get_pd_power_uw() function can crash with a NULL pointer dereference when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible during runtime, causing get_cpu_device() to return NULL, which propagates through em_cpu_get() and leads to a crash when em_span_cpus() dereferences the NULL pointer. Add a NULL check after em_cpu_get() and return 0 if unavailable, matching the existing fallback behavior in __dtpm_cpu_setup(). [ rjw: Drop an excess empty code line ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/27914f2b795e2b58e…
	https://git.kernel.org/stable/c/c6ec27091cf5ac050…
	https://git.kernel.org/stable/c/8374ac7d69a57d737…
	https://git.kernel.org/stable/c/27e0318f0ea69fcfa…
	https://git.kernel.org/stable/c/2fd001a0075ac01dc…
	https://git.kernel.org/stable/c/46dc57406887dd025…

Impacted products

Vendor

Product

Version

Linux

Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < 27914f2b795e2b58e9506f281dcdd98fef09d3c2 (git)
Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < c6ec27091cf5ac05094c1fe3a6ce914cf711a37c (git)
Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < 8374ac7d69a57d737e701a851ffe980a0d27d3ad (git)
Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < 27e0318f0ea69fcfa32228847debc384ade14578 (git)
Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < 2fd001a0075ac01dc64a28a8e21226b3d989a91d (git)
Affected: eb82bace893169b319c563b7f813c58a0a5a9f76 , < 46dc57406887dd02565cb264224194a6776d882b (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:23.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/powercap/dtpm_cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27914f2b795e2b58e9506f281dcdd98fef09d3c2",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            },
            {
              "lessThan": "c6ec27091cf5ac05094c1fe3a6ce914cf711a37c",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            },
            {
              "lessThan": "8374ac7d69a57d737e701a851ffe980a0d27d3ad",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            },
            {
              "lessThan": "27e0318f0ea69fcfa32228847debc384ade14578",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            },
            {
              "lessThan": "2fd001a0075ac01dc64a28a8e21226b3d989a91d",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            },
            {
              "lessThan": "46dc57406887dd02565cb264224194a6776d882b",
              "status": "affected",
              "version": "eb82bace893169b319c563b7f813c58a0a5a9f76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/powercap/dtpm_cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()\n\nThe get_pd_power_uw() function can crash with a NULL pointer dereference\nwhen em_cpu_get() returns NULL. This occurs when a CPU becomes impossible\nduring runtime, causing get_cpu_device() to return NULL, which propagates\nthrough em_cpu_get() and leads to a crash when em_span_cpus() dereferences\nthe NULL pointer.\n\nAdd a NULL check after em_cpu_get() and return 0 if unavailable,\nmatching the existing fallback behavior in __dtpm_cpu_setup().\n\n[ rjw: Drop an excess empty code line ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:45.207Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27914f2b795e2b58e9506f281dcdd98fef09d3c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6ec27091cf5ac05094c1fe3a6ce914cf711a37c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8374ac7d69a57d737e701a851ffe980a0d27d3ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/27e0318f0ea69fcfa32228847debc384ade14578"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fd001a0075ac01dc64a28a8e21226b3d989a91d"
        },
        {
          "url": "https://git.kernel.org/stable/c/46dc57406887dd02565cb264224194a6776d882b"
        }
      ],
      "title": "powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38610",
    "datePublished": "2025-08-19T17:03:53.255Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:23.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38547 (GCVE-0-2025-38547)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:34 – Updated: 2025-08-16 11:34

Title

iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. Add the missing sentinel entry.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/086a76474121bf235…
	https://git.kernel.org/stable/c/0c0c01c88bb699515…
	https://git.kernel.org/stable/c/3281ddcea6429f7bc…

Impacted products

Vendor

Product

Version

Linux

Affected: 5ba0cb92584ba5e107c97001e09013c1da0772a8 , < 086a76474121bf2351438e311376ec67b410b2ea (git)
Affected: 5ba0cb92584ba5e107c97001e09013c1da0772a8 , < 0c0c01c88bb69951539539d2001e67f0c613001f (git)
Affected: 5ba0cb92584ba5e107c97001e09013c1da0772a8 , < 3281ddcea6429f7bc1fdb39d407752dd1371aba9 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/axp20x_adc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "086a76474121bf2351438e311376ec67b410b2ea",
              "status": "affected",
              "version": "5ba0cb92584ba5e107c97001e09013c1da0772a8",
              "versionType": "git"
            },
            {
              "lessThan": "0c0c01c88bb69951539539d2001e67f0c613001f",
              "status": "affected",
              "version": "5ba0cb92584ba5e107c97001e09013c1da0772a8",
              "versionType": "git"
            },
            {
              "lessThan": "3281ddcea6429f7bc1fdb39d407752dd1371aba9",
              "status": "affected",
              "version": "5ba0cb92584ba5e107c97001e09013c1da0772a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/axp20x_adc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps\n\nThe AXP717 ADC channel maps is missing a sentinel entry at the end. This\ncauses a KASAN warning.\n\nAdd the missing sentinel entry."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:34:15.905Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/086a76474121bf2351438e311376ec67b410b2ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c0c01c88bb69951539539d2001e67f0c613001f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3281ddcea6429f7bc1fdb39d407752dd1371aba9"
        }
      ],
      "title": "iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38547",
    "datePublished": "2025-08-16T11:34:15.905Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-08-16T11:34:15.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38602 (GCVE-0-2025-38602)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

iwlwifi: Add missing check for alloc_ordered_workqueue

Summary

In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c80832d445653baba…
	https://git.kernel.org/stable/c/b398120fbe0acfef6…
	https://git.kernel.org/stable/c/2e9f85ee3b46453a2…
	https://git.kernel.org/stable/c/6663c52608d8d8727…
	https://git.kernel.org/stable/c/ca980f1911a7144d4…
	https://git.kernel.org/stable/c/7dd6350307af6521b…
	https://git.kernel.org/stable/c/c0e43c3f6c0a79381…
	https://git.kernel.org/stable/c/70a1b527eaea9430b…
	https://git.kernel.org/stable/c/90a0d9f339960448a…

Impacted products

Vendor

Product

Version

Linux

Affected: b481de9ca074528fe8c429604e2777db8b89806a , < c80832d445653baba5ac80cd2c2637c437ac881b (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < b398120fbe0acfef60b16f6a0f69902d385d7728 (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < 2e9f85ee3b46453a2f250a57d3a9f10c70c71202 (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < 6663c52608d8d8727bf1911e6d9218069ba1c85e (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < ca980f1911a7144d451d1c31298ab8507c6bd88f (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < 7dd6350307af6521b6240b295c93b7eec4daebe6 (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < c0e43c3f6c0a79381b468574c241065998412b7c (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < 70a1b527eaea9430b1bd87de59f3b9f6bd225701 (git)
Affected: b481de9ca074528fe8c429604e2777db8b89806a , < 90a0d9f339960448a3acc1437a46730f975efd6a (git)

Linux

Affected: 2.6.24
Unaffected: 0 , < 2.6.24 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:17.635Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/dvm/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c80832d445653baba5ac80cd2c2637c437ac881b",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "b398120fbe0acfef60b16f6a0f69902d385d7728",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "2e9f85ee3b46453a2f250a57d3a9f10c70c71202",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "6663c52608d8d8727bf1911e6d9218069ba1c85e",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "ca980f1911a7144d451d1c31298ab8507c6bd88f",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "7dd6350307af6521b6240b295c93b7eec4daebe6",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "c0e43c3f6c0a79381b468574c241065998412b7c",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "70a1b527eaea9430b1bd87de59f3b9f6bd225701",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            },
            {
              "lessThan": "90a0d9f339960448a3acc1437a46730f975efd6a",
              "status": "affected",
              "version": "b481de9ca074528fe8c429604e2777db8b89806a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/dvm/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue since it may\nreturn NULL pointer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:37.082Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c80832d445653baba5ac80cd2c2637c437ac881b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b398120fbe0acfef60b16f6a0f69902d385d7728"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e9f85ee3b46453a2f250a57d3a9f10c70c71202"
        },
        {
          "url": "https://git.kernel.org/stable/c/6663c52608d8d8727bf1911e6d9218069ba1c85e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca980f1911a7144d451d1c31298ab8507c6bd88f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dd6350307af6521b6240b295c93b7eec4daebe6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0e43c3f6c0a79381b468574c241065998412b7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/70a1b527eaea9430b1bd87de59f3b9f6bd225701"
        },
        {
          "url": "https://git.kernel.org/stable/c/90a0d9f339960448a3acc1437a46730f975efd6a"
        }
      ],
      "title": "iwlwifi: Add missing check for alloc_ordered_workqueue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38602",
    "datePublished": "2025-08-19T17:03:41.604Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-11-03T17:40:17.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39812 (GCVE-0-2025-39812)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43

Title

sctp: initialize more fields in sctp_v6_from_sk()

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in sctp_v6_from_sk() syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo. BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983 sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390 sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452 sctp_get_port net/sctp/socket.c:8523 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930 x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable addr.i.i created at: sctp_get_port net/sctp/socket.c:8515 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/45e4b36593edffb7b…
	https://git.kernel.org/stable/c/9546934c2054bba1b…
	https://git.kernel.org/stable/c/17d6c7747045e9b80…
	https://git.kernel.org/stable/c/65b4693d8bab5370c…
	https://git.kernel.org/stable/c/463aa96fca6209bb2…
	https://git.kernel.org/stable/c/1bbc0c02aea1f1c40…
	https://git.kernel.org/stable/c/f6c2cc99fc2387ba6…
	https://git.kernel.org/stable/c/2e8750469242cad8f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 45e4b36593edffb7bbee5828ae820bc10a9fa0f3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9546934c2054bba1bd605c44e936619159a34027 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17d6c7747045e9b802c2f5dfaba260d309d831ae (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 65b4693d8bab5370cfcb44a275b4d8dcb06e56bf (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 463aa96fca6209bb205f49f7deea3817d7ddaa3a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bbc0c02aea1f1c405bd1271466889c25a1fe01b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6c2cc99fc2387ba6499facd6108f6543382792d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2e8750469242cad8f01f320131fd5a6f540dbb99 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.298 , ≤ 5.4.* (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.45 , ≤ 6.12.* (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:36.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "45e4b36593edffb7bbee5828ae820bc10a9fa0f3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9546934c2054bba1bd605c44e936619159a34027",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17d6c7747045e9b802c2f5dfaba260d309d831ae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "65b4693d8bab5370cfcb44a275b4d8dcb06e56bf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "463aa96fca6209bb205f49f7deea3817d7ddaa3a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1bbc0c02aea1f1c405bd1271466889c25a1fe01b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f6c2cc99fc2387ba6499facd6108f6543382792d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2e8750469242cad8f01f320131fd5a6f540dbb99",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.298",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.45",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n  sctp_get_port net/sctp/socket.c:8523 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n  sctp_get_port net/sctp/socket.c:8515 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:59:56.151Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027"
        },
        {
          "url": "https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99"
        }
      ],
      "title": "sctp: initialize more fields in sctp_v6_from_sk()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39812",
    "datePublished": "2025-09-16T13:00:14.103Z",
    "dateReserved": "2025-04-16T07:20:57.137Z",
    "dateUpdated": "2025-11-03T17:43:36.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38512 (GCVE-0-2025-38512)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2026-01-02 15:30

Title

wifi: prevent A-MSDU attacks in mesh networks

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks. This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt. This defense was tested with mac80211_hwsim against a mesh network that uses an empty Mesh Address Extension field, i.e., when four addresses are used, and when using a 12-byte Mesh Address Extension field, i.e., when six addresses are used. Functionality of normal MSDUs and A-MSDUs was also tested, and confirmed working, when using both an empty and 12-byte Mesh Address Extension field. It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh networks keep being detected and prevented. Note that the vulnerability being patched, and the defense being implemented, was also discussed in the following paper and in the following IEEE 802.11 presentation: https://papers.mathyvanhoef.com/wisec2025.pdf https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e2c8a3c0388aef6bf…
	https://git.kernel.org/stable/c/ec6392061de668114…
	https://git.kernel.org/stable/c/e01851f6e9a665a60…
	https://git.kernel.org/stable/c/6e3b09402cc6c3e34…
	https://git.kernel.org/stable/c/737bb912ebbe45711…

Impacted products

Vendor

Product

Version

Linux

Affected: 79720743421753ff72bfa0d79976c534645b81c1 , < e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80 (git)
Affected: 986e43b19ae9176093da35e0a844e65c8bf9ede7 , < ec6392061de6681148b63ee6c8744da833498cdd (git)
Affected: 986e43b19ae9176093da35e0a844e65c8bf9ede7 , < e01851f6e9a665a6011b14714b271d3e6b0b8d32 (git)
Affected: 986e43b19ae9176093da35e0a844e65c8bf9ede7 , < 6e3b09402cc6c3e3474fa548e8adf6897dda05de (git)
Affected: 986e43b19ae9176093da35e0a844e65c8bf9ede7 , < 737bb912ebbe4571195c56eba557c4d7315b26fb (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:14.400Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80",
              "status": "affected",
              "version": "79720743421753ff72bfa0d79976c534645b81c1",
              "versionType": "git"
            },
            {
              "lessThan": "ec6392061de6681148b63ee6c8744da833498cdd",
              "status": "affected",
              "version": "986e43b19ae9176093da35e0a844e65c8bf9ede7",
              "versionType": "git"
            },
            {
              "lessThan": "e01851f6e9a665a6011b14714b271d3e6b0b8d32",
              "status": "affected",
              "version": "986e43b19ae9176093da35e0a844e65c8bf9ede7",
              "versionType": "git"
            },
            {
              "lessThan": "6e3b09402cc6c3e3474fa548e8adf6897dda05de",
              "status": "affected",
              "version": "986e43b19ae9176093da35e0a844e65c8bf9ede7",
              "versionType": "git"
            },
            {
              "lessThan": "737bb912ebbe4571195c56eba557c4d7315b26fb",
              "status": "affected",
              "version": "986e43b19ae9176093da35e0a844e65c8bf9ede7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "6.1.107",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: prevent A-MSDU attacks in mesh networks\n\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\nbe considered a variant of CVE-2020-24588 but for mesh networks.\n\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\nby an adversary. This is done by parsing a received A-MSDU as a standard\nMSDU, calculating the length of the Mesh Control header, and seeing if\nthe 6 bytes after this header equal the start of an rfc1042 header. If\nequal, this is a strong indication of an ongoing attack attempt.\n\nThis defense was tested with mac80211_hwsim against a mesh network that\nuses an empty Mesh Address Extension field, i.e., when four addresses\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\nwhen six addresses are used. Functionality of normal MSDUs and A-MSDUs\nwas also tested, and confirmed working, when using both an empty and\n12-byte Mesh Address Extension field.\n\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\nnetworks keep being detected and prevented.\n\nNote that the vulnerability being patched, and the defense being\nimplemented, was also discussed in the following paper and in the\nfollowing IEEE 802.11 presentation:\n\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:45.811Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec6392061de6681148b63ee6c8744da833498cdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01851f6e9a665a6011b14714b271d3e6b0b8d32"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e3b09402cc6c3e3474fa548e8adf6897dda05de"
        },
        {
          "url": "https://git.kernel.org/stable/c/737bb912ebbe4571195c56eba557c4d7315b26fb"
        }
      ],
      "title": "wifi: prevent A-MSDU attacks in mesh networks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38512",
    "datePublished": "2025-08-16T10:54:54.285Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2026-01-02T15:30:45.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40027 (GCVE-0-2025-40027)

Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16

Title

net/9p: fix double req put in p9_fd_cancelled

Summary

In the Linux kernel, the following vulnerability has been resolved: net/9p: fix double req put in p9_fd_cancelled Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 Call Trace: <TASK> p9_client_flush+0x351/0x440 net/9p/client.c:614 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 p9_client_version net/9p/client.c:920 [inline] p9_client_create+0xb51/0x1240 net/9p/client.c:1027 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 legacy_get_tree+0x108/0x220 fs/fs_context.c:632 vfs_get_tree+0x8e/0x300 fs/super.c:1573 do_new_mount fs/namespace.c:3056 [inline] path_mount+0x6a6/0x1e90 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount fs/namespace.c:3584 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 This happens because of a race condition between: - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests. Thread 1 Thread 2 ... p9_client_create() ... p9_fd_create() ... p9_conn_create() ... // start Thread 2 INIT_WORK(&m->rq, p9_read_work); p9_read_work() ... p9_client_rpc() ... ... p9_conn_cancel() ... spin_lock(&m->req_lock); ... p9_fd_cancelled() ... ... spin_unlock(&m->req_lock); // status rewrite p9_client_cb(m->client, req, REQ_STATUS_ERROR) // first remove list_del(&req->req_list); ... spin_lock(&m->req_lock) ... // second remove list_del(&req->req_list); spin_unlock(&m->req_lock) ... Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD. Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. [updated the check from status == RECV || status == ERROR to status != SENT]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a5901a0dfb5964525…
	https://git.kernel.org/stable/c/5c64c0b7b3446f7ed…
	https://git.kernel.org/stable/c/c1db864270eb7fea9…
	https://git.kernel.org/stable/c/0e0097005abc02c9f…
	https://git.kernel.org/stable/c/284e67a93b8c48952…
	https://git.kernel.org/stable/c/716dceb19a9f8ff6c…
	https://git.kernel.org/stable/c/448db01a48e1cdbbc…
	https://git.kernel.org/stable/c/94797b84cb9985022…
	https://git.kernel.org/stable/c/674b56aa57f937985…

Impacted products

Vendor

Product

Version

Linux

Affected: afd8d65411551839b7ab14a539d00075b2793451 , < a5901a0dfb5964525990106706ae8b98db098226 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 5c64c0b7b3446f7ed088a13bc8d7487d66534cbb (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < c1db864270eb7fea94a9ef201da0c9dc1cbab7b8 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 0e0097005abc02c9f262370674f855625f4f3fb4 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 284e67a93b8c48952b6fc82129a8d3eb9dc73b06 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 448db01a48e1cdbbc31c995716a5dac1e52ba036 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 94797b84cb9985022eb9cb3275c9497fbc883bb6 (git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.111 , ≤ 6.6.* (semver)
Unaffected: 6.12.52 , ≤ 6.12.* (semver)
Unaffected: 6.16.12 , ≤ 6.16.* (semver)
Unaffected: 6.17.2 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/9p/trans_fd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5901a0dfb5964525990106706ae8b98db098226",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "5c64c0b7b3446f7ed088a13bc8d7487d66534cbb",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "c1db864270eb7fea94a9ef201da0c9dc1cbab7b8",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "0e0097005abc02c9f262370674f855625f4f3fb4",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "284e67a93b8c48952b6fc82129a8d3eb9dc73b06",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "448db01a48e1cdbbc31c995716a5dac1e52ba036",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "94797b84cb9985022eb9cb3275c9497fbc883bb6",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            },
            {
              "lessThan": "674b56aa57f9379854cb6798c3bbcef7e7b51ab7",
              "status": "affected",
              "version": "afd8d65411551839b7ab14a539d00075b2793451",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/9p/trans_fd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.111",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.52",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.12",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.2",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n      Thread 1                              Thread 2\n    ...\n    p9_client_create()\n    ...\n    p9_fd_create()\n    ...\n    p9_conn_create()\n    ...\n    // start Thread 2\n    INIT_WORK(\u0026m-\u003erq, p9_read_work);\n                                        p9_read_work()\n    ...\n    p9_client_rpc()\n    ...\n                                        ...\n                                        p9_conn_cancel()\n                                        ...\n                                        spin_lock(\u0026m-\u003ereq_lock);\n    ...\n    p9_fd_cancelled()\n    ...\n                                        ...\n                                        spin_unlock(\u0026m-\u003ereq_lock);\n                                        // status rewrite\n                                        p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n                                        // first remove\n                                        list_del(\u0026req-\u003ereq_list);\n                                        ...\n\n    spin_lock(\u0026m-\u003ereq_lock)\n    ...\n    // second remove\n    list_del(\u0026req-\u003ereq_list);\n    spin_unlock(\u0026m-\u003ereq_lock)\n  ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:29.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5901a0dfb5964525990106706ae8b98db098226"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c64c0b7b3446f7ed088a13bc8d7487d66534cbb"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06"
        },
        {
          "url": "https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036"
        },
        {
          "url": "https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7"
        }
      ],
      "title": "net/9p: fix double req put in p9_fd_cancelled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40027",
    "datePublished": "2025-10-28T09:32:34.162Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2025-12-01T06:16:29.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-50095 (GCVE-0-2024-50095)

Vulnerability from cvelistv5 – Published: 2024-11-05 17:04 – Updated: 2026-01-05 10:55

Title

RDMA/mad: Improve handling of timed out WRs of mad agent

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mad: Improve handling of timed out WRs of mad agent Current timeout handler of mad agent acquires/releases mad_agent_priv lock for every timed out WRs. This causes heavy locking contention when higher no. of WRs are to be handled inside timeout handler. This leads to softlockup with below trace in some use cases where rdma-cm path is used to establish connection between peer nodes Trace: ----- BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767] CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019 Workqueue: ib_mad1 timeout_sends [ib_core] RIP: 0010:__do_softirq+0x78/0x2ac RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000 R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __irq_exit_rcu+0xa1/0xc0 ? watchdog_timer_fn+0x1b2/0x210 ? __pfx_watchdog_timer_fn+0x10/0x10 ? __hrtimer_run_queues+0x127/0x2c0 ? hrtimer_interrupt+0xfc/0x210 ? __sysvec_apic_timer_interrupt+0x5c/0x110 ? sysvec_apic_timer_interrupt+0x37/0x90 ? asm_sysvec_apic_timer_interrupt+0x16/0x20 ? __do_softirq+0x78/0x2ac ? __do_softirq+0x60/0x2ac __irq_exit_rcu+0xa1/0xc0 sysvec_call_function_single+0x72/0x90 </IRQ> <TASK> asm_sysvec_call_function_single+0x16/0x20 RIP: 0010:_raw_spin_unlock_irq+0x14/0x30 RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247 RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800 RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538 R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c cm_process_send_error+0x122/0x1d0 [ib_cm] timeout_sends+0x1dd/0x270 [ib_core] process_one_work+0x1e2/0x3b0 ? __pfx_worker_thread+0x10/0x10 worker_thread+0x50/0x3a0 ? __pfx_worker_thread+0x10/0x10 kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK> Simplified timeout handler by creating local list of timed out WRs and invoke send handler post creating the list. The new method acquires/ releases lock once to fetch the list and hence helps to reduce locking contetiong when processing higher no. of WRs

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/713adaf0ecfc49405…
	https://git.kernel.org/stable/c/7022a517bf1ca37ef…
	https://git.kernel.org/stable/c/e80eadb3604a92d2d…
	https://git.kernel.org/stable/c/a195a42dd25ca4f12…
	https://git.kernel.org/stable/c/3e799fa463508abe7…
	https://git.kernel.org/stable/c/2a777679b8ccd09a9…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 713adaf0ecfc49405f6e5d9e409d984f628de818 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7022a517bf1ca37ef5a474365bcc5eafd345a13a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e80eadb3604a92d2d086e956b8b2692b699d4d0a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a195a42dd25ca4f12489687065d00be64939409f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3e799fa463508abe7a738ce5d0f62a8dfd05262a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a777679b8ccd09a9a65ea0716ef10365179caac (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.227 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.57 , ≤ 6.6.* (semver)
Unaffected: 6.11.4 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50095",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:22:52.541400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:27:19.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:25:24.738Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "713adaf0ecfc49405f6e5d9e409d984f628de818",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7022a517bf1ca37ef5a474365bcc5eafd345a13a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e80eadb3604a92d2d086e956b8b2692b699d4d0a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a195a42dd25ca4f12489687065d00be64939409f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3e799fa463508abe7a738ce5d0f62a8dfd05262a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2a777679b8ccd09a9a65ea0716ef10365179caac",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.57",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mad: Improve handling of timed out WRs of mad agent\n\nCurrent timeout handler of mad agent acquires/releases mad_agent_priv\nlock for every timed out WRs. This causes heavy locking contention\nwhen higher no. of WRs are to be handled inside timeout handler.\n\nThis leads to softlockup with below trace in some use cases where\nrdma-cm path is used to establish connection between peer nodes\n\nTrace:\n-----\n BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]\n CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE\n     -------  ---  5.14.0-427.13.1.el9_4.x86_64 #1\n Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019\n Workqueue: ib_mad1 timeout_sends [ib_core]\n RIP: 0010:__do_softirq+0x78/0x2ac\n RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246\n RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f\n RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b\n RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000\n R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040\n FS:  0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  \u003cIRQ\u003e\n  ? show_trace_log_lvl+0x1c4/0x2df\n  ? show_trace_log_lvl+0x1c4/0x2df\n  ? __irq_exit_rcu+0xa1/0xc0\n  ? watchdog_timer_fn+0x1b2/0x210\n  ? __pfx_watchdog_timer_fn+0x10/0x10\n  ? __hrtimer_run_queues+0x127/0x2c0\n  ? hrtimer_interrupt+0xfc/0x210\n  ? __sysvec_apic_timer_interrupt+0x5c/0x110\n  ? sysvec_apic_timer_interrupt+0x37/0x90\n  ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n  ? __do_softirq+0x78/0x2ac\n  ? __do_softirq+0x60/0x2ac\n  __irq_exit_rcu+0xa1/0xc0\n  sysvec_call_function_single+0x72/0x90\n  \u003c/IRQ\u003e\n  \u003cTASK\u003e\n  asm_sysvec_call_function_single+0x16/0x20\n RIP: 0010:_raw_spin_unlock_irq+0x14/0x30\n RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247\n RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800\n RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c\n RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000\n R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538\n R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c\n  cm_process_send_error+0x122/0x1d0 [ib_cm]\n  timeout_sends+0x1dd/0x270 [ib_core]\n  process_one_work+0x1e2/0x3b0\n  ? __pfx_worker_thread+0x10/0x10\n  worker_thread+0x50/0x3a0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xdd/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x50\n  \u003c/TASK\u003e\n\nSimplified timeout handler by creating local list of timed out WRs\nand invoke send handler post creating the list. The new method acquires/\nreleases lock once to fetch the list and hence helps to reduce locking\ncontetiong when processing higher no. of WRs"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:08.198Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818"
        },
        {
          "url": "https://git.kernel.org/stable/c/7022a517bf1ca37ef5a474365bcc5eafd345a13a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e80eadb3604a92d2d086e956b8b2692b699d4d0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a195a42dd25ca4f12489687065d00be64939409f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e799fa463508abe7a738ce5d0f62a8dfd05262a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a777679b8ccd09a9a65ea0716ef10365179caac"
        }
      ],
      "title": "RDMA/mad: Improve handling of timed out WRs of mad agent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50095",
    "datePublished": "2024-11-05T17:04:58.042Z",
    "dateReserved": "2024-10-21T19:36:19.944Z",
    "dateUpdated": "2026-01-05T10:55:08.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38666 (GCVE-0-2025-38666)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:02 – Updated: 2025-11-03 17:40

Title

net: appletalk: Fix use-after-free in AARP proxy probe

Summary

In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b35694ffabb2af308…
	https://git.kernel.org/stable/c/82d19a70ced28b17a…
	https://git.kernel.org/stable/c/186942d19c0222617…
	https://git.kernel.org/stable/c/2a6209e4649d45fd8…
	https://git.kernel.org/stable/c/e4f1564c5b699eb89…
	https://git.kernel.org/stable/c/5f02ea0f63dd38c41…
	https://git.kernel.org/stable/c/f90b6bb203f3f38bf…
	https://git.kernel.org/stable/c/6c4a92d07b0850342…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b35694ffabb2af308a1f725d70f60fd8a47d1f3e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82d19a70ced28b17a38ebf1b6978c6c7db894979 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 186942d19c0222617ef61f50e1dba91e269a5963 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a6209e4649d45fd85d4193abc481911858ffc6f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e4f1564c5b699eb89b3040688fd6b4e57922f1f6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5f02ea0f63dd38c41539ea290fcc1693c73aa8e5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f90b6bb203f3f38bf2b3d976113d51571df9a482 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6c4a92d07b0850342d3becf2e608f805e972467c (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.101 , ≤ 6.6.* (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:53.180Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/appletalk/aarp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b35694ffabb2af308a1f725d70f60fd8a47d1f3e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "82d19a70ced28b17a38ebf1b6978c6c7db894979",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "186942d19c0222617ef61f50e1dba91e269a5963",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2a6209e4649d45fd85d4193abc481911858ffc6f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e4f1564c5b699eb89b3040688fd6b4e57922f1f6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5f02ea0f63dd38c41539ea290fcc1693c73aa8e5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f90b6bb203f3f38bf2b3d976113d51571df9a482",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6c4a92d07b0850342d3becf2e608f805e972467c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/appletalk/aarp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.101",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy probe\n\nThe AARP proxy\u2010probe routine (aarp_proxy_probe_network) sends a probe,\nreleases the aarp_lock, sleeps, then re-acquires the lock.  During that\nwindow an expire timer thread (__aarp_expire_timer) can remove and\nkfree() the same entry, leading to a use-after-free.\n\nrace condition:\n\n         cpu 0                          |            cpu 1\n    atalk_sendmsg()                     |   atif_proxy_probe_device()\n    aarp_send_ddp()                     |   aarp_proxy_probe_network()\n    mod_timer()                         |   lock(aarp_lock) // LOCK!!\n    timeout around 200ms                |   alloc(aarp_entry)\n    and then call                       |   proxies[hash] = aarp_entry\n    aarp_expire_timeout()               |   aarp_send_probe()\n                                        |   unlock(aarp_lock) // UNLOCK!!\n    lock(aarp_lock) // LOCK!!           |   msleep(100);\n    __aarp_expire_timer(\u0026proxies[ct])   |\n    free(aarp_entry)                    |\n    unlock(aarp_lock) // UNLOCK!!       |\n                                        |   lock(aarp_lock) // LOCK!!\n                                        |   UAF aarp_entry !!\n\n==================================================================\nBUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\nRead of size 4 at addr ffff8880123aa360 by task repro/13278\n\nCPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc1/0x630 mm/kasan/report.c:521\n kasan_report+0xca/0x100 mm/kasan/report.c:634\n aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n sock_do_ioctl+0xdc/0x260 net/socket.c:1190\n sock_ioctl+0x239/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nAllocated:\n aarp_alloc net/appletalk/aarp.c:382 [inline]\n aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n\nFreed:\n kfree+0x148/0x4d0 mm/slub.c:4841\n __aarp_expire net/appletalk/aarp.c:90 [inline]\n __aarp_expire_timer net/appletalk/aarp.c:261 [inline]\n aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317\n\nThe buggy address belongs to the object at ffff8880123aa300\n which belongs to the cache kmalloc-192 of size 192\nThe buggy address is located 96 bytes inside of\n freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)\n\nMemory state around the buggy address:\n ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                       ^\n ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=================================================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:44:33.349Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b35694ffabb2af308a1f725d70f60fd8a47d1f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/82d19a70ced28b17a38ebf1b6978c6c7db894979"
        },
        {
          "url": "https://git.kernel.org/stable/c/186942d19c0222617ef61f50e1dba91e269a5963"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a6209e4649d45fd85d4193abc481911858ffc6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4f1564c5b699eb89b3040688fd6b4e57922f1f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f02ea0f63dd38c41539ea290fcc1693c73aa8e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f90b6bb203f3f38bf2b3d976113d51571df9a482"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c4a92d07b0850342d3becf2e608f805e972467c"
        }
      ],
      "title": "net: appletalk: Fix use-after-free in AARP proxy probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38666",
    "datePublished": "2025-08-22T16:02:58.144Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-11-03T17:40:53.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21715 (GCVE-0-2025-21715)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

net: davicom: fix UAF in dm9000_drv_remove

Summary

In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/db79e982c5f9e39ab…
	https://git.kernel.org/stable/c/a53cb72043443ac78…
	https://git.kernel.org/stable/c/7d7d201eb3b766abe…
	https://git.kernel.org/stable/c/c94ab07edc2843e2f…
	https://git.kernel.org/stable/c/c411f9a5fdc9158e8…
	https://git.kernel.org/stable/c/5a54367a7c2378c65…
	https://git.kernel.org/stable/c/2013c95df6752d9c8…
	https://git.kernel.org/stable/c/19e65c45a1507a1a2…

Impacted products

Vendor

Product

Version

Linux

Affected: d28e783c20033b90a64d4e1307bafb56085d8184 , < db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9 (git)
Affected: 4fd0654b8f2129b68203974ddee15f804ec011c2 , < a53cb72043443ac787ec0b5fa17bb3f8ff3d462b (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < 7d7d201eb3b766abe590ac0dda7a508b7db3e357 (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < c94ab07edc2843e2f3d46dbd82e5c681503aaadf (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < 5a54367a7c2378c65aaa4d3cfd952f26adef7aa7 (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < 2013c95df6752d9c88221d0f0f37b6f197969390 (git)
Affected: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b , < 19e65c45a1507a1a2926649d2db3583ed9d55fd9 (git)
Affected: d182994b2b6e23778b146a230efac8f1d77a3445 (git)
Affected: 427b3fc3d5244fef9c1f910a9c699f2690642f83 (git)
Affected: 9c49181c201d434186ca6b1a7b52e29f4169f6f8 (git)
Affected: 9808f032c4d971cbf2b01411a0a2a8ee0040efe3 (git)
Affected: a1f308089257616cdb91b4334c5eaa81ae17e387 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:14.582749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:28.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:09.373Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/davicom/dm9000.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9",
              "status": "affected",
              "version": "d28e783c20033b90a64d4e1307bafb56085d8184",
              "versionType": "git"
            },
            {
              "lessThan": "a53cb72043443ac787ec0b5fa17bb3f8ff3d462b",
              "status": "affected",
              "version": "4fd0654b8f2129b68203974ddee15f804ec011c2",
              "versionType": "git"
            },
            {
              "lessThan": "7d7d201eb3b766abe590ac0dda7a508b7db3e357",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "c94ab07edc2843e2f3d46dbd82e5c681503aaadf",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "5a54367a7c2378c65aaa4d3cfd952f26adef7aa7",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "2013c95df6752d9c88221d0f0f37b6f197969390",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "19e65c45a1507a1a2926649d2db3583ed9d55fd9",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d182994b2b6e23778b146a230efac8f1d77a3445",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "427b3fc3d5244fef9c1f910a9c699f2690642f83",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c49181c201d434186ca6b1a7b52e29f4169f6f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9808f032c4d971cbf2b01411a0a2a8ee0040efe3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a1f308089257616cdb91b4334c5eaa81ae17e387",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/davicom/dm9000.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.106",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.226",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: davicom: fix UAF in dm9000_drv_remove\n\ndm is netdev private data and it cannot be\nused after free_netdev() call. Using dm after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.\n\nThis is similar to the issue fixed in commit\nad297cd2db89 (\"net: qcom/emac: fix UAF in emac_remove\").\n\nThis bug is detected by our static analysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:26.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a53cb72043443ac787ec0b5fa17bb3f8ff3d462b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d7d201eb3b766abe590ac0dda7a508b7db3e357"
        },
        {
          "url": "https://git.kernel.org/stable/c/c94ab07edc2843e2f3d46dbd82e5c681503aaadf"
        },
        {
          "url": "https://git.kernel.org/stable/c/c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a54367a7c2378c65aaa4d3cfd952f26adef7aa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2013c95df6752d9c88221d0f0f37b6f197969390"
        },
        {
          "url": "https://git.kernel.org/stable/c/19e65c45a1507a1a2926649d2db3583ed9d55fd9"
        }
      ],
      "title": "net: davicom: fix UAF in dm9000_drv_remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21715",
    "datePublished": "2025-02-27T02:07:26.174Z",
    "dateReserved": "2024-12-29T08:45:45.752Z",
    "dateUpdated": "2025-11-03T19:36:09.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38573 (GCVE-0-2025-38573)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:54

Title

spi: cs42l43: Property entry should be a null-terminated array

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: cs42l43: Property entry should be a null-terminated array The software node does not specify a count of property entries, so the array must be null-terminated. When unterminated, this can lead to a fault in the downstream cs35l56 amplifier driver, because the node parse walks off the end of the array into unknown memory.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/674328102baad76c7…
	https://git.kernel.org/stable/c/9f0035ae38d2571f5…
	https://git.kernel.org/stable/c/139b5df757a0aa436…
	https://git.kernel.org/stable/c/ffcfd071eec7973e5…

Impacted products

Vendor

Product

Version

Linux

Affected: 0ca645ab5b1528666f6662a0e620140355b5aea3 , < 674328102baad76c7a06628efc01974ece5ae27f (git)
Affected: 0ca645ab5b1528666f6662a0e620140355b5aea3 , < 9f0035ae38d2571f5ddedc829d74492013caa625 (git)
Affected: 0ca645ab5b1528666f6662a0e620140355b5aea3 , < 139b5df757a0aa436f763b0038e0b73808d2f4b6 (git)
Affected: 0ca645ab5b1528666f6662a0e620140355b5aea3 , < ffcfd071eec7973e58c4ffff7da4cb0e9ca7b667 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-cs42l43.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "674328102baad76c7a06628efc01974ece5ae27f",
              "status": "affected",
              "version": "0ca645ab5b1528666f6662a0e620140355b5aea3",
              "versionType": "git"
            },
            {
              "lessThan": "9f0035ae38d2571f5ddedc829d74492013caa625",
              "status": "affected",
              "version": "0ca645ab5b1528666f6662a0e620140355b5aea3",
              "versionType": "git"
            },
            {
              "lessThan": "139b5df757a0aa436f763b0038e0b73808d2f4b6",
              "status": "affected",
              "version": "0ca645ab5b1528666f6662a0e620140355b5aea3",
              "versionType": "git"
            },
            {
              "lessThan": "ffcfd071eec7973e58c4ffff7da4cb0e9ca7b667",
              "status": "affected",
              "version": "0ca645ab5b1528666f6662a0e620140355b5aea3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-cs42l43.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cs42l43: Property entry should be a null-terminated array\n\nThe software node does not specify a count of property entries, so the\narray must be null-terminated.\n\nWhen unterminated, this can lead to a fault in the downstream cs35l56\namplifier driver, because the node parse walks off the end of the\narray into unknown memory."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:04.540Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/674328102baad76c7a06628efc01974ece5ae27f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f0035ae38d2571f5ddedc829d74492013caa625"
        },
        {
          "url": "https://git.kernel.org/stable/c/139b5df757a0aa436f763b0038e0b73808d2f4b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffcfd071eec7973e58c4ffff7da4cb0e9ca7b667"
        }
      ],
      "title": "spi: cs42l43: Property entry should be a null-terminated array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38573",
    "datePublished": "2025-08-19T17:02:53.008Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-09-29T05:54:04.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39734 (GCVE-0-2025-39734)

Vulnerability from cvelistv5 – Published: 2025-09-07 15:16 – Updated: 2025-11-03 17:42

Title

Revert "fs/ntfs3: Replace inode_trylock with inode_lock"

Summary

In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. Initially, conditional lock acquisition was removed to fix an xfstest bug that was observed during internal testing. The deadlock reported by syzbot is resolved by reintroducing conditional acquisition. The xfstest bug no longer occurs on kernel version 6.16-rc1 during internal testing. I assume that changes in other modules may have contributed to this.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bec8109f957a6e193…
	https://git.kernel.org/stable/c/1903a6c1f2818154f…
	https://git.kernel.org/stable/c/a936be9b5f51c4d23…
	https://git.kernel.org/stable/c/b356ee013a79e7e31…
	https://git.kernel.org/stable/c/7ce6f83ca9d52c924…
	https://git.kernel.org/stable/c/bd20733746263acaa…
	https://git.kernel.org/stable/c/a49f0abd8959048af…

Impacted products

Vendor

Product

Version

Linux

Affected: e3e3b3eb54feaf6400800812c8d0f95a7213923d , < bec8109f957a6e193e52d1728799994c8005ca83 (git)
Affected: 7a498fc945080bccc25fdc36f1d663798441158b , < 1903a6c1f2818154f6bc87bceaaecafa92b6ac5c (git)
Affected: 53173e3865acb06f3e86c703696510c12fecc612 , < a936be9b5f51c4d23f66fb673e9068c6b08104a4 (git)
Affected: 69505fe98f198ee813898cbcaf6770949636430b , < b356ee013a79e7e3147bfe065de376706c5d2ee9 (git)
Affected: 69505fe98f198ee813898cbcaf6770949636430b , < 7ce6f83ca9d52c9245b7a017466fc4baa1241b0b (git)
Affected: 69505fe98f198ee813898cbcaf6770949636430b , < bd20733746263acaaf2a21881665db27ee4303d5 (git)
Affected: 69505fe98f198ee813898cbcaf6770949636430b , < a49f0abd8959048af18c6c690b065eb0d65b2d21 (git)
Affected: d5ad80aabd5a76a5de52b7663b1f3223dd01ea38 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:50.659Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bec8109f957a6e193e52d1728799994c8005ca83",
              "status": "affected",
              "version": "e3e3b3eb54feaf6400800812c8d0f95a7213923d",
              "versionType": "git"
            },
            {
              "lessThan": "1903a6c1f2818154f6bc87bceaaecafa92b6ac5c",
              "status": "affected",
              "version": "7a498fc945080bccc25fdc36f1d663798441158b",
              "versionType": "git"
            },
            {
              "lessThan": "a936be9b5f51c4d23f66fb673e9068c6b08104a4",
              "status": "affected",
              "version": "53173e3865acb06f3e86c703696510c12fecc612",
              "versionType": "git"
            },
            {
              "lessThan": "b356ee013a79e7e3147bfe065de376706c5d2ee9",
              "status": "affected",
              "version": "69505fe98f198ee813898cbcaf6770949636430b",
              "versionType": "git"
            },
            {
              "lessThan": "7ce6f83ca9d52c9245b7a017466fc4baa1241b0b",
              "status": "affected",
              "version": "69505fe98f198ee813898cbcaf6770949636430b",
              "versionType": "git"
            },
            {
              "lessThan": "bd20733746263acaaf2a21881665db27ee4303d5",
              "status": "affected",
              "version": "69505fe98f198ee813898cbcaf6770949636430b",
              "versionType": "git"
            },
            {
              "lessThan": "a49f0abd8959048af18c6c690b065eb0d65b2d21",
              "status": "affected",
              "version": "69505fe98f198ee813898cbcaf6770949636430b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d5ad80aabd5a76a5de52b7663b1f3223dd01ea38",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"fs/ntfs3: Replace inode_trylock with inode_lock\"\n\nThis reverts commit 69505fe98f198ee813898cbcaf6770949636430b.\n\nInitially, conditional lock acquisition was removed to fix an xfstest bug\nthat was observed during internal testing. The deadlock reported by syzbot\nis resolved by reintroducing conditional acquisition. The xfstest bug no\nlonger occurs on kernel version 6.16-rc1 during internal testing. I\nassume that changes in other modules may have contributed to this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:20.676Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bec8109f957a6e193e52d1728799994c8005ca83"
        },
        {
          "url": "https://git.kernel.org/stable/c/1903a6c1f2818154f6bc87bceaaecafa92b6ac5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a936be9b5f51c4d23f66fb673e9068c6b08104a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b356ee013a79e7e3147bfe065de376706c5d2ee9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ce6f83ca9d52c9245b7a017466fc4baa1241b0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd20733746263acaaf2a21881665db27ee4303d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a49f0abd8959048af18c6c690b065eb0d65b2d21"
        }
      ],
      "title": "Revert \"fs/ntfs3: Replace inode_trylock with inode_lock\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39734",
    "datePublished": "2025-09-07T15:16:22.015Z",
    "dateReserved": "2025-04-16T07:20:57.119Z",
    "dateUpdated": "2025-11-03T17:42:50.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39808 (GCVE-0-2025-39808)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43

Title

HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned when usb_rcvctrlpipe() use usb_dev,it trigger page fault error for address(0xffffffffffffff58) add null check logic to ntrig_report_version() before calling hid_to_usb_dev()

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/22ddb5eca4af5e69d…
	https://git.kernel.org/stable/c/019c34ca11372de89…
	https://git.kernel.org/stable/c/4338b0f6544c3ff04…
	https://git.kernel.org/stable/c/6070123d5344d0950…
	https://git.kernel.org/stable/c/e422370e6ab284788…
	https://git.kernel.org/stable/c/98520a9a3d69a530d…
	https://git.kernel.org/stable/c/183def8e4d786e501…
	https://git.kernel.org/stable/c/185c926283da67a72…

Impacted products

Vendor

Product

Version

Linux

Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 22ddb5eca4af5e69dffe2b54551d2487424448f1 (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 019c34ca11372de891c06644846eb41fca7c890c (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 4338b0f6544c3ff042bfbaf40bc9afe531fb08c7 (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 6070123d5344d0950f10ef6a5fdc3f076abb7ad2 (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < e422370e6ab28478872b914cee5d49a9bdfae0c6 (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 98520a9a3d69a530dd1ee280cbe0abc232a35bff (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 183def8e4d786e50165e5d992df6a3083e45e16c (git)
Affected: 0277873c05158c5efc97c23d52e6aec6250bde0f , < 185c926283da67a72df20a63a5046b3b4631b7d9 (git)

Linux

Affected: 2.6.37
Unaffected: 0 , < 2.6.37 (semver)
Unaffected: 5.4.298 , ≤ 5.4.* (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.45 , ≤ 6.12.* (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:34.626Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ntrig.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22ddb5eca4af5e69dffe2b54551d2487424448f1",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "019c34ca11372de891c06644846eb41fca7c890c",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "4338b0f6544c3ff042bfbaf40bc9afe531fb08c7",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "6070123d5344d0950f10ef6a5fdc3f076abb7ad2",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "e422370e6ab28478872b914cee5d49a9bdfae0c6",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "98520a9a3d69a530dd1ee280cbe0abc232a35bff",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "183def8e4d786e50165e5d992df6a3083e45e16c",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            },
            {
              "lessThan": "185c926283da67a72df20a63a5046b3b4631b7d9",
              "status": "affected",
              "version": "0277873c05158c5efc97c23d52e6aec6250bde0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ntrig.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.37"
            },
            {
              "lessThan": "2.6.37",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.298",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.45",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nin ntrig_report_version(), hdev parameter passed from hid_probe().\nsending descriptor to /dev/uhid can make hdev-\u003edev.parent-\u003eparent to null\nif hdev-\u003edev.parent-\u003eparent is null, usb_dev has\ninvalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned\nwhen usb_rcvctrlpipe() use usb_dev,it trigger\npage fault error for address(0xffffffffffffff58)\n\nadd null check logic to ntrig_report_version()\nbefore calling hid_to_usb_dev()"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T10:50:46.005Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22ddb5eca4af5e69dffe2b54551d2487424448f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/019c34ca11372de891c06644846eb41fca7c890c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4338b0f6544c3ff042bfbaf40bc9afe531fb08c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6070123d5344d0950f10ef6a5fdc3f076abb7ad2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e422370e6ab28478872b914cee5d49a9bdfae0c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/98520a9a3d69a530dd1ee280cbe0abc232a35bff"
        },
        {
          "url": "https://git.kernel.org/stable/c/183def8e4d786e50165e5d992df6a3083e45e16c"
        },
        {
          "url": "https://git.kernel.org/stable/c/185c926283da67a72df20a63a5046b3b4631b7d9"
        }
      ],
      "title": "HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39808",
    "datePublished": "2025-09-16T13:00:11.242Z",
    "dateReserved": "2025-04-16T07:20:57.137Z",
    "dateUpdated": "2025-11-03T17:43:34.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53074 (GCVE-0-2023-53074)

Vulnerability from cvelistv5 – Published: 2025-05-02 15:55 – Updated: 2025-09-16 08:02

Title

drm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini The call trace occurs when the amdgpu is removed after the mode1 reset. During mode1 reset, from suspend to resume, there is no need to reinitialize the ta firmware buffer which caused the bo pin_count increase redundantly. [ 489.885525] Call Trace: [ 489.885525] <TASK> [ 489.885526] amdttm_bo_put+0x34/0x50 [amdttm] [ 489.885529] amdgpu_bo_free_kernel+0xe8/0x130 [amdgpu] [ 489.885620] psp_free_shared_bufs+0xb7/0x150 [amdgpu] [ 489.885720] psp_hw_fini+0xce/0x170 [amdgpu] [ 489.885815] amdgpu_device_fini_hw+0x2ff/0x413 [amdgpu] [ 489.885960] ? blocking_notifier_chain_unregister+0x56/0xb0 [ 489.885962] amdgpu_driver_unload_kms+0x51/0x60 [amdgpu] [ 489.886049] amdgpu_pci_remove+0x5a/0x140 [amdgpu] [ 489.886132] ? __pm_runtime_resume+0x60/0x90 [ 489.886134] pci_device_remove+0x3e/0xb0 [ 489.886135] __device_release_driver+0x1ab/0x2a0 [ 489.886137] driver_detach+0xf3/0x140 [ 489.886138] bus_remove_driver+0x6c/0xf0 [ 489.886140] driver_unregister+0x31/0x60 [ 489.886141] pci_unregister_driver+0x40/0x90 [ 489.886142] amdgpu_exit+0x15/0x451 [amdgpu]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7be9a2f8c5179520a…
	https://git.kernel.org/stable/c/55a7c647ebf6e376c…
	https://git.kernel.org/stable/c/23f4a2d29ba57bf88…

Impacted products

Vendor

Product

Version

Linux

Affected: 0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a , < 7be9a2f8c5179520a7d5570e648e0c97d09e4fae (git)
Affected: 0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a , < 55a7c647ebf6e376c45d8322568dd6eb71937139 (git)
Affected: 0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a , < 23f4a2d29ba57bf88095f817de5809d427fcbe7e (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 6.1.21 , ≤ 6.1.* (semver)
Unaffected: 6.2.8 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7be9a2f8c5179520a7d5570e648e0c97d09e4fae",
              "status": "affected",
              "version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
              "versionType": "git"
            },
            {
              "lessThan": "55a7c647ebf6e376c45d8322568dd6eb71937139",
              "status": "affected",
              "version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
              "versionType": "git"
            },
            {
              "lessThan": "23f4a2d29ba57bf88095f817de5809d427fcbe7e",
              "status": "affected",
              "version": "0e5ca0d1ac07ef8b3a52d3b0404482207cb4da5a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.21",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.8",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini\n\nThe call trace occurs when the amdgpu is removed after\nthe mode1 reset. During mode1 reset, from suspend to resume,\nthere is no need to reinitialize the ta firmware buffer\nwhich caused the bo pin_count increase redundantly.\n\n[  489.885525] Call Trace:\n[  489.885525]  \u003cTASK\u003e\n[  489.885526]  amdttm_bo_put+0x34/0x50 [amdttm]\n[  489.885529]  amdgpu_bo_free_kernel+0xe8/0x130 [amdgpu]\n[  489.885620]  psp_free_shared_bufs+0xb7/0x150 [amdgpu]\n[  489.885720]  psp_hw_fini+0xce/0x170 [amdgpu]\n[  489.885815]  amdgpu_device_fini_hw+0x2ff/0x413 [amdgpu]\n[  489.885960]  ? blocking_notifier_chain_unregister+0x56/0xb0\n[  489.885962]  amdgpu_driver_unload_kms+0x51/0x60 [amdgpu]\n[  489.886049]  amdgpu_pci_remove+0x5a/0x140 [amdgpu]\n[  489.886132]  ? __pm_runtime_resume+0x60/0x90\n[  489.886134]  pci_device_remove+0x3e/0xb0\n[  489.886135]  __device_release_driver+0x1ab/0x2a0\n[  489.886137]  driver_detach+0xf3/0x140\n[  489.886138]  bus_remove_driver+0x6c/0xf0\n[  489.886140]  driver_unregister+0x31/0x60\n[  489.886141]  pci_unregister_driver+0x40/0x90\n[  489.886142]  amdgpu_exit+0x15/0x451 [amdgpu]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:02:16.529Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7be9a2f8c5179520a7d5570e648e0c97d09e4fae"
        },
        {
          "url": "https://git.kernel.org/stable/c/55a7c647ebf6e376c45d8322568dd6eb71937139"
        },
        {
          "url": "https://git.kernel.org/stable/c/23f4a2d29ba57bf88095f817de5809d427fcbe7e"
        }
      ],
      "title": "drm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53074",
    "datePublished": "2025-05-02T15:55:25.302Z",
    "dateReserved": "2025-05-02T15:51:43.549Z",
    "dateUpdated": "2025-09-16T08:02:16.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38470 (GCVE-0-2025-38470)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime

Summary

In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is running: # ip link add bond1 up type bond mode 0 # ethtool -K bond1 rx-vlan-filter off # ip link del dev bond1 When the device is put administratively down the "rx-vlan-filter" feature is disabled, so the 8021q module will not remove VLAN 0 and the memory will be leaked [1]. Another problem that can happen is that the kernel can automatically delete VLAN 0 when the device is put administratively down despite not adding it when the device was put administratively up since during that time the "rx-vlan-filter" feature was disabled. null-ptr-unref or bug_on[2] will be triggered by unregister_vlan_dev() for refcount imbalance if toggling filtering during runtime: $ ip link add bond0 type bond mode 0 $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q $ ethtool -K bond0 rx-vlan-filter off $ ifconfig bond0 up $ ethtool -K bond0 rx-vlan-filter on $ ifconfig bond0 down $ ip link del vlan0 Root cause is as below: step1: add vlan0 for real_dev, such as bond, team. register_vlan_dev vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 step2: disable vlan filter feature and enable real_dev step3: change filter from 0 to 1 vlan_device_event vlan_filter_push_vids ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 step4: real_dev down vlan_device_event vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0 vlan_info_rcu_free //free vlan0 step5: delete vlan0 unregister_vlan_dev BUG_ON(!vlan_info); //vlan_info is null Fix both problems by noting in the VLAN info whether VLAN 0 was automatically added upon NETDEV_UP and based on that decide whether it should be deleted upon NETDEV_DOWN, regardless of the state of the "rx-vlan-filter" feature. [1] unreferenced object 0xffff8880068e3100 (size 256): comm "ip", pid 384, jiffies 4296130254 hex dump (first 32 bytes): 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 81ce31fa): __kmalloc_cache_noprof+0x2b5/0x340 vlan_vid_add+0x434/0x940 vlan_device_event.cold+0x75/0xa8 notifier_call_chain+0xca/0x150 __dev_notify_flags+0xe3/0x250 rtnl_configure_link+0x193/0x260 rtnl_newlink_create+0x383/0x8e0 __rtnl_newlink+0x22c/0xa40 rtnl_newlink+0x627/0xb00 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x11f/0x350 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 [2] kernel BUG at net/8021q/vlan.c:99! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1)) RSP: 0018:ffff88810badf310 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 Call Trace: <TASK ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ba48d3993af23753e…
	https://git.kernel.org/stable/c/35142b3816832889e…
	https://git.kernel.org/stable/c/047b61a24d7c866c5…
	https://git.kernel.org/stable/c/d43ef15bf4856c8c4…
	https://git.kernel.org/stable/c/bb515c41306454937…
	https://git.kernel.org/stable/c/8984bcbd1edf5bee5…
	https://git.kernel.org/stable/c/93715aa2d80e6c5ce…
	https://git.kernel.org/stable/c/579d4f9ca9a9a6051…

Impacted products

Vendor

Product

Version

Linux

Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < ba48d3993af23753e1f1f01c8d592de9c7785f24 (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < 35142b3816832889e50164d993018ea5810955ae (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < 047b61a24d7c866c502aeeea482892969a68f216 (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < d43ef15bf4856c8c4c6c3572922331a5f06deb77 (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < bb515c41306454937464da055609b5fb0a27821b (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < 8984bcbd1edf5bee5be06ad771d157333b790c33 (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < 93715aa2d80e6c5cea1bb486321fc4585076928b (git)
Affected: ad1afb00393915a51c21b1ae8704562bf036855f , < 579d4f9ca9a9a605184a9b162355f6ba131f678d (git)

Linux

Affected: 2.6.36
Unaffected: 0 , < 2.6.36 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:35.299Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/8021q/vlan.c",
            "net/8021q/vlan.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba48d3993af23753e1f1f01c8d592de9c7785f24",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "35142b3816832889e50164d993018ea5810955ae",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "047b61a24d7c866c502aeeea482892969a68f216",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "d43ef15bf4856c8c4c6c3572922331a5f06deb77",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "bb515c41306454937464da055609b5fb0a27821b",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "8984bcbd1edf5bee5be06ad771d157333b790c33",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "93715aa2d80e6c5cea1bb486321fc4585076928b",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            },
            {
              "lessThan": "579d4f9ca9a9a605184a9b162355f6ba131f678d",
              "status": "affected",
              "version": "ad1afb00393915a51c21b1ae8704562bf036855f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/8021q/vlan.c",
            "net/8021q/vlan.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the \"rx-vlan-filter\" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the \"rx-vlan-filter\"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the \"rx-vlan-filter\"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the \"rx-vlan-filter\" feature was disabled. null-ptr-unref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n    vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n    vlan_filter_push_vids\n        ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n    vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n        vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n    BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n\"rx-vlan-filter\" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 256):\n  comm \"ip\", pid 384, jiffies 4296130254\n  hex dump (first 32 bytes):\n    00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00  . 0.............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 81ce31fa):\n    __kmalloc_cache_noprof+0x2b5/0x340\n    vlan_vid_add+0x434/0x940\n    vlan_device_event.cold+0x75/0xa8\n    notifier_call_chain+0xca/0x150\n    __dev_notify_flags+0xe3/0x250\n    rtnl_configure_link+0x193/0x260\n    rtnl_newlink_create+0x383/0x8e0\n    __rtnl_newlink+0x22c/0xa40\n    rtnl_newlink+0x627/0xb00\n    rtnetlink_rcv_msg+0x6fb/0xb70\n    netlink_rcv_skb+0x11f/0x350\n    netlink_unicast+0x426/0x710\n    netlink_sendmsg+0x75a/0xc20\n    __sock_sendmsg+0xc1/0x150\n    ____sys_sendmsg+0x5aa/0x7b0\n    ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS:  00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:09.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba48d3993af23753e1f1f01c8d592de9c7785f24"
        },
        {
          "url": "https://git.kernel.org/stable/c/35142b3816832889e50164d993018ea5810955ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/047b61a24d7c866c502aeeea482892969a68f216"
        },
        {
          "url": "https://git.kernel.org/stable/c/d43ef15bf4856c8c4c6c3572922331a5f06deb77"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb515c41306454937464da055609b5fb0a27821b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8984bcbd1edf5bee5be06ad771d157333b790c33"
        },
        {
          "url": "https://git.kernel.org/stable/c/93715aa2d80e6c5cea1bb486321fc4585076928b"
        },
        {
          "url": "https://git.kernel.org/stable/c/579d4f9ca9a9a605184a9b162355f6ba131f678d"
        }
      ],
      "title": "net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38470",
    "datePublished": "2025-07-28T11:21:32.002Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:35.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38615 (GCVE-0-2025-38615)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

fs/ntfs3: cancle set bad inode after removing name fails

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: cancle set bad inode after removing name fails The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link. When renaming, the file0's inode is marked as a bad inode because the file name cannot be deleted. The underlying bug is that make_bad_inode() is called on a live inode. In some cases it's "icache lookup finds a normal inode, d_splice_alias() is called to attach it to dentry, while another thread decides to call make_bad_inode() on it - that would evict it from icache, but we'd already found it there earlier". In some it's outright "we have an inode attached to dentry - that's how we got it in the first place; let's call make_bad_inode() on it just for shits and giggles".

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b35a50d639ca52594…
	https://git.kernel.org/stable/c/3ed2cc6a6e93fbeb8…
	https://git.kernel.org/stable/c/358d4f821c03add42…
	https://git.kernel.org/stable/c/a285395020780adac…
	https://git.kernel.org/stable/c/d99208b91933fd2a5…

Impacted products

Vendor

Product

Version

Linux

Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < b35a50d639ca5259466ef5fea85529bb4fb17d5b (git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 3ed2cc6a6e93fbeb8c0cafce1e7fb1f64a331dcc (git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < 358d4f821c03add421a4c49290538a705852ccf1 (git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < a285395020780adac1ffbc844069c3d700bf007a (git)
Affected: 78ab59fee07f22464f32eafebab2bd97ba94ff2d , < d99208b91933fd2a58ed9ed321af07dacd06ddc3 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/frecord.c",
            "fs/ntfs3/namei.c",
            "fs/ntfs3/ntfs_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b35a50d639ca5259466ef5fea85529bb4fb17d5b",
              "status": "affected",
              "version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
              "versionType": "git"
            },
            {
              "lessThan": "3ed2cc6a6e93fbeb8c0cafce1e7fb1f64a331dcc",
              "status": "affected",
              "version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
              "versionType": "git"
            },
            {
              "lessThan": "358d4f821c03add421a4c49290538a705852ccf1",
              "status": "affected",
              "version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
              "versionType": "git"
            },
            {
              "lessThan": "a285395020780adac1ffbc844069c3d700bf007a",
              "status": "affected",
              "version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
              "versionType": "git"
            },
            {
              "lessThan": "d99208b91933fd2a58ed9ed321af07dacd06ddc3",
              "status": "affected",
              "version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/frecord.c",
            "fs/ntfs3/namei.c",
            "fs/ntfs3/ntfs_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: cancle set bad inode after removing name fails\n\nThe reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.\nWhen renaming, the file0\u0027s inode is marked as a bad inode because the file\nname cannot be deleted.\n\nThe underlying bug is that make_bad_inode() is called on a live inode.\nIn some cases it\u0027s \"icache lookup finds a normal inode, d_splice_alias()\nis called to attach it to dentry, while another thread decides to call\nmake_bad_inode() on it - that would evict it from icache, but we\u0027d already\nfound it there earlier\".\nIn some it\u0027s outright \"we have an inode attached to dentry - that\u0027s how we\ngot it in the first place; let\u0027s call make_bad_inode() on it just for shits\nand giggles\"."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:50.014Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b35a50d639ca5259466ef5fea85529bb4fb17d5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ed2cc6a6e93fbeb8c0cafce1e7fb1f64a331dcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/358d4f821c03add421a4c49290538a705852ccf1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a285395020780adac1ffbc844069c3d700bf007a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d99208b91933fd2a58ed9ed321af07dacd06ddc3"
        }
      ],
      "title": "fs/ntfs3: cancle set bad inode after removing name fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38615",
    "datePublished": "2025-08-19T17:03:57.164Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:54:50.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38724 (GCVE-0-2025-38724)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41

Title

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3f252a73e81aa0166…
	https://git.kernel.org/stable/c/d35ac850410966010…
	https://git.kernel.org/stable/c/f3aac6cf390d8b80e…
	https://git.kernel.org/stable/c/22f45cedf281e6171…
	https://git.kernel.org/stable/c/d71abd1ae4e041370…
	https://git.kernel.org/stable/c/74ad36ed60df561a3…
	https://git.kernel.org/stable/c/36e83eda90e0e4ac5…
	https://git.kernel.org/stable/c/571a5e46c71490285…
	https://git.kernel.org/stable/c/908e4ead7f757504d…

Impacted products

Vendor

Product

Version

Linux

Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 3f252a73e81aa01660cb426735eab932e6182e8d (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d35ac850410966010e92f401f4e21868a9ea4d8b (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < f3aac6cf390d8b80e1d82975faf4ac61175519c0 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 22f45cedf281e6171817c8a3432c44d788c550e1 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < d71abd1ae4e0413707cd42b10c24a11d1aa71772 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 74ad36ed60df561a303a19ecef400c7096b20306 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 36e83eda90e0e4ac52f259f775b40b2841f8a0a3 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 (git)
Affected: d20c11d86d8f821a64eac7d6c8f296f06d935f4f , < 908e4ead7f757504d8b345452730636e298cbf68 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:53.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f252a73e81aa01660cb426735eab932e6182e8d",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "d35ac850410966010e92f401f4e21868a9ea4d8b",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "f3aac6cf390d8b80e1d82975faf4ac61175519c0",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "22f45cedf281e6171817c8a3432c44d788c550e1",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "d71abd1ae4e0413707cd42b10c24a11d1aa71772",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "74ad36ed60df561a303a19ecef400c7096b20306",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "36e83eda90e0e4ac52f259f775b40b2841f8a0a3",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            },
            {
              "lessThan": "908e4ead7f757504d8b345452730636e298cbf68",
              "status": "affected",
              "version": "d20c11d86d8f821a64eac7d6c8f296f06d935f4f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:56:49.927Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772"
        },
        {
          "url": "https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306"
        },
        {
          "url": "https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68"
        }
      ],
      "title": "nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38724",
    "datePublished": "2025-09-04T15:33:22.370Z",
    "dateReserved": "2025-04-16T04:51:24.033Z",
    "dateUpdated": "2025-11-03T17:41:53.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38562 (GCVE-0-2025-38562)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39

Title

ksmbd: fix null pointer dereference error in generate_encryptionkey

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If client send two session setups with krb5 authenticate to ksmbd, null pointer dereference error in generate_encryptionkey could happen. sess->Preauth_HashValue is set to NULL if session is valid. So this patch skip generate encryption key if session is valid.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/96a82e19434a25225…
	https://git.kernel.org/stable/c/d79c8bebaa622ee22…
	https://git.kernel.org/stable/c/2a30ed6428ce83afe…
	https://git.kernel.org/stable/c/015ef163d65496ae3…
	https://git.kernel.org/stable/c/9c2dbbc959e1fcc6f…
	https://git.kernel.org/stable/c/9b493ab6f35178afd…
	https://www.zerodayinitiative.com/advisories/ZDI-…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 96a82e19434a2522525baab59c33332658bc7653 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d79c8bebaa622ee223128be7c66d8aaeeb634a57 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2a30ed6428ce83afedca1a6c5c5c4247bcf12d0e (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 015ef163d65496ae3ba6192c96140a22743f0353 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 9c2dbbc959e1fcc6f603a1a843e9cf743ba383bb (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 9b493ab6f35178afd8d619800df9071992f715de (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:51.533Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "96a82e19434a2522525baab59c33332658bc7653",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "d79c8bebaa622ee223128be7c66d8aaeeb634a57",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "2a30ed6428ce83afedca1a6c5c5c4247bcf12d0e",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "015ef163d65496ae3ba6192c96140a22743f0353",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "9c2dbbc959e1fcc6f603a1a843e9cf743ba383bb",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "9b493ab6f35178afd8d619800df9071992f715de",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference error in generate_encryptionkey\n\nIf client send two session setups with krb5 authenticate to ksmbd,\nnull pointer dereference error in generate_encryptionkey could happen.\nsess-\u003ePreauth_HashValue is set to NULL if session is valid.\nSo this patch skip generate encryption key if session is valid."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T15:32:40.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/96a82e19434a2522525baab59c33332658bc7653"
        },
        {
          "url": "https://git.kernel.org/stable/c/d79c8bebaa622ee223128be7c66d8aaeeb634a57"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a30ed6428ce83afedca1a6c5c5c4247bcf12d0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/015ef163d65496ae3ba6192c96140a22743f0353"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c2dbbc959e1fcc6f603a1a843e9cf743ba383bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b493ab6f35178afd8d619800df9071992f715de"
        },
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-917/"
        }
      ],
      "title": "ksmbd: fix null pointer dereference error in generate_encryptionkey",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38562",
    "datePublished": "2025-08-19T17:02:39.450Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-11-03T17:39:51.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38443 (GCVE-0-2025-38443)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

nbd: fix uaf in nbd_genl_connect() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb121c47f364b5177…
	https://git.kernel.org/stable/c/91fa560c73a812686…
	https://git.kernel.org/stable/c/d46186eb7bbd9a11c…
	https://git.kernel.org/stable/c/8586552df591e0a36…
	https://git.kernel.org/stable/c/002aca89753f666d8…
	https://git.kernel.org/stable/c/aa9552438ebf015fc…

Impacted products

Vendor

Product

Version

Linux

Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < cb121c47f364b51776c4db904a6a5a90ab0a7ec5 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 91fa560c73a8126868848ed6cd70607cbf8d87e2 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < d46186eb7bbd9a11c145120f2d77effa8d4d44c2 (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 8586552df591e0a367eff44af0c586213eeecc3f (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < 002aca89753f666d878ca0eb8584c372684ac4ba (git)
Affected: 6497ef8df568afbf5f3e38825a4590ff41611a54 , < aa9552438ebf015fc5f9f890dbfe39f0c53cf37e (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:04.726Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb121c47f364b51776c4db904a6a5a90ab0a7ec5",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "91fa560c73a8126868848ed6cd70607cbf8d87e2",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "d46186eb7bbd9a11c145120f2d77effa8d4d44c2",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "8586552df591e0a367eff44af0c586213eeecc3f",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "002aca89753f666d878ca0eb8584c372684ac4ba",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            },
            {
              "lessThan": "aa9552438ebf015fc5f9f890dbfe39f0c53cf37e",
              "status": "affected",
              "version": "6497ef8df568afbf5f3e38825a4590ff41611a54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nThere is a use-after-free issue in nbd:\n\nblock nbd6: Receive control failed (result -104)\nblock nbd6: shutting down sockets\n==================================================================\nBUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022\nWrite of size 4 at addr ffff8880295de478 by task kworker/u33:0/67\n\nCPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: nbd6-recv recv_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]\n recv_work+0x694/0xa80 drivers/block/nbd.c:1022\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nnbd_genl_connect() does not properly stop the device on certain\nerror paths after nbd_start_device() has been called. This causes\nthe error path to put nbd-\u003econfig while recv_work continue to use\nthe config after putting it, leading to use-after-free in recv_work.\n\nThis patch moves nbd_start_device() after the backend file creation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:25.589Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb121c47f364b51776c4db904a6a5a90ab0a7ec5"
        },
        {
          "url": "https://git.kernel.org/stable/c/91fa560c73a8126868848ed6cd70607cbf8d87e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d46186eb7bbd9a11c145120f2d77effa8d4d44c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8586552df591e0a367eff44af0c586213eeecc3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/002aca89753f666d878ca0eb8584c372684ac4ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9552438ebf015fc5f9f890dbfe39f0c53cf37e"
        }
      ],
      "title": "nbd: fix uaf in nbd_genl_connect() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38443",
    "datePublished": "2025-07-25T15:27:26.671Z",
    "dateReserved": "2025-04-16T04:51:24.017Z",
    "dateUpdated": "2025-11-03T17:38:04.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49026 (GCVE-0-2022-49026)

Vulnerability from cvelistv5 – Published: 2024-10-21 20:06 – Updated: 2025-05-04 08:28

Title

e100: Fix possible use after free in e100_xmit_prepare

Summary

In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b775f37d943966f6f…
	https://git.kernel.org/stable/c/9fc27d22cdb9b1fcd…
	https://git.kernel.org/stable/c/b46f6144ab89d3d75…
	https://git.kernel.org/stable/c/45605c75c52c7ae7b…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e5d49422dfb035ca9e280cd61d434095c151272 , < b775f37d943966f6f77dca402f5a9dedce502c25 (git)
Affected: 5e5d49422dfb035ca9e280cd61d434095c151272 , < 9fc27d22cdb9b1fcd754599d216a8992fed280cd (git)
Affected: 5e5d49422dfb035ca9e280cd61d434095c151272 , < b46f6144ab89d3d757ead940759c505091626a7d (git)
Affected: 5e5d49422dfb035ca9e280cd61d434095c151272 , < 45605c75c52c7ae7bfe902214343aabcfe5ba0ff (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.10.158 , ≤ 5.10.* (semver)
Unaffected: 5.15.82 , ≤ 5.15.* (semver)
Unaffected: 6.0.12 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-49026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:11:54.975076Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:18:36.450Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/e100.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b775f37d943966f6f77dca402f5a9dedce502c25",
              "status": "affected",
              "version": "5e5d49422dfb035ca9e280cd61d434095c151272",
              "versionType": "git"
            },
            {
              "lessThan": "9fc27d22cdb9b1fcd754599d216a8992fed280cd",
              "status": "affected",
              "version": "5e5d49422dfb035ca9e280cd61d434095c151272",
              "versionType": "git"
            },
            {
              "lessThan": "b46f6144ab89d3d757ead940759c505091626a7d",
              "status": "affected",
              "version": "5e5d49422dfb035ca9e280cd61d434095c151272",
              "versionType": "git"
            },
            {
              "lessThan": "45605c75c52c7ae7bfe902214343aabcfe5ba0ff",
              "status": "affected",
              "version": "5e5d49422dfb035ca9e280cd61d434095c151272",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/e100.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.82",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.158",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.82",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.12",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne100: Fix possible use after free in e100_xmit_prepare\n\nIn e100_xmit_prepare(), if we can\u0027t map the skb, then return -ENOMEM, so\ne100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will\nresend the skb. But the skb is already freed, which will cause UAF bug\nwhen the upper layer resends the skb.\n\nRemove the harmful free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:28:20.354Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b775f37d943966f6f77dca402f5a9dedce502c25"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fc27d22cdb9b1fcd754599d216a8992fed280cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/b46f6144ab89d3d757ead940759c505091626a7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/45605c75c52c7ae7bfe902214343aabcfe5ba0ff"
        }
      ],
      "title": "e100: Fix possible use after free in e100_xmit_prepare",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49026",
    "datePublished": "2024-10-21T20:06:31.876Z",
    "dateReserved": "2024-08-22T01:27:53.651Z",
    "dateUpdated": "2025-05-04T08:28:20.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38530 (GCVE-0-2025-38530)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-11-03 17:39

Title

comedi: pcl812: Fix bit shift out of bounds

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/374d9b3eb4b084079…
	https://git.kernel.org/stable/c/0489c30d080f07cc7…
	https://git.kernel.org/stable/c/29ef03e5b84431171…
	https://git.kernel.org/stable/c/5bfa301e1e59a9b1a…
	https://git.kernel.org/stable/c/7e470d8efd10725b1…
	https://git.kernel.org/stable/c/a27e27eee313fe1c4…
	https://git.kernel.org/stable/c/16c173abee315953f…
	https://git.kernel.org/stable/c/b14b076ce593f7258…

Impacted products

Vendor

Product

Version

Linux

Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 374d9b3eb4b08407997ef1fce96119d31e0c0bc4 (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 0489c30d080f07cc7f09d04de723d8c2ccdb61ef (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 29ef03e5b84431171d6b77b822985b54bc44b793 (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 5bfa301e1e59a9b1a7b62a800b54852337c97416 (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 7e470d8efd10725b189ca8951973a8425932398a (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < a27e27eee313fe1c450b6af1e80e64412546cab4 (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < 16c173abee315953fd17a279352fec4a1faee862 (git)
Affected: fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 , < b14b076ce593f72585412fc7fd3747e03a5e3632 (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:28.671Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl812.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "374d9b3eb4b08407997ef1fce96119d31e0c0bc4",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "0489c30d080f07cc7f09d04de723d8c2ccdb61ef",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "29ef03e5b84431171d6b77b822985b54bc44b793",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "5bfa301e1e59a9b1a7b62a800b54852337c97416",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "7e470d8efd10725b189ca8951973a8425932398a",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "a27e27eee313fe1c450b6af1e80e64412546cab4",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "16c173abee315953fd17a279352fec4a1faee862",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            },
            {
              "lessThan": "b14b076ce593f72585412fc7fd3747e03a5e3632",
              "status": "affected",
              "version": "fcdb427bc7cf5e9e5d7280cf09c08dec49b49432",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl812.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl812: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 board-\u003eirq_bits) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test.  Valid `it-\u003eoptions[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:37.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/374d9b3eb4b08407997ef1fce96119d31e0c0bc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0489c30d080f07cc7f09d04de723d8c2ccdb61ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/29ef03e5b84431171d6b77b822985b54bc44b793"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bfa301e1e59a9b1a7b62a800b54852337c97416"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e470d8efd10725b189ca8951973a8425932398a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a27e27eee313fe1c450b6af1e80e64412546cab4"
        },
        {
          "url": "https://git.kernel.org/stable/c/16c173abee315953fd17a279352fec4a1faee862"
        },
        {
          "url": "https://git.kernel.org/stable/c/b14b076ce593f72585412fc7fd3747e03a5e3632"
        }
      ],
      "title": "comedi: pcl812: Fix bit shift out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38530",
    "datePublished": "2025-08-16T11:12:23.368Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-11-03T17:39:28.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36331 (GCVE-0-2024-36331)

Vulnerability from cvelistv5 – Published: 2025-09-06 17:29 – Updated: 2025-11-03 17:31

Summary

Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity.

Severity ?

3.2 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-665 - Improper Initialization

Assigner

AMD

References

URL

Tags

	https://www.amd.com/en/resources/product-security…
	https://www.amd.com/en/resources/product-security…

Impacted products

Vendor

Product

Version

AMD

AMD EPYC™ 9004 Series Processors

Unaffected: GenoaPI_1.0.0.F

	AMD	EPYC™ Embedded 9004 Series Processors	Unaffected: EmbGenoaPI-1.0.0.A
	AMD	AMD EPYC™ Embedded 9004 Series Processors	Unaffected: EmbGenoaPI-1.0.0.A

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36331",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T14:50:05.457904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T14:50:13.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:10.979Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "GenoaPI_1.0.0.F"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "EPYC\u2122 Embedded 9004  Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbGenoaPI-1.0.0.A"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 9004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbGenoaPI-1.0.0.A"
            }
          ]
        }
      ],
      "datePublic": "2025-09-06T17:09:00.562Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity.\u003cbr\u003e"
            }
          ],
          "value": "Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-665",
              "description": "CWE-665  Improper Initialization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-06T17:29:38.215Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html"
        },
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3014.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "AMD PSIRT Automation 1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-36331",
    "datePublished": "2025-09-06T17:29:38.215Z",
    "dateReserved": "2024-05-23T19:44:44.387Z",
    "dateUpdated": "2025-11-03T17:31:10.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40109 (GCVE-0-2025-40109)

Vulnerability from cvelistv5 – Published: 2025-11-09 04:35 – Updated: 2025-12-01 06:18

Title

crypto: rng - Ensure set_ent is always present

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15d6f42da1bb52762…
	https://git.kernel.org/stable/c/bd903c25b652c3318…
	https://git.kernel.org/stable/c/17acbcd44fe8dc17d…
	https://git.kernel.org/stable/c/ab172f4f42626549b…
	https://git.kernel.org/stable/c/c5c703b50e91dd474…
	https://git.kernel.org/stable/c/e247a7d138e514a40…
	https://git.kernel.org/stable/c/915cb75983bc5e8b8…
	https://git.kernel.org/stable/c/c0d36727bf39bb16e…

Impacted products

Vendor

Product

Version

Linux

Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 15d6f42da1bb527629d8e1067b1302d58dec9166 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < bd903c25b652c331831226cdf56c8179d18e43f4 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 17acbcd44fe8dc17dc1072375e76df2d52da6ac8 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < ab172f4f42626549b02bada05f09e3f2b0cc26ec (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c5c703b50e91dd4748769f4c5ab50d9ad60be370 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < e247a7d138e514a40edda7c4d72c8bd49bb2cad3 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < 915cb75983bc5e8b80f8a2f25a4af463f7b18c14 (git)
Affected: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 , < c0d36727bf39bb16ef0a67ed608e279535ebf0da (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.111 , ≤ 6.6.* (semver)
Unaffected: 6.12.52 , ≤ 6.12.* (semver)
Unaffected: 6.16.12 , ≤ 6.16.* (semver)
Unaffected: 6.17.2 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/rng.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15d6f42da1bb527629d8e1067b1302d58dec9166",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "bd903c25b652c331831226cdf56c8179d18e43f4",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "17acbcd44fe8dc17dc1072375e76df2d52da6ac8",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "ab172f4f42626549b02bada05f09e3f2b0cc26ec",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "c5c703b50e91dd4748769f4c5ab50d9ad60be370",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "e247a7d138e514a40edda7c4d72c8bd49bb2cad3",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "915cb75983bc5e8b80f8a2f25a4af463f7b18c14",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            },
            {
              "lessThan": "c0d36727bf39bb16ef0a67ed608e279535ebf0da",
              "status": "affected",
              "version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/rng.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.111",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.52",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.12",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.2",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rng - Ensure set_ent is always present\n\nEnsure that set_ent is always set since only drbg provides it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:18:12.220Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15d6f42da1bb527629d8e1067b1302d58dec9166"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd903c25b652c331831226cdf56c8179d18e43f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/17acbcd44fe8dc17dc1072375e76df2d52da6ac8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab172f4f42626549b02bada05f09e3f2b0cc26ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5c703b50e91dd4748769f4c5ab50d9ad60be370"
        },
        {
          "url": "https://git.kernel.org/stable/c/e247a7d138e514a40edda7c4d72c8bd49bb2cad3"
        },
        {
          "url": "https://git.kernel.org/stable/c/915cb75983bc5e8b80f8a2f25a4af463f7b18c14"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0d36727bf39bb16ef0a67ed608e279535ebf0da"
        }
      ],
      "title": "crypto: rng - Ensure set_ent is always present",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40109",
    "datePublished": "2025-11-09T04:35:59.979Z",
    "dateReserved": "2025-04-16T07:20:57.167Z",
    "dateUpdated": "2025-12-01T06:18:12.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38546 (GCVE-0-2025-38546)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:22 – Updated: 2025-11-03 17:39

Title

atm: clip: Fix memory leak of struct clip_vcc.

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak. Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atmarp() to prevent memleak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2fb37ab3226606cbf…
	https://git.kernel.org/stable/c/9e4dbeee56f614e3f…
	https://git.kernel.org/stable/c/1c075e88d5859a2c6…
	https://git.kernel.org/stable/c/0c17ff462d98c997d…
	https://git.kernel.org/stable/c/1fb9fb5a4b5cec2d5…
	https://git.kernel.org/stable/c/9f771816f14da6d61…
	https://git.kernel.org/stable/c/cb2e4a2f8f268d8fb…
	https://git.kernel.org/stable/c/62dba28275a9a3104…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2fb37ab3226606cbfc9b2b6f9e301b0b735734c5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9e4dbeee56f614e3f1e166e5d0655a999ea185ef (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1c075e88d5859a2c6b43b27e0e46fb281cef8039 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1fb9fb5a4b5cec2d56e26525ef8c519de858fa60 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9f771816f14da6d6157a8c30069091abf6b566fb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cb2e4a2f8f268d8fba6662f663a2e57846f14a8d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 62dba28275a9a3104d4e33595c7b3328d4032d8d (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:40.981Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2fb37ab3226606cbfc9b2b6f9e301b0b735734c5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9e4dbeee56f614e3f1e166e5d0655a999ea185ef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1c075e88d5859a2c6b43b27e0e46fb281cef8039",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1fb9fb5a4b5cec2d56e26525ef8c519de858fa60",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9f771816f14da6d6157a8c30069091abf6b566fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cb2e4a2f8f268d8fba6662f663a2e57846f14a8d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "62dba28275a9a3104d4e33595c7b3328d4032d8d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix memory leak of struct clip_vcc.\n\nioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to\nvcc-\u003euser_back.\n\nThe code assumes that vcc_destroy_socket() passes NULL skb\nto vcc-\u003epush() when the socket is close()d, and then clip_push()\nfrees clip_vcc.\n\nHowever, ioctl(ATMARPD_CTRL) sets NULL to vcc-\u003epush() in\natm_init_atmarp(), resulting in memory leak.\n\nLet\u0027s serialise two ioctl() by lock_sock() and check vcc-\u003epush()\nin atm_init_atmarp() to prevent memleak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:22:20.477Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2fb37ab3226606cbfc9b2b6f9e301b0b735734c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e4dbeee56f614e3f1e166e5d0655a999ea185ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c075e88d5859a2c6b43b27e0e46fb281cef8039"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fb9fb5a4b5cec2d56e26525ef8c519de858fa60"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f771816f14da6d6157a8c30069091abf6b566fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb2e4a2f8f268d8fba6662f663a2e57846f14a8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/62dba28275a9a3104d4e33595c7b3328d4032d8d"
        }
      ],
      "title": "atm: clip: Fix memory leak of struct clip_vcc.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38546",
    "datePublished": "2025-08-16T11:22:20.477Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-11-03T17:39:40.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38503 (GCVE-0-2025-38503)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2026-01-02 15:30

Title

btrfs: fix assertion when building free space tree

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1102! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 sp : ffff8000a4ce7600 x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8 x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001 x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160 x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0 x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00 x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0 x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e Call trace: populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P) btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337 btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfs_remount_rw fs/btrfs/super.c:1319 [inline] btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfigure_super+0x1d4/0x6f0 fs/super.c:1083 do_remount fs/namespace.c:3365 [inline] path_mount+0xb34/0xde0 fs/namespace.c:4200 do_mount fs/namespace.c:4221 [inline] __do_sys_mount fs/namespace.c:4432 [inline] __se_sys_mount fs/namespace.c:4409 [inline] __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Code: f0047182 91178042 528089c3 9771d47b (d4210000) ---[ end trace 0000000000000000 ]--- This happens because we are processing an empty block group, which has no extents allocated from it, there are no items for this block group, including the block group item since block group items are stored in a dedicated tree when using the block group tree feature. It also means this is the block group with the highest start offset, so there are no higher keys in the extent root, hence btrfs_search_slot_for_read() returns 1 (no higher key found). Fix this by asserting 'ret' is 0 only if the block group tree feature is not enabled, in which case we should find a block group item for the block group since it's stored in the extent root and block group item keys are greater than extent item keys (the value for BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively). In case 'ret' is 1, we just need to add a record to the free space tree which spans the whole block group, and we can achieve this by making 'ret == 0' as the while loop's condition.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7c77df23324f60bcf…
	https://git.kernel.org/stable/c/f4428b2d4c6873265…
	https://git.kernel.org/stable/c/0bcc14f36c7ad3712…
	https://git.kernel.org/stable/c/6bbe6530b1db7b436…
	https://git.kernel.org/stable/c/1961d20f6fa890326…

Impacted products

Vendor

Product

Version

Linux

Affected: 1c56ab991903dce60e905a08f431c0e6f79b9b9e , < 7c77df23324f60bcff0ea44392e2c82e9486640c (git)
Affected: 1c56ab991903dce60e905a08f431c0e6f79b9b9e , < f4428b2d4c68732653e93f748f538bdee639ff80 (git)
Affected: 1c56ab991903dce60e905a08f431c0e6f79b9b9e , < 0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e (git)
Affected: 1c56ab991903dce60e905a08f431c0e6f79b9b9e , < 6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b (git)
Affected: 1c56ab991903dce60e905a08f431c0e6f79b9b9e , < 1961d20f6fa8903266ed9bd77c691924c22c8f02 (git)
Affected: dc74beca1672adf3874e6cb6c26917139e2faf01 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:12.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/free-space-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7c77df23324f60bcff0ea44392e2c82e9486640c",
              "status": "affected",
              "version": "1c56ab991903dce60e905a08f431c0e6f79b9b9e",
              "versionType": "git"
            },
            {
              "lessThan": "f4428b2d4c68732653e93f748f538bdee639ff80",
              "status": "affected",
              "version": "1c56ab991903dce60e905a08f431c0e6f79b9b9e",
              "versionType": "git"
            },
            {
              "lessThan": "0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e",
              "status": "affected",
              "version": "1c56ab991903dce60e905a08f431c0e6f79b9b9e",
              "versionType": "git"
            },
            {
              "lessThan": "6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b",
              "status": "affected",
              "version": "1c56ab991903dce60e905a08f431c0e6f79b9b9e",
              "versionType": "git"
            },
            {
              "lessThan": "1961d20f6fa8903266ed9bd77c691924c22c8f02",
              "status": "affected",
              "version": "1c56ab991903dce60e905a08f431c0e6f79b9b9e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dc74beca1672adf3874e6cb6c26917139e2faf01",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/free-space-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion when building free space tree\n\nWhen building the free space tree with the block group tree feature\nenabled, we can hit an assertion failure like this:\n\n  BTRFS info (device loop0 state M): rebuilding free space tree\n  assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/free-space-tree.c:1102!\n  Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  sp : ffff8000a4ce7600\n  x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8\n  x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001\n  x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160\n  x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff\n  x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0\n  x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff\n  x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00\n  x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001\n  x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0\n  x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e\n  Call trace:\n   populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)\n   btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337\n   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n   do_remount fs/namespace.c:3365 [inline]\n   path_mount+0xb34/0xde0 fs/namespace.c:4200\n   do_mount fs/namespace.c:4221 [inline]\n   __do_sys_mount fs/namespace.c:4432 [inline]\n   __se_sys_mount fs/namespace.c:4409 [inline]\n   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n  Code: f0047182 91178042 528089c3 9771d47b (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\nThis happens because we are processing an empty block group, which has\nno extents allocated from it, there are no items for this block group,\nincluding the block group item since block group items are stored in a\ndedicated tree when using the block group tree feature. It also means\nthis is the block group with the highest start offset, so there are no\nhigher keys in the extent root, hence btrfs_search_slot_for_read()\nreturns 1 (no higher key found).\n\nFix this by asserting \u0027ret\u0027 is 0 only if the block group tree feature\nis not enabled, in which case we should find a block group item for\nthe block group since it\u0027s stored in the extent root and block group\nitem keys are greater than extent item keys (the value for\nBTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and\nBTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).\nIn case \u0027ret\u0027 is 1, we just need to add a record to the free space\ntree which spans the whole block group, and we can achieve this by\nmaking \u0027ret == 0\u0027 as the while loop\u0027s condition."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:44.208Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7c77df23324f60bcff0ea44392e2c82e9486640c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4428b2d4c68732653e93f748f538bdee639ff80"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1961d20f6fa8903266ed9bd77c691924c22c8f02"
        }
      ],
      "title": "btrfs: fix assertion when building free space tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38503",
    "datePublished": "2025-08-16T10:54:41.004Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2026-01-02T15:30:44.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38507 (GCVE-0-2025-38507)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2025-08-19 05:47

Title

HID: nintendo: avoid bluetooth suspend/resume stalls

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: avoid bluetooth suspend/resume stalls Ensure we don't stall or panic the kernel when using bluetooth-connected controllers. This was reported as an issue on android devices using kernel 6.6 due to the resume hook which had been added for usb joycons. First, set a new state value to JOYCON_CTLR_STATE_SUSPENDED in a newly-added nintendo_hid_suspend. This makes sure we will not stall out the kernel waiting for input reports during led classdev suspend. The stalls could happen if connectivity is unreliable or lost to the controller prior to suspend. Second, since we lose connectivity during suspend, do not try joycon_init() for bluetooth controllers in the nintendo_hid_resume path. Tested via multiple suspend/resume flows when using the controller both in USB and bluetooth modes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7b4a026313529a487…
	https://git.kernel.org/stable/c/72cb7eef06a5cde42…
	https://git.kernel.org/stable/c/4a0381080397e7779…

Impacted products

Vendor

Product

Version

Linux

Affected: 2af16c1f846bd60240745bbd3afa13d5f040c61a , < 7b4a026313529a487821ef6ab494a61f12c1db08 (git)
Affected: 2af16c1f846bd60240745bbd3afa13d5f040c61a , < 72cb7eef06a5cde42b324dea85fa11fd5bb6a08a (git)
Affected: 2af16c1f846bd60240745bbd3afa13d5f040c61a , < 4a0381080397e77792a5168069f174d3e56175ff (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-nintendo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7b4a026313529a487821ef6ab494a61f12c1db08",
              "status": "affected",
              "version": "2af16c1f846bd60240745bbd3afa13d5f040c61a",
              "versionType": "git"
            },
            {
              "lessThan": "72cb7eef06a5cde42b324dea85fa11fd5bb6a08a",
              "status": "affected",
              "version": "2af16c1f846bd60240745bbd3afa13d5f040c61a",
              "versionType": "git"
            },
            {
              "lessThan": "4a0381080397e77792a5168069f174d3e56175ff",
              "status": "affected",
              "version": "2af16c1f846bd60240745bbd3afa13d5f040c61a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-nintendo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nintendo: avoid bluetooth suspend/resume stalls\n\nEnsure we don\u0027t stall or panic the kernel when using bluetooth-connected\ncontrollers. This was reported as an issue on android devices using\nkernel 6.6 due to the resume hook which had been added for usb joycons.\n\nFirst, set a new state value to JOYCON_CTLR_STATE_SUSPENDED in a\nnewly-added nintendo_hid_suspend. This makes sure we will not stall out\nthe kernel waiting for input reports during led classdev suspend. The\nstalls could happen if connectivity is unreliable or lost to the\ncontroller prior to suspend.\n\nSecond, since we lose connectivity during suspend, do not try\njoycon_init() for bluetooth controllers in the nintendo_hid_resume path.\n\nTested via multiple suspend/resume flows when using the controller both\nin USB and bluetooth modes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T05:47:18.176Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7b4a026313529a487821ef6ab494a61f12c1db08"
        },
        {
          "url": "https://git.kernel.org/stable/c/72cb7eef06a5cde42b324dea85fa11fd5bb6a08a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a0381080397e77792a5168069f174d3e56175ff"
        }
      ],
      "title": "HID: nintendo: avoid bluetooth suspend/resume stalls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38507",
    "datePublished": "2025-08-16T10:54:44.663Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-08-19T05:47:18.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39697 (GCVE-0-2025-39697)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42

Title

NFS: Fix a race when updating an existing write

Summary

In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating an existing write After nfs_lock_and_join_requests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfs_inode_remove_request() from succeeding until we actually lock the page group. The reason is that whoever called nfs_inode_remove_request() doesn't necessarily have a lock on the page group head. So in order to avoid races, let's take the page group lock earlier in nfs_lock_and_join_requests(), and hold it across the removal of the request in nfs_inode_remove_request().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0ff42a32784e0f2cb…
	https://git.kernel.org/stable/c/f230d40147cc37eb3…
	https://git.kernel.org/stable/c/c32e3c71aaa1c1ba0…
	https://git.kernel.org/stable/c/181feb41f0b268e62…
	https://git.kernel.org/stable/c/92278ae36935a54e6…
	https://git.kernel.org/stable/c/202a3432d21ac0606…
	https://git.kernel.org/stable/c/76d2e3890fb169168…

Impacted products

Vendor

Product

Version

Linux

Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 0ff42a32784e0f2cb46a46da8e9f473538c13e1b (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < f230d40147cc37eb3aef4d50e2e2c06ea73d9a77 (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < c32e3c71aaa1c1ba05da88605e2ddd493c58794f (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 181feb41f0b268e6288bf9a7b984624d7fe2031d (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 92278ae36935a54e65fef9f8ea8efe7e80481ace (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 202a3432d21ac060629a760fff3b0a39859da3ea (git)
Affected: bd37d6fce184836bd5e7cd90ce40116a4fadaf2a , < 76d2e3890fb169168c73f2e4f8375c7cc24a765e (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:28.746Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pagelist.c",
            "fs/nfs/write.c",
            "include/linux/nfs_page.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0ff42a32784e0f2cb46a46da8e9f473538c13e1b",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "f230d40147cc37eb3aef4d50e2e2c06ea73d9a77",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "c32e3c71aaa1c1ba05da88605e2ddd493c58794f",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "181feb41f0b268e6288bf9a7b984624d7fe2031d",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "92278ae36935a54e65fef9f8ea8efe7e80481ace",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "202a3432d21ac060629a760fff3b0a39859da3ea",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            },
            {
              "lessThan": "76d2e3890fb169168c73f2e4f8375c7cc24a765e",
              "status": "affected",
              "version": "bd37d6fce184836bd5e7cd90ce40116a4fadaf2a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/pagelist.c",
            "fs/nfs/write.c",
            "include/linux/nfs_page.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn\u0027t\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let\u0027s take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:37.628Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0ff42a32784e0f2cb46a46da8e9f473538c13e1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f230d40147cc37eb3aef4d50e2e2c06ea73d9a77"
        },
        {
          "url": "https://git.kernel.org/stable/c/c32e3c71aaa1c1ba05da88605e2ddd493c58794f"
        },
        {
          "url": "https://git.kernel.org/stable/c/181feb41f0b268e6288bf9a7b984624d7fe2031d"
        },
        {
          "url": "https://git.kernel.org/stable/c/92278ae36935a54e65fef9f8ea8efe7e80481ace"
        },
        {
          "url": "https://git.kernel.org/stable/c/202a3432d21ac060629a760fff3b0a39859da3ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/76d2e3890fb169168c73f2e4f8375c7cc24a765e"
        }
      ],
      "title": "NFS: Fix a race when updating an existing write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39697",
    "datePublished": "2025-09-05T17:21:03.178Z",
    "dateReserved": "2025-04-16T07:20:57.115Z",
    "dateUpdated": "2025-11-03T17:42:28.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38525 (GCVE-0-2025-38525)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12

Title

rxrpc: Fix irq-disabled in local_bh_enable()

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix irq-disabled in local_bh_enable() The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2029f21f10dedb88c…
	https://git.kernel.org/stable/c/e4d2878369d590bf8…

Impacted products

Vendor

Product

Version

Linux

Affected: a2ea9a9072607c2fd6442bd1ffb4dbdbf882aed7 , < 2029f21f10dedb88c0f86abffcf8d6c21dcf6040 (git)
Affected: a2ea9a9072607c2fd6442bd1ffb4dbdbf882aed7 , < e4d2878369d590bf8455e3678a644e503172eafa (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_accept.c",
            "net/rxrpc/peer_object.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2029f21f10dedb88c0f86abffcf8d6c21dcf6040",
              "status": "affected",
              "version": "a2ea9a9072607c2fd6442bd1ffb4dbdbf882aed7",
              "versionType": "git"
            },
            {
              "lessThan": "e4d2878369d590bf8455e3678a644e503172eafa",
              "status": "affected",
              "version": "a2ea9a9072607c2fd6442bd1ffb4dbdbf882aed7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_accept.c",
            "net/rxrpc/peer_object.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix irq-disabled in local_bh_enable()\n\nThe rxrpc_assess_MTU_size() function calls down into the IP layer to find\nout the MTU size for a route.  When accepting an incoming call, this is\ncalled from rxrpc_new_incoming_call() which holds interrupts disabled\nacross the code that calls down to it.  Unfortunately, the IP layer uses\nlocal_bh_enable() which, config dependent, throws a warning if IRQs are\nenabled:\n\nWARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0\n...\nRIP: 0010:__local_bh_enable_ip+0x43/0xd0\n...\nCall Trace:\n \u003cTASK\u003e\n rt_cache_route+0x7e/0xa0\n rt_set_nexthop.isra.0+0x3b3/0x3f0\n __mkroute_output+0x43a/0x460\n ip_route_output_key_hash+0xf7/0x140\n ip_route_output_flow+0x1b/0x90\n rxrpc_assess_MTU_size.isra.0+0x2a0/0x590\n rxrpc_new_incoming_peer+0x46/0x120\n rxrpc_alloc_incoming_call+0x1b1/0x400\n rxrpc_new_incoming_call+0x1da/0x5e0\n rxrpc_input_packet+0x827/0x900\n rxrpc_io_thread+0x403/0xb60\n kthread+0x2f7/0x310\n ret_from_fork+0x2a/0x230\n ret_from_fork_asm+0x1a/0x30\n...\nhardirqs last  enabled at (23): _raw_spin_unlock_irq+0x24/0x50\nhardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70\nsoftirqs last  enabled at (0): copy_process+0xc61/0x2730\nsoftirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90\n\nFix this by moving the call to rxrpc_assess_MTU_size() out of\nrxrpc_init_peer() and further up the stack where it can be done without\ninterrupts disabled.\n\nIt shouldn\u0027t be a problem for rxrpc_new_incoming_call() to do it after the\nlocks are dropped as pmtud is going to be performed by the I/O thread - and\nwe\u0027re in the I/O thread at this point."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:12:19.191Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2029f21f10dedb88c0f86abffcf8d6c21dcf6040"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4d2878369d590bf8455e3678a644e503172eafa"
        }
      ],
      "title": "rxrpc: Fix irq-disabled in local_bh_enable()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38525",
    "datePublished": "2025-08-16T11:12:19.191Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-08-16T11:12:19.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38653 (GCVE-0-2025-38653)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al

Summary

In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c35b0feb80b48720d…
	https://git.kernel.org/stable/c/33c778ea0bd0fa62f…
	https://git.kernel.org/stable/c/fc1072d934f687e12…
	https://git.kernel.org/stable/c/d136502e04d8853a9…
	https://git.kernel.org/stable/c/1fccbfbae1dd36198…
	https://git.kernel.org/stable/c/ff7ec8dc1b646296f…

Impacted products

Vendor

Product

Version

Linux

Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < c35b0feb80b48720dfbbf4e33759c7be3faaebb6 (git)
Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < 33c778ea0bd0fa62ff590497e72562ff90f82b13 (git)
Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < fc1072d934f687e1221d685cf1a49a5068318f34 (git)
Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < d136502e04d8853a9aecb335d07bbefd7a1519a8 (git)
Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < 1fccbfbae1dd36198dc47feac696563244ad81d3 (git)
Affected: 3f61631d47f115b83c935d0039f95cb68b0c8ab7 , < ff7ec8dc1b646296f8d94c39339e8d3833d16c05 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:46.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c",
            "fs/proc/inode.c",
            "fs/proc/internal.h",
            "include/linux/proc_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c35b0feb80b48720dfbbf4e33759c7be3faaebb6",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            },
            {
              "lessThan": "33c778ea0bd0fa62ff590497e72562ff90f82b13",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            },
            {
              "lessThan": "fc1072d934f687e1221d685cf1a49a5068318f34",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            },
            {
              "lessThan": "d136502e04d8853a9aecb335d07bbefd7a1519a8",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            },
            {
              "lessThan": "1fccbfbae1dd36198dc47feac696563244ad81d3",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            },
            {
              "lessThan": "ff7ec8dc1b646296f8d94c39339e8d3833d16c05",
              "status": "affected",
              "version": "3f61631d47f115b83c935d0039f95cb68b0c8ab7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c",
            "fs/proc/inode.c",
            "fs/proc/internal.h",
            "include/linux/proc_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al\n\nCheck pde-\u003eproc_ops-\u003eproc_lseek directly may cause UAF in rmmod scenario. \nIt\u0027s a gap in proc_reg_open() after commit 654b33ada4ab(\"proc: fix UAF in\nproc_get_inode()\").  Followed by AI Viro\u0027s suggestion, fix it in same\nmanner."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:34.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c35b0feb80b48720dfbbf4e33759c7be3faaebb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/33c778ea0bd0fa62ff590497e72562ff90f82b13"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc1072d934f687e1221d685cf1a49a5068318f34"
        },
        {
          "url": "https://git.kernel.org/stable/c/d136502e04d8853a9aecb335d07bbefd7a1519a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fccbfbae1dd36198dc47feac696563244ad81d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff7ec8dc1b646296f8d94c39339e8d3833d16c05"
        }
      ],
      "title": "proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38653",
    "datePublished": "2025-08-22T16:00:57.413Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:46.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38624 (GCVE-0-2025-38624)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-01-02 15:31

Title

PCI: pnv_php: Clean up allocated IRQs on unplug

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Clean up allocated IRQs on unplug When the root of a nested PCIe bridge configuration is unplugged, the pnv_php driver leaked the allocated IRQ resources for the child bridges' hotplug event notifications, resulting in a panic. Fix this by walking all child buses and deallocating all its IRQ resources before calling pci_hp_remove_devices(). Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so that it is only destroyed in pnv_php_free_slot(), instead of pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will now be called by workers triggered by hot unplug interrupts, so the workqueue needs to stay allocated. The abridged kernel panic that occurs without this patch is as follows: WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 Call Trace: msi_device_data_release+0x34/0x9c (unreliable) release_nodes+0x64/0x13c devres_release_all+0xc0/0x140 device_del+0x2d4/0x46c pci_destroy_dev+0x5c/0x194 pci_hp_remove_devices+0x90/0x128 pci_hp_remove_devices+0x44/0x128 pnv_php_disable_slot+0x54/0xd4 power_write_file+0xf8/0x18c pci_slot_attr_store+0x40/0x5c sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x3bc/0x50c ksys_write+0x84/0x140 system_call_exception+0x124/0x230 system_call_vectored_common+0x15c/0x2ec [bhelgaas: tidy comments]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8c1ad4af160691e15…
	https://git.kernel.org/stable/c/912e200240b6f9758…
	https://git.kernel.org/stable/c/398170b7fd0e0db2f…
	https://git.kernel.org/stable/c/32173edf3fe2d447e…
	https://git.kernel.org/stable/c/28aa3cfce12487614…
	https://git.kernel.org/stable/c/1773c19fa55e944cd…
	https://git.kernel.org/stable/c/bbd302c4b79df1019…
	https://git.kernel.org/stable/c/4668619092554e1b9…

Impacted products

Vendor

Product

Version

Linux

Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 8c1ad4af160691e157d688ad9619ced2df556aac (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 912e200240b6f9758f0b126e64a61c9227f4ad37 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 398170b7fd0e0db2f8096df5206c75e5ff41415a (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 32173edf3fe2d447e14e5e3b299387c6f9602a88 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 28aa3cfce12487614219e7667ec84424e1f43227 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 1773c19fa55e944cdd2634e2d9e552f87f2d38d5 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < bbd302c4b79df10197ffa7270ca3aa572eeca33c (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 4668619092554e1b95c9a5ac2941ca47ba6d548a (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:34.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/hotplug/pnv_php.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c1ad4af160691e157d688ad9619ced2df556aac",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "912e200240b6f9758f0b126e64a61c9227f4ad37",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "398170b7fd0e0db2f8096df5206c75e5ff41415a",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "32173edf3fe2d447e14e5e3b299387c6f9602a88",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "28aa3cfce12487614219e7667ec84424e1f43227",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "1773c19fa55e944cdd2634e2d9e552f87f2d38d5",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "bbd302c4b79df10197ffa7270ca3aa572eeca33c",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "4668619092554e1b95c9a5ac2941ca47ba6d548a",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/hotplug/pnv_php.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Clean up allocated IRQs on unplug\n\nWhen the root of a nested PCIe bridge configuration is unplugged, the\npnv_php driver leaked the allocated IRQ resources for the child bridges\u0027\nhotplug event notifications, resulting in a panic.\n\nFix this by walking all child buses and deallocating all its IRQ resources\nbefore calling pci_hp_remove_devices().\n\nAlso modify the lifetime of the workqueue at struct pnv_php_slot::wq so\nthat it is only destroyed in pnv_php_free_slot(), instead of\npnv_php_disable_irq(). This is required since pnv_php_disable_irq() will\nnow be called by workers triggered by hot unplug interrupts, so the\nworkqueue needs to stay allocated.\n\nThe abridged kernel panic that occurs without this patch is as follows:\n\n  WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c\n  CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2\n  Call Trace:\n   msi_device_data_release+0x34/0x9c (unreliable)\n   release_nodes+0x64/0x13c\n   devres_release_all+0xc0/0x140\n   device_del+0x2d4/0x46c\n   pci_destroy_dev+0x5c/0x194\n   pci_hp_remove_devices+0x90/0x128\n   pci_hp_remove_devices+0x44/0x128\n   pnv_php_disable_slot+0x54/0xd4\n   power_write_file+0xf8/0x18c\n   pci_slot_attr_store+0x40/0x5c\n   sysfs_kf_write+0x64/0x78\n   kernfs_fop_write_iter+0x1b0/0x290\n   vfs_write+0x3bc/0x50c\n   ksys_write+0x84/0x140\n   system_call_exception+0x124/0x230\n   system_call_vectored_common+0x15c/0x2ec\n\n[bhelgaas: tidy comments]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:31:00.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c1ad4af160691e157d688ad9619ced2df556aac"
        },
        {
          "url": "https://git.kernel.org/stable/c/912e200240b6f9758f0b126e64a61c9227f4ad37"
        },
        {
          "url": "https://git.kernel.org/stable/c/398170b7fd0e0db2f8096df5206c75e5ff41415a"
        },
        {
          "url": "https://git.kernel.org/stable/c/32173edf3fe2d447e14e5e3b299387c6f9602a88"
        },
        {
          "url": "https://git.kernel.org/stable/c/28aa3cfce12487614219e7667ec84424e1f43227"
        },
        {
          "url": "https://git.kernel.org/stable/c/1773c19fa55e944cdd2634e2d9e552f87f2d38d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbd302c4b79df10197ffa7270ca3aa572eeca33c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4668619092554e1b95c9a5ac2941ca47ba6d548a"
        }
      ],
      "title": "PCI: pnv_php: Clean up allocated IRQs on unplug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38624",
    "datePublished": "2025-08-22T16:00:32.924Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2026-01-02T15:31:00.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38480 (GCVE-0-2025-38480)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4c2981bf30401adfc…
	https://git.kernel.org/stable/c/16256d7efcf7acc9f…
	https://git.kernel.org/stable/c/c53570e62b5b28bdb…
	https://git.kernel.org/stable/c/3050d197d6bc9ef12…
	https://git.kernel.org/stable/c/10f9024a8c824a418…
	https://git.kernel.org/stable/c/2af1e7d389c261921…
	https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b…
	https://git.kernel.org/stable/c/e9cb26291d009243a…

Impacted products

Vendor

Product

Version

Linux

Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 4c2981bf30401adfcdbfece4ab6f411f7c5875a1 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 16256d7efcf7acc9f39abe21522c4c6b77f67c00 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < c53570e62b5b28bdb56bb563190227f8307817a5 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 3050d197d6bc9ef128944a70210f42d2430b3000 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 10f9024a8c824a41827fff1fefefb314c98e2c88 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 2af1e7d389c2619219171d23f5b96dbcbb7f9656 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870 (git)
Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < e9cb26291d009243a4478a7ffb37b3a9175bfce9 (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:48.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c2981bf30401adfcdbfece4ab6f411f7c5875a1",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "16256d7efcf7acc9f39abe21522c4c6b77f67c00",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "c53570e62b5b28bdb56bb563190227f8307817a5",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "3050d197d6bc9ef128944a70210f42d2430b3000",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "10f9024a8c824a41827fff1fefefb314c98e2c88",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "2af1e7d389c2619219171d23f5b96dbcbb7f9656",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "e9cb26291d009243a4478a7ffb37b3a9175bfce9",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions.  In that case, the subdevice\u0027s `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory.  It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at lease `MIN_SAMPLES` (16) elements are\nallocated.  However, if `insn-\u003en` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`.  This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn-\u003en` is 0, before reaching the code\nthat accesses `data[0]`.  Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn-\u003en`, which is 0 in this case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:19.703Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00"
        },
        {
          "url": "https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000"
        },
        {
          "url": "https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88"
        },
        {
          "url": "https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9"
        }
      ],
      "title": "comedi: Fix use of uninitialized data in insn_rw_emulate_bits()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38480",
    "datePublished": "2025-07-28T11:21:45.142Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:48.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38662 (GCVE-0-2025-38662)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:02 – Updated: 2025-08-22 16:02

Title

ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv Given mt8365_dai_set_priv allocate priv_size space to copy priv_data which means we should pass mt8365_i2s_priv[i] or "struct mtk_afe_i2s_priv" instead of afe_priv which has the size of "struct mt8365_afe_private". Otherwise the KASAN complains about. [ 59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm] ... [ 59.394789] Call trace: [ 59.395167] dump_backtrace+0xa0/0x128 [ 59.395733] show_stack+0x20/0x38 [ 59.396238] dump_stack_lvl+0xe8/0x148 [ 59.396806] print_report+0x37c/0x5e0 [ 59.397358] kasan_report+0xac/0xf8 [ 59.397885] kasan_check_range+0xe8/0x190 [ 59.398485] asan_memcpy+0x3c/0x98 [ 59.399022] mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm] [ 59.399928] mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm] [ 59.400893] mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm] [ 59.401873] platform_probe+0xcc/0x228 [ 59.402442] really_probe+0x340/0x9e8 [ 59.402992] driver_probe_device+0x16c/0x3f8 [ 59.403638] driver_probe_device+0x64/0x1d8 [ 59.404256] driver_attach+0x1dc/0x4c8 [ 59.404840] bus_for_each_dev+0x100/0x190 [ 59.405442] driver_attach+0x44/0x68 [ 59.405980] bus_add_driver+0x23c/0x500 [ 59.406550] driver_register+0xf8/0x3d0 [ 59.407122] platform_driver_register+0x68/0x98 [ 59.407810] mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1dc0ed16cfbc3c28a…
	https://git.kernel.org/stable/c/6e621dd99c57db916…
	https://git.kernel.org/stable/c/6bea85979d05470e6…

Impacted products

Vendor

Product

Version

Linux

Affected: 402bbb13a195caa83b3279ebecdabfb11ddee084 , < 1dc0ed16cfbc3c28a07a89904071cfa802fdcee1 (git)
Affected: 402bbb13a195caa83b3279ebecdabfb11ddee084 , < 6e621dd99c57db916842865debaa65f20bbd6d8e (git)
Affected: 402bbb13a195caa83b3279ebecdabfb11ddee084 , < 6bea85979d05470e6416a2bb504a9bcd9178304c (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8365/mt8365-dai-i2s.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1dc0ed16cfbc3c28a07a89904071cfa802fdcee1",
              "status": "affected",
              "version": "402bbb13a195caa83b3279ebecdabfb11ddee084",
              "versionType": "git"
            },
            {
              "lessThan": "6e621dd99c57db916842865debaa65f20bbd6d8e",
              "status": "affected",
              "version": "402bbb13a195caa83b3279ebecdabfb11ddee084",
              "versionType": "git"
            },
            {
              "lessThan": "6bea85979d05470e6416a2bb504a9bcd9178304c",
              "status": "affected",
              "version": "402bbb13a195caa83b3279ebecdabfb11ddee084",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8365/mt8365-dai-i2s.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv\n\nGiven mt8365_dai_set_priv allocate priv_size space to copy priv_data which\nmeans we should pass mt8365_i2s_priv[i] or \"struct mtk_afe_i2s_priv\"\ninstead of afe_priv which has the size of \"struct mt8365_afe_private\".\n\nOtherwise the KASAN complains about.\n\n[   59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]\n...\n[   59.394789] Call trace:\n[   59.395167]  dump_backtrace+0xa0/0x128\n[   59.395733]  show_stack+0x20/0x38\n[   59.396238]  dump_stack_lvl+0xe8/0x148\n[   59.396806]  print_report+0x37c/0x5e0\n[   59.397358]  kasan_report+0xac/0xf8\n[   59.397885]  kasan_check_range+0xe8/0x190\n[   59.398485]  asan_memcpy+0x3c/0x98\n[   59.399022]  mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]\n[   59.399928]  mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm]\n[   59.400893]  mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm]\n[   59.401873]  platform_probe+0xcc/0x228\n[   59.402442]  really_probe+0x340/0x9e8\n[   59.402992]  driver_probe_device+0x16c/0x3f8\n[   59.403638]  driver_probe_device+0x64/0x1d8\n[   59.404256]  driver_attach+0x1dc/0x4c8\n[   59.404840]  bus_for_each_dev+0x100/0x190\n[   59.405442]  driver_attach+0x44/0x68\n[   59.405980]  bus_add_driver+0x23c/0x500\n[   59.406550]  driver_register+0xf8/0x3d0\n[   59.407122]  platform_driver_register+0x68/0x98\n[   59.407810]  mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T16:02:55.078Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1dc0ed16cfbc3c28a07a89904071cfa802fdcee1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e621dd99c57db916842865debaa65f20bbd6d8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bea85979d05470e6416a2bb504a9bcd9178304c"
        }
      ],
      "title": "ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38662",
    "datePublished": "2025-08-22T16:02:55.078Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-08-22T16:02:55.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38582 (GCVE-0-2025-38582)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

RDMA/hns: Fix double destruction of rsv_qp

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix double destruction of rsv_qp rsv_qp may be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Fix it by moving the free_mr_init() call into hns_roce_v2_init(). list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 ... Call trace: __list_del_entry_valid+0x148/0x240 hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] hclge_notify_roce_client+0x6c/0x160 [hclge] hclge_reset_rebuild+0x150/0x5c0 [hclge] hclge_reset+0x10c/0x140 [hclge] hclge_reset_subtask+0x80/0x104 [hclge] hclge_reset_service_task+0x168/0x3ac [hclge] hclge_service_task+0x50/0x100 [hclge] process_one_work+0x250/0x9a0 worker_thread+0x324/0x990 kthread+0x190/0x210 ret_from_fork+0x10/0x18

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dab173bae3303f074…
	https://git.kernel.org/stable/c/fc8b0f5b16bab2e03…
	https://git.kernel.org/stable/c/10b083dbba22be19b…
	https://git.kernel.org/stable/c/c6957b95ecc5b63c5…

Impacted products

Vendor

Product

Version

Linux

Affected: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 , < dab173bae3303f074f063750a8dead2550d8c782 (git)
Affected: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 , < fc8b0f5b16bab2e032b4cfcd6218d5df3b80b2ea (git)
Affected: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 , < 10b083dbba22be19baa848432b6f25aa68ab2db5 (git)
Affected: fd8489294dd2beefb70f12ec4f6132aeec61a4d0 , < c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8 (git)
Affected: 2ccf1c75d39949d8ea043d04a2e92d7100ea723d (git)
Affected: d2d9c5127122745da6e887f451dd248cfeffca33 (git)
Affected: dac2723d8bfa9cf5333f477741e6e5fa1ed34645 (git)
Affected: 60595923371c2ebe7faf82536c47eb0c967e3425 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hw_v2.c",
            "drivers/infiniband/hw/hns/hns_roce_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dab173bae3303f074f063750a8dead2550d8c782",
              "status": "affected",
              "version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
              "versionType": "git"
            },
            {
              "lessThan": "fc8b0f5b16bab2e032b4cfcd6218d5df3b80b2ea",
              "status": "affected",
              "version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
              "versionType": "git"
            },
            {
              "lessThan": "10b083dbba22be19baa848432b6f25aa68ab2db5",
              "status": "affected",
              "version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
              "versionType": "git"
            },
            {
              "lessThan": "c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8",
              "status": "affected",
              "version": "fd8489294dd2beefb70f12ec4f6132aeec61a4d0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ccf1c75d39949d8ea043d04a2e92d7100ea723d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d2d9c5127122745da6e887f451dd248cfeffca33",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dac2723d8bfa9cf5333f477741e6e5fa1ed34645",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "60595923371c2ebe7faf82536c47eb0c967e3425",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hw_v2.c",
            "drivers/infiniband/hw/hns/hns_roce_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix double destruction of rsv_qp\n\nrsv_qp may be double destroyed in error flow, first in free_mr_init(),\nand then in hns_roce_exit(). Fix it by moving the free_mr_init() call\ninto hns_roce_v2_init().\n\nlist_del corruption, ffff589732eb9b50-\u003enext is LIST_POISON1 (dead000000000100)\nWARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240\n...\nCall trace:\n __list_del_entry_valid+0x148/0x240\n hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]\n free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]\n hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]\n hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]\n hclge_notify_roce_client+0x6c/0x160 [hclge]\n hclge_reset_rebuild+0x150/0x5c0 [hclge]\n hclge_reset+0x10c/0x140 [hclge]\n hclge_reset_subtask+0x80/0x104 [hclge]\n hclge_reset_service_task+0x168/0x3ac [hclge]\n hclge_service_task+0x50/0x100 [hclge]\n process_one_work+0x250/0x9a0\n worker_thread+0x324/0x990\n kthread+0x190/0x210\n ret_from_fork+0x10/0x18"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:13.704Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dab173bae3303f074f063750a8dead2550d8c782"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc8b0f5b16bab2e032b4cfcd6218d5df3b80b2ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/10b083dbba22be19baa848432b6f25aa68ab2db5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8"
        }
      ],
      "title": "RDMA/hns: Fix double destruction of rsv_qp",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38582",
    "datePublished": "2025-08-19T17:03:04.535Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-09-29T05:54:13.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38553 (GCVE-0-2025-38553)

Vulnerability from cvelistv5 – Published: 2025-08-19 06:06 – Updated: 2025-11-03 17:39

Title

net/sched: Restrict conditions for adding duplicating netems to qdisc tree

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in the sk_buff struct. Considered too specific a use case to extend such a struct, though this would be a resilient fix and address other previous and potential future DOS bugs like the one described in loopy fun [2]. 2) Restrict netem_enqueue recursion depth like in act_mirred with a per cpu variable. However, netem_dequeue can call enqueue on its child, and the depth restriction could be bypassed if the child is a netem. 3) Use the same approach as in 2, but add metadata in netem_skb_cb to handle the netem_dequeue case and track a packet's involvement in duplication. This is an overly complex approach, and Jamal notes that the skb cb can be overwritten to circumvent this safeguard. 4) Prevent the addition of a netem to a qdisc tree if its ancestral path contains a netem. However, filters and actions can cause a packet to change paths when re-enqueued to the root from netem duplication, leading us to the current solution: prevent a duplicating netem from inhabiting the same tree as other netems. [1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ [2] https://lwn.net/Articles/719297/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ad340a4b4adb855b1…
	https://git.kernel.org/stable/c/f088b6ebe8797a3f9…
	https://git.kernel.org/stable/c/cab2809944989889f…
	https://git.kernel.org/stable/c/325f5ec67cc0a77f2…
	https://git.kernel.org/stable/c/103c4e27ec9f5fe53…
	https://git.kernel.org/stable/c/795cb393e38977aa9…
	https://git.kernel.org/stable/c/250f8796006c0f2bc…
	https://git.kernel.org/stable/c/09317dfb681ac5a96…
	https://git.kernel.org/stable/c/ec8e0e3d7adef940c…

Impacted products

Vendor

Product

Version

Linux

Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < ad340a4b4adb855b18b3666f26ad65c8968e2deb (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < f088b6ebe8797a3f948d2cae47f34bfb45cc6522 (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < cab2809944989889f88a1a8b5cff1c78460c72cb (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < 325f5ec67cc0a77f2d0d453445b9857f1cd06c76 (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < 103c4e27ec9f5fe53022e46e976abf52c7221baf (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < 795cb393e38977aa991e70a9363da0ee734b2114 (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < 250f8796006c0f2bc638ce545f601d49ae8d528b (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < 09317dfb681ac5a96fc69bea0c54441cf91b8270 (git)
Affected: 0afb51e72855971dba83b3c6b70c547c2d1161fd , < ec8e0e3d7adef940cdf9475e2352c0680189d14e (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:46.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad340a4b4adb855b18b3666f26ad65c8968e2deb",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "f088b6ebe8797a3f948d2cae47f34bfb45cc6522",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "cab2809944989889f88a1a8b5cff1c78460c72cb",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "325f5ec67cc0a77f2d0d453445b9857f1cd06c76",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "103c4e27ec9f5fe53022e46e976abf52c7221baf",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "795cb393e38977aa991e70a9363da0ee734b2114",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "250f8796006c0f2bc638ce545f601d49ae8d528b",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "09317dfb681ac5a96fc69bea0c54441cf91b8270",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            },
            {
              "lessThan": "ec8e0e3d7adef940cdf9475e2352c0680189d14e",
              "status": "affected",
              "version": "0afb51e72855971dba83b3c6b70c547c2d1161fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Restrict conditions for adding duplicating netems to qdisc tree\n\nnetem_enqueue\u0027s duplication prevention logic breaks when a netem\nresides in a qdisc tree with other netems - this can lead to a\nsoft lockup and OOM loop in netem_dequeue, as seen in [1].\nEnsure that a duplicating netem cannot exist in a tree with other\nnetems.\n\nPrevious approaches suggested in discussions in chronological order:\n\n1) Track duplication status or ttl in the sk_buff struct. Considered\ntoo specific a use case to extend such a struct, though this would\nbe a resilient fix and address other previous and potential future\nDOS bugs like the one described in loopy fun [2].\n\n2) Restrict netem_enqueue recursion depth like in act_mirred with a\nper cpu variable. However, netem_dequeue can call enqueue on its\nchild, and the depth restriction could be bypassed if the child is a\nnetem.\n\n3) Use the same approach as in 2, but add metadata in netem_skb_cb\nto handle the netem_dequeue case and track a packet\u0027s involvement\nin duplication. This is an overly complex approach, and Jamal\nnotes that the skb cb can be overwritten to circumvent this\nsafeguard.\n\n4) Prevent the addition of a netem to a qdisc tree if its ancestral\npath contains a netem. However, filters and actions can cause a\npacket to change paths when re-enqueued to the root from netem\nduplication, leading us to the current solution: prevent a\nduplicating netem from inhabiting the same tree as other netems.\n\n[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/\n[2] https://lwn.net/Articles/719297/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:39.976Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad340a4b4adb855b18b3666f26ad65c8968e2deb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f088b6ebe8797a3f948d2cae47f34bfb45cc6522"
        },
        {
          "url": "https://git.kernel.org/stable/c/cab2809944989889f88a1a8b5cff1c78460c72cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/325f5ec67cc0a77f2d0d453445b9857f1cd06c76"
        },
        {
          "url": "https://git.kernel.org/stable/c/103c4e27ec9f5fe53022e46e976abf52c7221baf"
        },
        {
          "url": "https://git.kernel.org/stable/c/795cb393e38977aa991e70a9363da0ee734b2114"
        },
        {
          "url": "https://git.kernel.org/stable/c/250f8796006c0f2bc638ce545f601d49ae8d528b"
        },
        {
          "url": "https://git.kernel.org/stable/c/09317dfb681ac5a96fc69bea0c54441cf91b8270"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec8e0e3d7adef940cdf9475e2352c0680189d14e"
        }
      ],
      "title": "net/sched: Restrict conditions for adding duplicating netems to qdisc tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38553",
    "datePublished": "2025-08-19T06:06:53.204Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-11-03T17:39:46.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38473 (GCVE-0-2025-38473)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/262cd18f5f7ede6a5…
	https://git.kernel.org/stable/c/2b27b389006623673…
	https://git.kernel.org/stable/c/3a4eca2a1859955c6…
	https://git.kernel.org/stable/c/ac3a8147bb24314fb…
	https://git.kernel.org/stable/c/c4f16f6b071a74ac7…
	https://git.kernel.org/stable/c/b97be7ee8a1cd96b8…
	https://git.kernel.org/stable/c/6d63901dcd592a1e3…
	https://git.kernel.org/stable/c/a0075accbf0d76c2d…

Impacted products

Vendor

Product

Version

Linux

Affected: d97c899bde330cd1c76c3a162558177563a74362 , < 262cd18f5f7ede6a586580cadc5d0799e52e2e7c (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < 2b27b389006623673e8cfff4ce1e119cce640b05 (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < 3a4eca2a1859955c65f07a570156bd2d9048ce33 (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < ac3a8147bb24314fb3e84986590148e79f9872ec (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < c4f16f6b071a74ac7eefe5c28985285cbbe2cd96 (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08 (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < 6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0 (git)
Affected: d97c899bde330cd1c76c3a162558177563a74362 , < a0075accbf0d76c2dad1ad3993d2e944505d99a0 (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:39.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "262cd18f5f7ede6a586580cadc5d0799e52e2e7c",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "2b27b389006623673e8cfff4ce1e119cce640b05",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "3a4eca2a1859955c65f07a570156bd2d9048ce33",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "ac3a8147bb24314fb3e84986590148e79f9872ec",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "c4f16f6b071a74ac7eefe5c28985285cbbe2cd96",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            },
            {
              "lessThan": "a0075accbf0d76c2dad1ad3993d2e944505d99a0",
              "status": "affected",
              "version": "d97c899bde330cd1c76c3a162558177563a74362",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan-\u003edata is NULL.\n\nLet\u0027s not access to the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:10.331Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96"
        },
        {
          "url": "https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0"
        }
      ],
      "title": "Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38473",
    "datePublished": "2025-07-28T11:21:34.880Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:39.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38586 (GCVE-0-2025-38586)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

bpf, arm64: Fix fp initialization for exception boundary

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix fp initialization for exception boundary In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF program, find_used_callee_regs() is not called because for a program acting as exception boundary, all callee saved registers are saved. find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP being used in any of the instructions. For programs acting as exception boundary, ctx->fp_used remains false even if frame pointer is used by the program and therefore, FP is not set-up for such programs in the prologue. This can cause the kernel to crash due to a pagefault. Fix it by setting ctx->fp_used = true for exception boundary programs as fp is always saved in such programs.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0dbef493cae7d451f…
	https://git.kernel.org/stable/c/e23184725dbb72d5d…
	https://git.kernel.org/stable/c/1ce30231e0a2c8c36…
	https://git.kernel.org/stable/c/b114fcee766d5101e…

Impacted products

Vendor

Product

Version

Linux

Affected: 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff , < 0dbef493cae7d451f740558665893c000adb2321 (git)
Affected: 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff , < e23184725dbb72d5d02940222eee36dbba2aa422 (git)
Affected: 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff , < 1ce30231e0a2c8c361ee5f8f7f265fc17130adce (git)
Affected: 5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff , < b114fcee766d5101eada1aca7bb5fd0a86c89b35 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0dbef493cae7d451f740558665893c000adb2321",
              "status": "affected",
              "version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff",
              "versionType": "git"
            },
            {
              "lessThan": "e23184725dbb72d5d02940222eee36dbba2aa422",
              "status": "affected",
              "version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff",
              "versionType": "git"
            },
            {
              "lessThan": "1ce30231e0a2c8c361ee5f8f7f265fc17130adce",
              "status": "affected",
              "version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff",
              "versionType": "git"
            },
            {
              "lessThan": "b114fcee766d5101eada1aca7bb5fd0a86c89b35",
              "status": "affected",
              "version": "5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix fp initialization for exception boundary\n\nIn the ARM64 BPF JIT when prog-\u003eaux-\u003eexception_boundary is set for a BPF\nprogram, find_used_callee_regs() is not called because for a program\nacting as exception boundary, all callee saved registers are saved.\nfind_used_callee_regs() sets `ctx-\u003efp_used = true;` when it sees FP\nbeing used in any of the instructions.\n\nFor programs acting as exception boundary, ctx-\u003efp_used remains false\neven if frame pointer is used by the program and therefore, FP is not\nset-up for such programs in the prologue. This can cause the kernel to\ncrash due to a pagefault.\n\nFix it by setting ctx-\u003efp_used = true for exception boundary programs as\nfp is always saved in such programs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:18.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0dbef493cae7d451f740558665893c000adb2321"
        },
        {
          "url": "https://git.kernel.org/stable/c/e23184725dbb72d5d02940222eee36dbba2aa422"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ce30231e0a2c8c361ee5f8f7f265fc17130adce"
        },
        {
          "url": "https://git.kernel.org/stable/c/b114fcee766d5101eada1aca7bb5fd0a86c89b35"
        }
      ],
      "title": "bpf, arm64: Fix fp initialization for exception boundary",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38586",
    "datePublished": "2025-08-19T17:03:08.012Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-09-29T05:54:18.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39724 (GCVE-0-2025-39724)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42

Title

serial: 8250: fix panic due to PSLVERR

Summary

In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0b882f00655afefbc…
	https://git.kernel.org/stable/c/b8ca8e3f75ede308b…
	https://git.kernel.org/stable/c/68c4613e89f000e81…
	https://git.kernel.org/stable/c/c826943abf473a3f7…
	https://git.kernel.org/stable/c/cb7b3633ed749db8e…
	https://git.kernel.org/stable/c/8e2739478c164147d…
	https://git.kernel.org/stable/c/38c0ea484dedb58cb…
	https://git.kernel.org/stable/c/7f8fdd4dbffc05982…

Impacted products

Vendor

Product

Version

Linux

Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < 0b882f00655afefbc7729c6b5aec86f7a5473a3d (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < b8ca8e3f75ede308b4d49a6ca5081460be01bdb5 (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < 68c4613e89f000e8198f9ace643082c697921c9f (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < c826943abf473a3f7260fbadfad65e44db475460 (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < cb7b3633ed749db8e56f475f43c960652cbd6882 (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < 8e2739478c164147d0774802008528d9e03fb802 (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < 38c0ea484dedb58cb3a4391229933e16be0d1031 (git)
Affected: c49436b657d0a56a6ad90d14a7c3041add7cf64d , < 7f8fdd4dbffc05982b96caf586f77a014b2a9353 (git)
Affected: 6d5e79331417886196cb3a733bdb6645ba85bc42 (git)
Affected: 2401577586898b3590db80f8b97a26f81f0f6d4e (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:46.902Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/8250/8250_port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b882f00655afefbc7729c6b5aec86f7a5473a3d",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "b8ca8e3f75ede308b4d49a6ca5081460be01bdb5",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "68c4613e89f000e8198f9ace643082c697921c9f",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "c826943abf473a3f7260fbadfad65e44db475460",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "cb7b3633ed749db8e56f475f43c960652cbd6882",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "8e2739478c164147d0774802008528d9e03fb802",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "38c0ea484dedb58cb3a4391229933e16be0d1031",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "lessThan": "7f8fdd4dbffc05982b96caf586f77a014b2a9353",
              "status": "affected",
              "version": "c49436b657d0a56a6ad90d14a7c3041add7cf64d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6d5e79331417886196cb3a733bdb6645ba85bc42",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2401577586898b3590db80f8b97a26f81f0f6d4e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/8250/8250_port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.48",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p-\u003efcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value \u0026 ~UART_LCR_SPAR) ==\n(lcr \u0026 ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port-\u003elock\nto fix this issue.\n\nPanic backtrace:\n[    0.442336] Oops - unknown exception [#1]\n[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e\n...\n[    0.442416] console_on_rootfs+0x26/0x70"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:11.937Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b882f00655afefbc7729c6b5aec86f7a5473a3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8ca8e3f75ede308b4d49a6ca5081460be01bdb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/68c4613e89f000e8198f9ace643082c697921c9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c826943abf473a3f7260fbadfad65e44db475460"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb7b3633ed749db8e56f475f43c960652cbd6882"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e2739478c164147d0774802008528d9e03fb802"
        },
        {
          "url": "https://git.kernel.org/stable/c/38c0ea484dedb58cb3a4391229933e16be0d1031"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f8fdd4dbffc05982b96caf586f77a014b2a9353"
        }
      ],
      "title": "serial: 8250: fix panic due to PSLVERR",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39724",
    "datePublished": "2025-09-05T17:21:32.005Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2025-11-03T17:42:46.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39714 (GCVE-0-2025-39714)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2025-11-03 17:42

Title

media: usbtv: Lock resolution while streaming

Summary

In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c35e7c7a004ef379a…
	https://git.kernel.org/stable/c/ee7bade8b92448342…
	https://git.kernel.org/stable/c/5427dda195d6baf23…
	https://git.kernel.org/stable/c/ef9b3c22405192afa…
	https://git.kernel.org/stable/c/3d83d0b5ae5045a7a…
	https://git.kernel.org/stable/c/c3d75524e10021aa5…
	https://git.kernel.org/stable/c/9f886d21e235c4bd0…
	https://git.kernel.org/stable/c/7e40e0bb778907b24…

Impacted products

Vendor

Product

Version

Linux

Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c35e7c7a004ef379a1ae7c7486d4829419acad1d (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ee7bade8b9244834229b12b6e1e724939bedd484 (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 5427dda195d6baf23028196fd55a0c90f66ffa61 (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ef9b3c22405192afaa279077ddd45a51db90b83d (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9 (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c3d75524e10021aa5c223d94da4996640aed46c0 (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 9f886d21e235c4bd038cb20f6696084304197ab3 (git)
Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 7e40e0bb778907b2441bff68d73c3eb6b6cd319f (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:41.101Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/usbtv/usbtv-video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c35e7c7a004ef379a1ae7c7486d4829419acad1d",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "ee7bade8b9244834229b12b6e1e724939bedd484",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "5427dda195d6baf23028196fd55a0c90f66ffa61",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "ef9b3c22405192afaa279077ddd45a51db90b83d",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "c3d75524e10021aa5c223d94da4996640aed46c0",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "9f886d21e235c4bd038cb20f6696084304197ab3",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "7e40e0bb778907b2441bff68d73c3eb6b6cd319f",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/usbtv/usbtv-video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn\u0027t adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:59.084Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c35e7c7a004ef379a1ae7c7486d4829419acad1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee7bade8b9244834229b12b6e1e724939bedd484"
        },
        {
          "url": "https://git.kernel.org/stable/c/5427dda195d6baf23028196fd55a0c90f66ffa61"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef9b3c22405192afaa279077ddd45a51db90b83d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3d75524e10021aa5c223d94da4996640aed46c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f886d21e235c4bd038cb20f6696084304197ab3"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e40e0bb778907b2441bff68d73c3eb6b6cd319f"
        }
      ],
      "title": "media: usbtv: Lock resolution while streaming",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39714",
    "datePublished": "2025-09-05T17:21:21.435Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2025-11-03T17:42:41.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39853 (GCVE-0-2025-39853)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44

Title

i40e: Fix potential invalid access when MAC list is empty

Summary

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead of list_first_entry.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/971feafe157afac44…
	https://git.kernel.org/stable/c/3c6fb929afa313d9d…
	https://git.kernel.org/stable/c/1eadabcf5623f1237…
	https://git.kernel.org/stable/c/e2a5e74879f9b494b…
	https://git.kernel.org/stable/c/fb216d980fae6561c…
	https://git.kernel.org/stable/c/66e7cdbda74ee823e…
	https://git.kernel.org/stable/c/9c21fc4cebd44dd21…
	https://git.kernel.org/stable/c/a556f06338e1d5a85…

Impacted products

Vendor

Product

Version

Linux

Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 971feafe157afac443027acdc235badc6838560b (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 3c6fb929afa313d9d11f780451d113f73922fe5d (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 1eadabcf5623f1237a539b16586b4ed8ac8dffcd (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < e2a5e74879f9b494bbd66fa93f355feacde450c7 (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < fb216d980fae6561c7c70af8ef826faf059c6515 (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < 9c21fc4cebd44dd21016c61261a683af390343f8 (git)
Affected: e3219ce6a775468368fb270fae3eb82a6787b436 , < a556f06338e1d5a85af0e32ecb46e365547f92b9 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:09.789Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "971feafe157afac443027acdc235badc6838560b",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "3c6fb929afa313d9d11f780451d113f73922fe5d",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "1eadabcf5623f1237a539b16586b4ed8ac8dffcd",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "e2a5e74879f9b494bbd66fa93f355feacde450c7",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "fb216d980fae6561c7c70af8ef826faf059c6515",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "9c21fc4cebd44dd21016c61261a683af390343f8",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            },
            {
              "lessThan": "a556f06338e1d5a85af0e32ecb46e365547f92b9",
              "status": "affected",
              "version": "e3219ce6a775468368fb270fae3eb82a6787b436",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:01:05.844Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/971feafe157afac443027acdc235badc6838560b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c6fb929afa313d9d11f780451d113f73922fe5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1eadabcf5623f1237a539b16586b4ed8ac8dffcd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2a5e74879f9b494bbd66fa93f355feacde450c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb216d980fae6561c7c70af8ef826faf059c6515"
        },
        {
          "url": "https://git.kernel.org/stable/c/66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c21fc4cebd44dd21016c61261a683af390343f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a556f06338e1d5a85af0e32ecb46e365547f92b9"
        }
      ],
      "title": "i40e: Fix potential invalid access when MAC list is empty",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39853",
    "datePublished": "2025-09-19T15:26:25.101Z",
    "dateReserved": "2025-04-16T07:20:57.142Z",
    "dateUpdated": "2025-11-03T17:44:09.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-50061 (GCVE-0-2024-50061)

Vulnerability from cvelistv5 – Published: 2024-10-21 19:39 – Updated: 2025-11-03 19:31

Title

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

Summary

In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2a21bad9964c91b34…
	https://git.kernel.org/stable/c/ea0256e393e0072e8…
	https://git.kernel.org/stable/c/687016d6a1efbfacd…
	https://git.kernel.org/stable/c/609366e7a06d03599…

Impacted products

Vendor

Product

Version

Linux

Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 2a21bad9964c91b34d65ba269914233720c0b1ce (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < ea0256e393e0072e8c80fd941547807f0c28108b (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 687016d6a1efbfacdd2af913e2108de6b75a28d5 (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 609366e7a06d035990df78f1562291c3bf0d4a12 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.57 , ≤ 6.6.* (semver)
Unaffected: 6.11.4 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50061",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:22:52.478098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:28:42.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:31:38.673Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master/i3c-master-cdns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a21bad9964c91b34d65ba269914233720c0b1ce",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "ea0256e393e0072e8c80fd941547807f0c28108b",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "687016d6a1efbfacdd2af913e2108de6b75a28d5",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "609366e7a06d035990df78f1562291c3bf0d4a12",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master/i3c-master-cdns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.57",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, \u0026master-\u003ehj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master-\u003ebase through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | cdns_i3c_master_hj\ncdns_i3c_master_remove               |\ni3c_master_unregister(\u0026master-\u003ebase) |\ndevice_unregister(\u0026master-\u003edev)      |\ndevice_release                       |\n//free master-\u003ebase                  |\n                                     | i3c_master_do_daa(\u0026master-\u003ebase)\n                                     | //use master-\u003ebase\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:45:00.112Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a21bad9964c91b34d65ba269914233720c0b1ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b"
        },
        {
          "url": "https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12"
        }
      ],
      "title": "i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50061",
    "datePublished": "2024-10-21T19:39:50.415Z",
    "dateReserved": "2024-10-21T19:36:19.939Z",
    "dateUpdated": "2025-11-03T19:31:38.673Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38532 (GCVE-0-2025-38532)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12

Title

net: libwx: properly reset Rx ring descriptor

Summary

In the Linux kernel, the following vulnerability has been resolved: net: libwx: properly reset Rx ring descriptor When device reset is triggered by feature changes such as toggling Rx VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The hardware descriptor ring may retain stale values from previous sessions. And only set the length to 0 in rx_desc[0] would result in building malformed SKBs. Fix it to ensure a clean slate after device reset. [ 549.186435] [ C16] ------------[ cut here ]------------ [ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814! [ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary) [ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510 [ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8 [ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282 [ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2 [ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40 [ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e [ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200 [ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2 [ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000 [ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0 [ 549.186505] [ C16] PKRU: 55555554 [ 549.186507] [ C16] Call Trace: [ 549.186510] [ C16] <IRQ> [ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186517] [ C16] __skb_pad+0xc7/0xf0 [ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx] [ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx] [ 549.186540] [ C16] __napi_poll+0x28/0x190 [ 549.186544] [ C16] net_rx_action+0x301/0x3f0 [ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50 [ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160 [ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0 [ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130 [ 549.186572] [ C16] common_interrupt+0xb8/0xd0 [ 549.186576] [ C16] </IRQ> [ 549.186577] [ C16] <TASK> [ 549.186579] [ C16] asm_common_interrupt+0x22/0x40 [ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246 [ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000 [ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3 [ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000 [ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40 [ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000 [ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420 [ 549.186605] [ C16] cpuidle_en ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d510116c80b37efb1…
	https://git.kernel.org/stable/c/10e27b2a6ebeda49e…
	https://git.kernel.org/stable/c/ee527d3fba4dae1d6…
	https://git.kernel.org/stable/c/d992ed7e1b687ad7d…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < d510116c80b37efb100ce8d5ee326214b0157293 (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < 10e27b2a6ebeda49e9c2897a699d3ce1ded565ee (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < ee527d3fba4dae1d619d2d0438624002c8e99e24 (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < d992ed7e1b687ad7df0763d3e015a5358646210b (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_hw.c",
            "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d510116c80b37efb100ce8d5ee326214b0157293",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "10e27b2a6ebeda49e9c2897a699d3ce1ded565ee",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "ee527d3fba4dae1d619d2d0438624002c8e99e24",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "d992ed7e1b687ad7df0763d3e015a5358646210b",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_hw.c",
            "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: properly reset Rx ring descriptor\n\nWhen device reset is triggered by feature changes such as toggling Rx\nVLAN offload, wx-\u003edo_reset() is called to reinitialize Rx rings. The\nhardware descriptor ring may retain stale values from previous sessions.\nAnd only set the length to 0 in rx_desc[0] would result in building\nmalformed SKBs. Fix it to ensure a clean slate after device reset.\n\n[  549.186435] [     C16] ------------[ cut here ]------------\n[  549.186457] [     C16] kernel BUG at net/core/skbuff.c:2814!\n[  549.186468] [     C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[  549.186472] [     C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary)\n[  549.186476] [     C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n[  549.186478] [     C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510\n[  549.186484] [     C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff \u003c0f\u003e 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8\n[  549.186487] [     C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282\n[  549.186490] [     C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2\n[  549.186492] [     C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40\n[  549.186494] [     C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e\n[  549.186496] [     C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200\n[  549.186497] [     C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2\n[  549.186499] [     C16] FS:  0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000\n[  549.186502] [     C16] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  549.186503] [     C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0\n[  549.186505] [     C16] PKRU: 55555554\n[  549.186507] [     C16] Call Trace:\n[  549.186510] [     C16]  \u003cIRQ\u003e\n[  549.186513] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186517] [     C16]  __skb_pad+0xc7/0xf0\n[  549.186523] [     C16]  wx_clean_rx_irq+0x355/0x3b0 [libwx]\n[  549.186533] [     C16]  wx_poll+0x92/0x120 [libwx]\n[  549.186540] [     C16]  __napi_poll+0x28/0x190\n[  549.186544] [     C16]  net_rx_action+0x301/0x3f0\n[  549.186548] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186551] [     C16]  ? __raw_spin_lock_irqsave+0x1e/0x50\n[  549.186554] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186557] [     C16]  ? wake_up_nohz_cpu+0x35/0x160\n[  549.186559] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186563] [     C16]  handle_softirqs+0xf9/0x2c0\n[  549.186568] [     C16]  __irq_exit_rcu+0xc7/0x130\n[  549.186572] [     C16]  common_interrupt+0xb8/0xd0\n[  549.186576] [     C16]  \u003c/IRQ\u003e\n[  549.186577] [     C16]  \u003cTASK\u003e\n[  549.186579] [     C16]  asm_common_interrupt+0x22/0x40\n[  549.186582] [     C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420\n[  549.186585] [     C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 \u003c45\u003e 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d\n[  549.186587] [     C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246\n[  549.186590] [     C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000\n[  549.186591] [     C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3\n[  549.186593] [     C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000\n[  549.186595] [     C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40\n[  549.186596] [     C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000\n[  549.186601] [     C16]  ? cpuidle_enter_state+0xb3/0x420\n[  549.186605] [     C16]  cpuidle_en\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:12:25.161Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d510116c80b37efb100ce8d5ee326214b0157293"
        },
        {
          "url": "https://git.kernel.org/stable/c/10e27b2a6ebeda49e9c2897a699d3ce1ded565ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee527d3fba4dae1d619d2d0438624002c8e99e24"
        },
        {
          "url": "https://git.kernel.org/stable/c/d992ed7e1b687ad7df0763d3e015a5358646210b"
        }
      ],
      "title": "net: libwx: properly reset Rx ring descriptor",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38532",
    "datePublished": "2025-08-16T11:12:25.161Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-08-16T11:12:25.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39845 (GCVE-0-2025-39845)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44

Title

x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/744ff519c72de3134…
	https://git.kernel.org/stable/c/5f761d40ee95d2624…
	https://git.kernel.org/stable/c/26ff568f390a531d1…
	https://git.kernel.org/stable/c/b7f4051dd3388edd3…
	https://git.kernel.org/stable/c/6bf9473727569e828…
	https://git.kernel.org/stable/c/6659d027998083fbb…

Impacted products

Vendor

Product

Version

Linux

Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 744ff519c72de31344a627eaf9b24e9595aae554 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 5f761d40ee95d2624f839c90ebeef2d5c55007f5 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 26ff568f390a531d1bd792e49f1a401849921960 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < b7f4051dd3388edd30e9a6077c05c486aa31e0d4 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6bf9473727569e8283c1e2445c7ac42cf4fc9fa9 (git)
Affected: 8d400913c231bd1da74067255816453f96cd35b0 , < 6659d027998083fbb6d42a165b0c90dc2e8ba989 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:00.910Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/pgtable_64_types.h",
            "arch/x86/mm/init_64.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "744ff519c72de31344a627eaf9b24e9595aae554",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "5f761d40ee95d2624f839c90ebeef2d5c55007f5",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "26ff568f390a531d1bd792e49f1a401849921960",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "b7f4051dd3388edd30e9a6077c05c486aa31e0d4",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "6bf9473727569e8283c1e2445c7ac42cf4fc9fa9",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            },
            {
              "lessThan": "6659d027998083fbb6d42a165b0c90dc2e8ba989",
              "status": "affected",
              "version": "8d400913c231bd1da74067255816453f96cd35b0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/pgtable_64_types.h",
            "arch/x86/mm/init_64.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is performed via\npgd_populate_kernel().  In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   \u003cTASK\u003e\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   \u003c/TASK\u003e\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n  BUG: unable to handle page fault for address: ffffeb3ff1200000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n  Tainted: [W]=WARN\n  RIP: 0010:vmemmap_set_pmd+0xff/0x230\n   \u003cTASK\u003e\n   vmemmap_populate_hugepages+0x176/0x180\n   vmemmap_populate+0x34/0x80\n   __populate_section_memmap+0x41/0x90\n   sparse_add_section+0x121/0x3e0\n   __add_pages+0xba/0x150\n   add_pages+0x1d/0x70\n   memremap_pages+0x3dc/0x810\n   devm_memremap_pages+0x1c/0x60\n   xe_devm_add+0x8b/0x100 [xe]\n   xe_tile_init_noalloc+0x6a/0x70 [xe]\n   xe_device_probe+0x48c/0x740 [xe]\n   [... snip ...]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:54.904Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/744ff519c72de31344a627eaf9b24e9595aae554"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f761d40ee95d2624f839c90ebeef2d5c55007f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/26ff568f390a531d1bd792e49f1a401849921960"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7f4051dd3388edd30e9a6077c05c486aa31e0d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bf9473727569e8283c1e2445c7ac42cf4fc9fa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6659d027998083fbb6d42a165b0c90dc2e8ba989"
        }
      ],
      "title": "x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39845",
    "datePublished": "2025-09-19T15:26:19.225Z",
    "dateReserved": "2025-04-16T07:20:57.141Z",
    "dateUpdated": "2025-11-03T17:44:00.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38614 (GCVE-0-2025-38614)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

eventpoll: Fix semi-unbounded recursion

Summary

In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/71379495ab70eaba1…
	https://git.kernel.org/stable/c/1b13b033062824495…
	https://git.kernel.org/stable/c/2a0c0c974bea9619c…
	https://git.kernel.org/stable/c/7a2125962c42d5336…
	https://git.kernel.org/stable/c/ea5f97dbdcb165158…
	https://git.kernel.org/stable/c/3542c90797bc3ab83…
	https://git.kernel.org/stable/c/f2e467a48287c8688…

Impacted products

Vendor

Product

Version

Linux

Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 71379495ab70eaba19224bd71b5b9b399eb85e04 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 1b13b033062824495554e836a1ff5f85ccf6b039 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 2a0c0c974bea9619c6f41794775ae4b97530e0e6 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 7a2125962c42d5336ca0495a9ce4cb38a63e9161 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 3542c90797bc3ab83ebab54b737d751cf3682036 (git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < f2e467a48287c868818085aa35389a224d226732 (git)
Affected: 8216e1a0d47cae06a75c42346f19dffe14e42d57 (git)
Affected: 28a92748aa4bc57d35e7b079498b0ac2e7610a37 (git)
Affected: 7eebcd4792c5a341559aed327b6afecbb1c46402 (git)
Affected: 0eccd188cfeaf857a26f2d72941d27d298cf6a54 (git)
Affected: a72affdbb09f3f24f64ffcbbdf62c2e57c58f379 (git)

Linux

Affected: 2.6.38
Unaffected: 0 , < 2.6.38 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:26.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/eventpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71379495ab70eaba19224bd71b5b9b399eb85e04",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "1b13b033062824495554e836a1ff5f85ccf6b039",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "2a0c0c974bea9619c6f41794775ae4b97530e0e6",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "7a2125962c42d5336ca0495a9ce4cb38a63e9161",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "3542c90797bc3ab83ebab54b737d751cf3682036",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "lessThan": "f2e467a48287c868818085aa35389a224d226732",
              "status": "affected",
              "version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8216e1a0d47cae06a75c42346f19dffe14e42d57",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "28a92748aa4bc57d35e7b079498b0ac2e7610a37",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7eebcd4792c5a341559aed327b6afecbb1c46402",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0eccd188cfeaf857a26f2d72941d27d298cf6a54",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a72affdbb09f3f24f64ffcbbdf62c2e57c58f379",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/eventpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.33.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.34.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.35.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.37.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don\u0027t\nlimit the depth of the resulting tree for two reasons:\n\n - They don\u0027t look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:48.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732"
        }
      ],
      "title": "eventpoll: Fix semi-unbounded recursion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38614",
    "datePublished": "2025-08-19T17:03:56.348Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:26.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39846 (GCVE-0-2025-39846)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44

Title

pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()

Summary

In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b990c8c6ff50649ad…
	https://git.kernel.org/stable/c/5ff2826c998370bf7…
	https://git.kernel.org/stable/c/4bd570f494124608a…
	https://git.kernel.org/stable/c/ce3b7766276894d2f…
	https://git.kernel.org/stable/c/2ee32c4c4f636e474…
	https://git.kernel.org/stable/c/fafa7450075f41d23…
	https://git.kernel.org/stable/c/d7286005e8fde0a43…
	https://git.kernel.org/stable/c/44822df89e8f33868…

Impacted products

Vendor

Product

Version

Linux

Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < b990c8c6ff50649ad3352507398e443b1e3527b2 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 5ff2826c998370bf7f9ae26fe802140d220e3510 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 4bd570f494124608a0696da070f00236a96fb610 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < ce3b7766276894d2fbb07e2047a171f9deb965de (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 2ee32c4c4f636e474cd8ab7c19a68cf36072ea93 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < fafa7450075f41d232bc785a4ebcbf16374f2076 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < d7286005e8fde0a430dc180a9f46c088c7d74483 (git)
Affected: 49b1153adfe18a3cce7e70aa26c690f275917cd0 , < 44822df89e8f3386871d9cad563ece8e2fd8f0e7 (git)

Linux

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:02.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pcmcia/rsrc_iodyn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b990c8c6ff50649ad3352507398e443b1e3527b2",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "5ff2826c998370bf7f9ae26fe802140d220e3510",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "4bd570f494124608a0696da070f00236a96fb610",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "ce3b7766276894d2fbb07e2047a171f9deb965de",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "2ee32c4c4f636e474cd8ab7c19a68cf36072ea93",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "fafa7450075f41d232bc785a4ebcbf16374f2076",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "d7286005e8fde0a430dc180a9f46c088c7d74483",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            },
            {
              "lessThan": "44822df89e8f3386871d9cad563ece8e2fd8f0e7",
              "status": "affected",
              "version": "49b1153adfe18a3cce7e70aa26c690f275917cd0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pcmcia/rsrc_iodyn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:56.145Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b990c8c6ff50649ad3352507398e443b1e3527b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ff2826c998370bf7f9ae26fe802140d220e3510"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bd570f494124608a0696da070f00236a96fb610"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce3b7766276894d2fbb07e2047a171f9deb965de"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ee32c4c4f636e474cd8ab7c19a68cf36072ea93"
        },
        {
          "url": "https://git.kernel.org/stable/c/fafa7450075f41d232bc785a4ebcbf16374f2076"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7286005e8fde0a430dc180a9f46c088c7d74483"
        },
        {
          "url": "https://git.kernel.org/stable/c/44822df89e8f3386871d9cad563ece8e2fd8f0e7"
        }
      ],
      "title": "pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39846",
    "datePublished": "2025-09-19T15:26:19.932Z",
    "dateReserved": "2025-04-16T07:20:57.141Z",
    "dateUpdated": "2025-11-03T17:44:02.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38537 (GCVE-0-2025-38537)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12

Title

net: phy: Don't register LEDs for genphy

Summary

In the Linux kernel, the following vulnerability has been resolved: net: phy: Don't register LEDs for genphy If a PHY has no driver, the genphy driver is probed/removed directly in phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the LEDs will be (un)registered when probing/removing the genphy driver. This could occur if the leds are for a non-generic driver that isn't loaded for whatever reason. Synchronously removing the PHY device in phy_detach leads to the following deadlock: rtnl_lock() ndo_close() ... phy_detach() phy_remove() phy_leds_unregister() led_classdev_unregister() led_trigger_set() netdev_trigger_deactivate() unregister_netdevice_notifier() rtnl_lock() There is a corresponding deadlock on the open/register side of things (and that one is reported by lockdep), but it requires a race while this one is deterministic. Generic PHYs do not support LEDs anyway, so don't bother registering them.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ec158d05eaa91b280…
	https://git.kernel.org/stable/c/fd6493533af9e5d73…
	https://git.kernel.org/stable/c/75e1b2079ef0653a2…
	https://git.kernel.org/stable/c/f0f2b992d8185a036…

Impacted products

Vendor

Product

Version

Linux

Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < ec158d05eaa91b2809cab65f8068290e3c05ebdd (git)
Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < fd6493533af9e5d73d0d42ff2a8ded978a701dc6 (git)
Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < 75e1b2079ef0653a2f7aa69be515d86b7faf1908 (git)
Affected: 01e5b728e9e43ae444e0369695a5f72209906464 , < f0f2b992d8185a0366be951685e08643aae17d6d (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec158d05eaa91b2809cab65f8068290e3c05ebdd",
              "status": "affected",
              "version": "01e5b728e9e43ae444e0369695a5f72209906464",
              "versionType": "git"
            },
            {
              "lessThan": "fd6493533af9e5d73d0d42ff2a8ded978a701dc6",
              "status": "affected",
              "version": "01e5b728e9e43ae444e0369695a5f72209906464",
              "versionType": "git"
            },
            {
              "lessThan": "75e1b2079ef0653a2f7aa69be515d86b7faf1908",
              "status": "affected",
              "version": "01e5b728e9e43ae444e0369695a5f72209906464",
              "versionType": "git"
            },
            {
              "lessThan": "f0f2b992d8185a0366be951685e08643aae17d6d",
              "status": "affected",
              "version": "01e5b728e9e43ae444e0369695a5f72209906464",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Don\u0027t register LEDs for genphy\n\nIf a PHY has no driver, the genphy driver is probed/removed directly in\nphy_attach/detach. If the PHY\u0027s ofnode has an \"leds\" subnode, then the\nLEDs will be (un)registered when probing/removing the genphy driver.\nThis could occur if the leds are for a non-generic driver that isn\u0027t\nloaded for whatever reason. Synchronously removing the PHY device in\nphy_detach leads to the following deadlock:\n\nrtnl_lock()\nndo_close()\n    ...\n    phy_detach()\n        phy_remove()\n            phy_leds_unregister()\n                led_classdev_unregister()\n                    led_trigger_set()\n                        netdev_trigger_deactivate()\n                            unregister_netdevice_notifier()\n                                rtnl_lock()\n\nThere is a corresponding deadlock on the open/register side of things\n(and that one is reported by lockdep), but it requires a race while this\none is deterministic.\n\nGeneric PHYs do not support LEDs anyway, so don\u0027t bother registering\nthem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:12:29.432Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec158d05eaa91b2809cab65f8068290e3c05ebdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd6493533af9e5d73d0d42ff2a8ded978a701dc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/75e1b2079ef0653a2f7aa69be515d86b7faf1908"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0f2b992d8185a0366be951685e08643aae17d6d"
        }
      ],
      "title": "net: phy: Don\u0027t register LEDs for genphy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38537",
    "datePublished": "2025-08-16T11:12:29.432Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-08-16T11:12:29.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40028 (GCVE-0-2025-40028)

Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16

Title

binder: fix double-free in dbitmap

Summary

In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error: ================================================================== BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c Free of addr ffff00000b7c1420 by task kworker/9:1/209 CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: kfree+0x164/0x31c binder_proc_dec_tmpref+0x2e0/0x55c binder_deferred_func+0xc24/0x1120 process_one_work+0x520/0xba4 [...] Allocated by task 448: __kmalloc_noprof+0x178/0x3c0 bitmap_zalloc+0x24/0x30 binder_open+0x14c/0xc10 [...] Freed by task 449: kfree+0x184/0x31c binder_inc_ref_for_node+0xb44/0xe44 binder_transaction+0x29b4/0x7fbc binder_thread_write+0x1708/0x442c binder_ioctl+0x1b50/0x2900 [...] ================================================================== Fix this issue by marking proc->map NULL in dbitmap_free().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c301ec61ce6f16e21…
	https://git.kernel.org/stable/c/0390633979969c54c…
	https://git.kernel.org/stable/c/b781e5635a3398e2b…
	https://git.kernel.org/stable/c/3ebcd3460cad351f1…

Impacted products

Vendor

Product

Version

Linux

Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < c301ec61ce6f16e21a36b99225ca8a20c1591e10 (git)
Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < 0390633979969c54c0ce6a198d6f45cdbe2c84b1 (git)
Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < b781e5635a3398e2b64440371233c2c5102cd6cb (git)
Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < 3ebcd3460cad351f198c39c6edb4af519a0ed934 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.52 , ≤ 6.12.* (semver)
Unaffected: 6.16.12 , ≤ 6.16.* (semver)
Unaffected: 6.17.2 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/dbitmap.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c301ec61ce6f16e21a36b99225ca8a20c1591e10",
              "status": "affected",
              "version": "15d9da3f818cae676f822a04407d3c17b53357d2",
              "versionType": "git"
            },
            {
              "lessThan": "0390633979969c54c0ce6a198d6f45cdbe2c84b1",
              "status": "affected",
              "version": "15d9da3f818cae676f822a04407d3c17b53357d2",
              "versionType": "git"
            },
            {
              "lessThan": "b781e5635a3398e2b64440371233c2c5102cd6cb",
              "status": "affected",
              "version": "15d9da3f818cae676f822a04407d3c17b53357d2",
              "versionType": "git"
            },
            {
              "lessThan": "3ebcd3460cad351f198c39c6edb4af519a0ed934",
              "status": "affected",
              "version": "15d9da3f818cae676f822a04407d3c17b53357d2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/dbitmap.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.52",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.12",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix double-free in dbitmap\n\nA process might fail to allocate a new bitmap when trying to expand its\nproc-\u003edmap. In that case, dbitmap_grow() fails and frees the old bitmap\nvia dbitmap_free(). However, the driver calls dbitmap_free() again when\nthe same process terminates, leading to a double-free error:\n\n  ==================================================================\n  BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c\n  Free of addr ffff00000b7c1420 by task kworker/9:1/209\n\n  CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   kfree+0x164/0x31c\n   binder_proc_dec_tmpref+0x2e0/0x55c\n   binder_deferred_func+0xc24/0x1120\n   process_one_work+0x520/0xba4\n  [...]\n\n  Allocated by task 448:\n   __kmalloc_noprof+0x178/0x3c0\n   bitmap_zalloc+0x24/0x30\n   binder_open+0x14c/0xc10\n  [...]\n\n  Freed by task 449:\n   kfree+0x184/0x31c\n   binder_inc_ref_for_node+0xb44/0xe44\n   binder_transaction+0x29b4/0x7fbc\n   binder_thread_write+0x1708/0x442c\n   binder_ioctl+0x1b50/0x2900\n  [...]\n  ==================================================================\n\nFix this issue by marking proc-\u003emap NULL in dbitmap_free()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:30.652Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c301ec61ce6f16e21a36b99225ca8a20c1591e10"
        },
        {
          "url": "https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934"
        }
      ],
      "title": "binder: fix double-free in dbitmap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40028",
    "datePublished": "2025-10-28T09:32:35.681Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2025-12-01T06:16:30.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39894 (GCVE-0-2025-39894)

Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44

Title

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) RIP: 0010:br_nf_local_in+0x168/0x200 Call Trace: <TASK> nf_hook_slow+0x3e/0xf0 br_pass_frame_up+0x103/0x180 br_handle_frame_finish+0x2de/0x5b0 br_nf_hook_thresh+0xc0/0x120 br_nf_pre_routing_finish+0x168/0x3a0 br_nf_pre_routing+0x237/0x5e0 br_handle_frame+0x1ec/0x3c0 __netif_receive_skb_core+0x225/0x1210 __netif_receive_skb_one_core+0x37/0xa0 netif_receive_skb+0x36/0x160 tun_get_user+0xa54/0x10c0 tun_chr_write_iter+0x65/0xb0 vfs_write+0x305/0x410 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> ---[ end trace 0000000000000000 ]--- To solve the hash conflict, nf_ct_resolve_clash() try to merge the conntracks, and update skb->_nfct. However, br_nf_local_in() still use the old ct from local variable 'nfct' after confirm(), which leads to this warning. If confirm() does not insert the conntrack entry and return NF_DROP, the warning may also occur. There is no need to reserve the WARN_ON_ONCE, just remove it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d00c8b0daf56012f6…
	https://git.kernel.org/stable/c/ccbad4803225eafe0…
	https://git.kernel.org/stable/c/50db11e2bbb635e38…
	https://git.kernel.org/stable/c/c47ca77fee9071aa5…
	https://git.kernel.org/stable/c/a74abcf0f09f59dae…
	https://git.kernel.org/stable/c/479a54ab920873185…

Impacted products

Vendor

Product

Version

Linux

Affected: 7c3f28599652acf431a2211168de4a583f30b6d5 , < d00c8b0daf56012f69075e3377da67878c775e4c (git)
Affected: 2b1414d5e94e477edff1d2c79030f1d742625ea0 , < ccbad4803225eafe0175d3cb19f0d8d73b504a94 (git)
Affected: 80cd0487f630b5382734997c3e5e3003a77db315 , < 50db11e2bbb635e38e3dd096215580d6adb41fb0 (git)
Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < c47ca77fee9071aa543bae592dd2a384f895c8b6 (git)
Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < a74abcf0f09f59daeecf7a3ba9c1d690808b0afe (git)
Affected: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 , < 479a54ab92087318514c82428a87af2d7af1a576 (git)
Affected: cb734975b0ffa688ff6cc0eed463865bf07b6c01 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:28.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_netfilter_hooks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d00c8b0daf56012f69075e3377da67878c775e4c",
              "status": "affected",
              "version": "7c3f28599652acf431a2211168de4a583f30b6d5",
              "versionType": "git"
            },
            {
              "lessThan": "ccbad4803225eafe0175d3cb19f0d8d73b504a94",
              "status": "affected",
              "version": "2b1414d5e94e477edff1d2c79030f1d742625ea0",
              "versionType": "git"
            },
            {
              "lessThan": "50db11e2bbb635e38e3dd096215580d6adb41fb0",
              "status": "affected",
              "version": "80cd0487f630b5382734997c3e5e3003a77db315",
              "versionType": "git"
            },
            {
              "lessThan": "c47ca77fee9071aa543bae592dd2a384f895c8b6",
              "status": "affected",
              "version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
              "versionType": "git"
            },
            {
              "lessThan": "a74abcf0f09f59daeecf7a3ba9c1d690808b0afe",
              "status": "affected",
              "version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
              "versionType": "git"
            },
            {
              "lessThan": "479a54ab92087318514c82428a87af2d7af1a576",
              "status": "affected",
              "version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cb734975b0ffa688ff6cc0eed463865bf07b6c01",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_netfilter_hooks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.15.151",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "6.1.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "6.6.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm\n\nWhen send a broadcast packet to a tap device, which was added to a bridge,\nbr_nf_local_in() is called to confirm the conntrack. If another conntrack\nwith the same hash value is added to the hash table, which can be\ntriggered by a normal packet to a non-bridge device, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200\n  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)\n  RIP: 0010:br_nf_local_in+0x168/0x200\n  Call Trace:\n   \u003cTASK\u003e\n   nf_hook_slow+0x3e/0xf0\n   br_pass_frame_up+0x103/0x180\n   br_handle_frame_finish+0x2de/0x5b0\n   br_nf_hook_thresh+0xc0/0x120\n   br_nf_pre_routing_finish+0x168/0x3a0\n   br_nf_pre_routing+0x237/0x5e0\n   br_handle_frame+0x1ec/0x3c0\n   __netif_receive_skb_core+0x225/0x1210\n   __netif_receive_skb_one_core+0x37/0xa0\n   netif_receive_skb+0x36/0x160\n   tun_get_user+0xa54/0x10c0\n   tun_chr_write_iter+0x65/0xb0\n   vfs_write+0x305/0x410\n   ksys_write+0x60/0xd0\n   do_syscall_64+0xa4/0x260\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---\n\nTo solve the hash conflict, nf_ct_resolve_clash() try to merge the\nconntracks, and update skb-\u003e_nfct. However, br_nf_local_in() still use the\nold ct from local variable \u0027nfct\u0027 after confirm(), which leads to this\nwarning.\n\nIf confirm() does not insert the conntrack entry and return NF_DROP, the\nwarning may also occur. There is no need to reserve the WARN_ON_ONCE, just\nremove it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:42:43.126Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94"
        },
        {
          "url": "https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe"
        },
        {
          "url": "https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576"
        }
      ],
      "title": "netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39894",
    "datePublished": "2025-10-01T07:42:43.126Z",
    "dateReserved": "2025-04-16T07:20:57.145Z",
    "dateUpdated": "2025-11-03T17:44:28.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37968 (GCVE-0-2025-37968)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:47 – Updated: 2025-11-03 17:32

Title

iio: light: opt3001: fix deadlock due to concurrent flag access

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a9c56ccb7cddfca75…
	https://git.kernel.org/stable/c/957e8be112636d9bc…
	https://git.kernel.org/stable/c/1d7def97e7eb65865…
	https://git.kernel.org/stable/c/748ebd8e61d0bc182…
	https://git.kernel.org/stable/c/e791bf216c9e236b3…
	https://git.kernel.org/stable/c/7ca84f6a22d50bf8b…
	https://git.kernel.org/stable/c/2c95c8f0959d0a725…
	https://git.kernel.org/stable/c/f063a28002e335008…

Impacted products

Vendor

Product

Version

Linux

Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < a9c56ccb7cddfca754291fb24b108a5350a5fbe9 (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < 957e8be112636d9bc692917286e81e54bd87decc (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < 1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5 (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < 748ebd8e61d0bc182c331b8df3887af7285c8a8f (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < e791bf216c9e236b34dabf514ec0ede140cca719 (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < 7ca84f6a22d50bf8b31efe9eb05f9859947266d7 (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < 2c95c8f0959d0a72575eabf2ff888f47ed6d8b77 (git)
Affected: 94a9b7b1809f56cfaa080e70ec49b6979563a237 , < f063a28002e3350088b4577c5640882bf4ea17ea (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.30 , ≤ 6.12.* (semver)
Unaffected: 6.14.7 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:49.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/opt3001.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9c56ccb7cddfca754291fb24b108a5350a5fbe9",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "957e8be112636d9bc692917286e81e54bd87decc",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "748ebd8e61d0bc182c331b8df3887af7285c8a8f",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "e791bf216c9e236b34dabf514ec0ede140cca719",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "7ca84f6a22d50bf8b31efe9eb05f9859947266d7",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "2c95c8f0959d0a72575eabf2ff888f47ed6d8b77",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            },
            {
              "lessThan": "f063a28002e3350088b4577c5640882bf4ea17ea",
              "status": "affected",
              "version": "94a9b7b1809f56cfaa080e70ec49b6979563a237",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/opt3001.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: opt3001: fix deadlock due to concurrent flag access\n\nThe threaded IRQ function in this driver is reading the flag twice: once to\nlock a mutex and once to unlock it. Even though the code setting the flag\nis designed to prevent it, there are subtle cases where the flag could be\ntrue at the mutex_lock stage and false at the mutex_unlock stage. This\nresults in the mutex not being unlocked, resulting in a deadlock.\n\nFix it by making the opt3001_irq() code generally more robust, reading the\nflag into a variable and using the variable value at both stages."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:05.365Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9c56ccb7cddfca754291fb24b108a5350a5fbe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/957e8be112636d9bc692917286e81e54bd87decc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/748ebd8e61d0bc182c331b8df3887af7285c8a8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e791bf216c9e236b34dabf514ec0ede140cca719"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ca84f6a22d50bf8b31efe9eb05f9859947266d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c95c8f0959d0a72575eabf2ff888f47ed6d8b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/f063a28002e3350088b4577c5640882bf4ea17ea"
        }
      ],
      "title": "iio: light: opt3001: fix deadlock due to concurrent flag access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37968",
    "datePublished": "2025-05-20T16:47:16.051Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-11-03T17:32:49.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38528 (GCVE-0-2025-38528)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-11-03 17:39

Title

bpf: Reject %p% format string in bprintf-like helpers

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 This happens because bpf_bprintf_prepare skips over the second %, detected as punctuation, while processing %p. This patch fixes it by not skipping over punctuation. %\x00 is then processed in the next iteration and rejected.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/97303e541e12f1fea…
	https://git.kernel.org/stable/c/61d5fa45ed13e42af…
	https://git.kernel.org/stable/c/e7be679124bae8cf4…
	https://git.kernel.org/stable/c/6952aeace93f8c9ea…
	https://git.kernel.org/stable/c/1c5f5fd47bbda17cb…
	https://git.kernel.org/stable/c/f8242745871f81a3a…

Impacted products

Vendor

Product

Version

Linux

Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < 97303e541e12f1fea97834ec64b98991e8775f39 (git)
Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < 61d5fa45ed13e42af14c7e959baba9908b8ee6d4 (git)
Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < e7be679124bae8cf4fa6e40d7e1661baddfb3289 (git)
Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < 6952aeace93f8c9ea01849efecac24dd3152c9c9 (git)
Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < 1c5f5fd47bbda17cb885fe6f03730702cd53d3f8 (git)
Affected: 48cac3f4a96ddf08df8e53809ed066de0dc93915 , < f8242745871f81a3ac37f9f51853d12854fd0b58 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:24.864Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97303e541e12f1fea97834ec64b98991e8775f39",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            },
            {
              "lessThan": "61d5fa45ed13e42af14c7e959baba9908b8ee6d4",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            },
            {
              "lessThan": "e7be679124bae8cf4fa6e40d7e1661baddfb3289",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            },
            {
              "lessThan": "6952aeace93f8c9ea01849efecac24dd3152c9c9",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            },
            {
              "lessThan": "1c5f5fd47bbda17cb885fe6f03730702cd53d3f8",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            },
            {
              "lessThan": "f8242745871f81a3ac37f9f51853d12854fd0b58",
              "status": "affected",
              "version": "48cac3f4a96ddf08df8e53809ed066de0dc93915",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject %p% format string in bprintf-like helpers\n\nstatic const char fmt[] = \"%p%\";\n    bpf_trace_printk(fmt, sizeof(fmt));\n\nThe above BPF program isn\u0027t rejected and causes a kernel warning at\nruntime:\n\n    Please remove unsupported %\\x00 in format string\n    WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0\n\nThis happens because bpf_bprintf_prepare skips over the second %,\ndetected as punctuation, while processing %p. This patch fixes it by\nnot skipping over punctuation. %\\x00 is then processed in the next\niteration and rejected."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:34.943Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97303e541e12f1fea97834ec64b98991e8775f39"
        },
        {
          "url": "https://git.kernel.org/stable/c/61d5fa45ed13e42af14c7e959baba9908b8ee6d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7be679124bae8cf4fa6e40d7e1661baddfb3289"
        },
        {
          "url": "https://git.kernel.org/stable/c/6952aeace93f8c9ea01849efecac24dd3152c9c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c5f5fd47bbda17cb885fe6f03730702cd53d3f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8242745871f81a3ac37f9f51853d12854fd0b58"
        }
      ],
      "title": "bpf: Reject %p% format string in bprintf-like helpers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38528",
    "datePublished": "2025-08-16T11:12:21.667Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-11-03T17:39:24.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39681 (GCVE-0-2025-39681)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42

Title

x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale. Add the missing resctrl_cpu_detect() in the Hygon BSP init helper. [ bp: Massage commit message. ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/62f12cde101182533…
	https://git.kernel.org/stable/c/873f32201df8876bd…
	https://git.kernel.org/stable/c/fb81222c1559f89bf…
	https://git.kernel.org/stable/c/7207923d8453ebfb3…
	https://git.kernel.org/stable/c/a9e5924daa954c9f5…
	https://git.kernel.org/stable/c/d23264c257a70dbe0…
	https://git.kernel.org/stable/c/d8df126349dad855c…

Impacted products

Vendor

Product

Version

Linux

Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 62f12cde10118253348a7540e85606869bd69432 (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 873f32201df8876bdb2563e3187e79149427cab4 (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < fb81222c1559f89bfe3aa1010f6d112531d55353 (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 7207923d8453ebfb35667c1736169f2dd796772e (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < a9e5924daa954c9f585c1ca00358afe71d6781c4 (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d23264c257a70dbe021b43b3bc2ee16134cd2c69 (git)
Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d8df126349dad855cdfedd6bbf315bad2e901c2f (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:12.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/hygon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "62f12cde10118253348a7540e85606869bd69432",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "873f32201df8876bdb2563e3187e79149427cab4",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "fb81222c1559f89bfe3aa1010f6d112531d55353",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "7207923d8453ebfb35667c1736169f2dd796772e",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "a9e5924daa954c9f585c1ca00358afe71d6781c4",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "d23264c257a70dbe021b43b3bc2ee16134cd2c69",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "d8df126349dad855cdfedd6bbf315bad2e901c2f",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/hygon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n  923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn\u0027t put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n  [ bp: Massage commit message. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:18.226Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/62f12cde10118253348a7540e85606869bd69432"
        },
        {
          "url": "https://git.kernel.org/stable/c/873f32201df8876bdb2563e3187e79149427cab4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb81222c1559f89bfe3aa1010f6d112531d55353"
        },
        {
          "url": "https://git.kernel.org/stable/c/7207923d8453ebfb35667c1736169f2dd796772e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9e5924daa954c9f585c1ca00358afe71d6781c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d23264c257a70dbe021b43b3bc2ee16134cd2c69"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8df126349dad855cdfedd6bbf315bad2e901c2f"
        }
      ],
      "title": "x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39681",
    "datePublished": "2025-09-05T17:20:47.564Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2025-11-03T17:42:12.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37958 (GCVE-0-2025-37958)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2025-11-03 17:32

Title

mm/huge_memory: fix dereferencing invalid pmd migration entry

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/753f142f7ff7d2223…
	https://git.kernel.org/stable/c/9468afbda3fbfcec2…
	https://git.kernel.org/stable/c/ef5706bed97e240b4…
	https://git.kernel.org/stable/c/22f6368768340260e…
	https://git.kernel.org/stable/c/3977946f61cdba87b…
	https://git.kernel.org/stable/c/6166c3cf405441f71…
	https://git.kernel.org/stable/c/fbab262b0c8226c69…
	https://git.kernel.org/stable/c/be6e843fc51a58467…

Impacted products

Vendor

Product

Version

Linux

Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 753f142f7ff7d2223a47105b61e1efd91587d711 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 9468afbda3fbfcec21ac8132364dff3dab945faf (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < ef5706bed97e240b4abf4233ceb03da7336bc775 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 22f6368768340260e862f35151d2e1c55cb1dc75 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 3977946f61cdba87b6b5aaf7d7094e96089583a5 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 6166c3cf405441f7147b322980144feb3cefc617 (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < fbab262b0c8226c697af1851a424896ed47dedcc (git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.29 , ≤ 6.12.* (semver)
Unaffected: 6.14.7 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:46.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "6166c3cf405441f7147b322980144feb3cefc617",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:21.641Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
        },
        {
          "url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
        },
        {
          "url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
        }
      ],
      "title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37958",
    "datePublished": "2025-05-20T16:01:51.740Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2025-11-03T17:32:46.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39683 (GCVE-0-2025-39683)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42

Title

tracing: Limit access to parser->buffer when trace_get_user failed

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0 The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b842ef39c2ad6156c…
	https://git.kernel.org/stable/c/41b838420457802f2…
	https://git.kernel.org/stable/c/418b448e1d7470da9…
	https://git.kernel.org/stable/c/58ff8064cb4c7edda…
	https://git.kernel.org/stable/c/d0c68045b8b0f3737…
	https://git.kernel.org/stable/c/3079517a5ba80901f…
	https://git.kernel.org/stable/c/6a909ea83f226803e…

Impacted products

Vendor

Product

Version

Linux

Affected: 634684d79733124f7470b226b0f42aada4426b07 , < b842ef39c2ad6156c13afdec25ecc6792a9b67b9 (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 41b838420457802f21918df66764b6fbf829d330 (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 418b448e1d7470da9d4d4797f71782595ee69c49 (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 58ff8064cb4c7eddac4da1a59da039ead586950a (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < d0c68045b8b0f3737ed7bd6b8c83b7887014adee (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 3079517a5ba80901fe828a06998da64b9b8749be (git)
Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 6a909ea83f226803ea0e718f6e88613df9234d58 (git)
Affected: 24cd31752f47699b89b4b3471155c8e599a1a23a (git)
Affected: e9cb474de7ff7a970c2a3951c12ec7e3113c0c35 (git)
Affected: 6ab671191f64b0da7d547e2ad4dc199ca7e5b558 (git)
Affected: 3d9281a4ac7171c808f9507f0937eb236b353905 (git)
Affected: 0b641b25870f02e2423e494365fc5243cc1e2759 (git)
Affected: ffd51dbfd2900e50c71b5c069fe407957e52d61f (git)
Affected: cdd107d7f18158d966c2bc136204fe826dac445c (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:15.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c",
            "kernel/trace/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b842ef39c2ad6156c13afdec25ecc6792a9b67b9",
              "status": "affected",
              "version": "634684d79733124f7470b226b0f42aada4426b07",
              "versionType": "git"
            },
            {
              "lessThan": "41b838420457802f21918df66764b6fbf829d330",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "418b448e1d7470da9d4d4797f71782595ee69c49",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "58ff8064cb4c7eddac4da1a59da039ead586950a",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "d0c68045b8b0f3737ed7bd6b8c83b7887014adee",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "3079517a5ba80901fe828a06998da64b9b8749be",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "6a909ea83f226803ea0e718f6e88613df9234d58",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "24cd31752f47699b89b4b3471155c8e599a1a23a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e9cb474de7ff7a970c2a3951c12ec7e3113c0c35",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6ab671191f64b0da7d547e2ad4dc199ca7e5b558",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3d9281a4ac7171c808f9507f0937eb236b353905",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0b641b25870f02e2423e494365fc5243cc1e2759",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ffd51dbfd2900e50c71b5c069fe407957e52d61f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cdd107d7f18158d966c2bc136204fe826dac445c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c",
            "kernel/trace/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.233",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.191",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.118",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser-\u003ebuffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but not set the end of parser-\u003ebuffer to 0.\nThen an OOB access will be triggered in ftrace_regex_release-\u003e\nftrace_process_regex-\u003estrsep-\u003estrpbrk. We can solve this problem by\nlimiting access to parser-\u003ebuffer when trace_get_user failed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:20.731Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b842ef39c2ad6156c13afdec25ecc6792a9b67b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/41b838420457802f21918df66764b6fbf829d330"
        },
        {
          "url": "https://git.kernel.org/stable/c/418b448e1d7470da9d4d4797f71782595ee69c49"
        },
        {
          "url": "https://git.kernel.org/stable/c/58ff8064cb4c7eddac4da1a59da039ead586950a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0c68045b8b0f3737ed7bd6b8c83b7887014adee"
        },
        {
          "url": "https://git.kernel.org/stable/c/3079517a5ba80901fe828a06998da64b9b8749be"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a909ea83f226803ea0e718f6e88613df9234d58"
        }
      ],
      "title": "tracing: Limit access to parser-\u003ebuffer when trace_get_user failed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39683",
    "datePublished": "2025-09-05T17:20:49.821Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2025-11-03T17:42:15.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39848 (GCVE-0-2025-39848)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44

Title

ax25: properly unshare skbs in ax25_kiss_rcv()

Summary

In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs or corruptions could happen without a major crash. But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or not. Many thanks to Bernard Pidoux for his help, diagnosis and tests. We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/42b46684e2c78ee05…
	https://git.kernel.org/stable/c/5b079be1b9da49ad8…
	https://git.kernel.org/stable/c/2bd0f67212908243c…
	https://git.kernel.org/stable/c/01a2984cb803f2d48…
	https://git.kernel.org/stable/c/7d449b7a6c8ee434d…
	https://git.kernel.org/stable/c/89064cf534bea4bb2…
	https://git.kernel.org/stable/c/b1c71d674a308d2fb…
	https://git.kernel.org/stable/c/8156210d36a43e763…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 42b46684e2c78ee052d8c2ee8d9c2089233c9094 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5b079be1b9da49ad88fc304c874d4be7085f7883 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2bd0f67212908243ce88e35bf69fa77155b47b14 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 01a2984cb803f2d487b7074f9718db2bf3531f69 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d449b7a6c8ee434d10a483feed7c5c50108cf56 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 89064cf534bea4bb28c83fe6bbb26657b19dd5fe (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b1c71d674a308d2fbc83efcf88bfc4217a86aa17 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8156210d36a43e76372312c87eb5ea3dbb405a85 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:06.959Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ax25/ax25_in.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "42b46684e2c78ee052d8c2ee8d9c2089233c9094",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5b079be1b9da49ad88fc304c874d4be7085f7883",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2bd0f67212908243ce88e35bf69fa77155b47b14",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "01a2984cb803f2d487b7074f9718db2bf3531f69",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d449b7a6c8ee434d10a483feed7c5c50108cf56",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "89064cf534bea4bb28c83fe6bbb26657b19dd5fe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b1c71d674a308d2fbc83efcf88bfc4217a86aa17",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8156210d36a43e76372312c87eb5ea3dbb405a85",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ax25/ax25_in.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb-\u003edev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:58.643Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14"
        },
        {
          "url": "https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56"
        },
        {
          "url": "https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17"
        },
        {
          "url": "https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85"
        }
      ],
      "title": "ax25: properly unshare skbs in ax25_kiss_rcv()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39848",
    "datePublished": "2025-09-19T15:26:21.403Z",
    "dateReserved": "2025-04-16T07:20:57.142Z",
    "dateUpdated": "2025-11-03T17:44:06.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39689 (GCVE-0-2025-39689)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42

Title

ftrace: Also allocate and copy hash for reading of filter files

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs. Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/12064e1880fc9202b…
	https://git.kernel.org/stable/c/c4cd93811e038d19f…
	https://git.kernel.org/stable/c/e0b6b223167e1edde…
	https://git.kernel.org/stable/c/a40c69f4f1ed96acb…
	https://git.kernel.org/stable/c/3b114a3282ab1a12c…
	https://git.kernel.org/stable/c/c591ba1acd081d498…
	https://git.kernel.org/stable/c/64db338140d2bad99…
	https://git.kernel.org/stable/c/bfb336cf97df7b37b…

Impacted products

Vendor

Product

Version

Linux

Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 12064e1880fc9202be75ff668205b1703d92f74f (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < c4cd93811e038d19f961985735ef7bb128078dfb (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < e0b6b223167e1edde5c82edf38e393c06eda1f13 (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309 (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 3b114a3282ab1a12cb4618a8f45db5d7185e784a (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < c591ba1acd081d4980713e47869dd1cc3d963d19 (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 64db338140d2bad99a0a8c6a118dd60b3e1fb8cb (git)
Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < bfb336cf97df7b37b2b2edec0f69773e06d11955 (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:22.147Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "12064e1880fc9202be75ff668205b1703d92f74f",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "c4cd93811e038d19f961985735ef7bb128078dfb",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "e0b6b223167e1edde5c82edf38e393c06eda1f13",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "3b114a3282ab1a12cb4618a8f45db5d7185e784a",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "c591ba1acd081d4980713e47869dd1cc3d963d19",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "64db338140d2bad99a0a8c6a118dd60b3e1fb8cb",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "bfb336cf97df7b37b2b2edec0f69773e06d11955",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn\u0027t have to differentiate when to free the\niterator\u0027s hash between writers and readers."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:27.158Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/12064e1880fc9202be75ff668205b1703d92f74f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4cd93811e038d19f961985735ef7bb128078dfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0b6b223167e1edde5c82edf38e393c06eda1f13"
        },
        {
          "url": "https://git.kernel.org/stable/c/a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b114a3282ab1a12cb4618a8f45db5d7185e784a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c591ba1acd081d4980713e47869dd1cc3d963d19"
        },
        {
          "url": "https://git.kernel.org/stable/c/64db338140d2bad99a0a8c6a118dd60b3e1fb8cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfb336cf97df7b37b2b2edec0f69773e06d11955"
        }
      ],
      "title": "ftrace: Also allocate and copy hash for reading of filter files",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39689",
    "datePublished": "2025-09-05T17:20:55.270Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2025-11-03T17:42:22.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39891 (GCVE-0-2025-39891)

Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44

Title

wifi: mwifiex: Initialize the chan_stats array to zero

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak. Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9eb0118b3470b4d2e…
	https://git.kernel.org/stable/c/05daef0442d28350a…
	https://git.kernel.org/stable/c/acdf26a912190fc67…
	https://git.kernel.org/stable/c/32c124c9c03aa755c…
	https://git.kernel.org/stable/c/9df29aa5637d94d24…
	https://git.kernel.org/stable/c/06616410a3e5e6cd1…
	https://git.kernel.org/stable/c/5285b7009dc1e09d5…
	https://git.kernel.org/stable/c/0e20450829ca3c1db…

Impacted products

Vendor

Product

Version

Linux

Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 05daef0442d28350a1a0d6d0e2cab4a7a91df475 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < acdf26a912190fc6746e2a890d7d0338190527b4 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 32c124c9c03aa755cbaf60ef7f76afd918d47659 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 9df29aa5637d94d24f7c5f054ef4feaa7b766111 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 06616410a3e5e6cd1de5b7cbc668f1a7edeedad9 (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 5285b7009dc1e09d5bb9e05fae82e1a807882dbc (git)
Affected: bf35443314acb43fa8a3f9f8046e14cbe178762b , < 0e20450829ca3c1dbc2db536391537c57a40fe0b (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:27.798Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/marvell/mwifiex/cfg80211.c",
            "drivers/net/wireless/marvell/mwifiex/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "05daef0442d28350a1a0d6d0e2cab4a7a91df475",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "acdf26a912190fc6746e2a890d7d0338190527b4",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "32c124c9c03aa755cbaf60ef7f76afd918d47659",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "9df29aa5637d94d24f7c5f054ef4feaa7b766111",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "06616410a3e5e6cd1de5b7cbc668f1a7edeedad9",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "5285b7009dc1e09d5bb9e05fae82e1a807882dbc",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            },
            {
              "lessThan": "0e20450829ca3c1dbc2db536391537c57a40fe0b",
              "status": "affected",
              "version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/marvell/mwifiex/cfg80211.c",
            "drivers/net/wireless/marvell/mwifiex/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter-\u003echan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn\u0027t zero out\nmemory.  The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here.  What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn\u0027t necessarily\ninitialize the whole array.  Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small.  It\u0027s a maximum of 900 bytes so it\u0027s\nmore appropriate to use kcalloc() instead vmalloc()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:42:40.633Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65"
        },
        {
          "url": "https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475"
        },
        {
          "url": "https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659"
        },
        {
          "url": "https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111"
        },
        {
          "url": "https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9"
        },
        {
          "url": "https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b"
        }
      ],
      "title": "wifi: mwifiex: Initialize the chan_stats array to zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39891",
    "datePublished": "2025-10-01T07:42:40.633Z",
    "dateReserved": "2025-04-16T07:20:57.145Z",
    "dateUpdated": "2025-11-03T17:44:27.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39736 (GCVE-0-2025-39736)

Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2025-11-03 17:42

Title

mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may trigger netpoll, which eventually leads to __alloc_skb() and back into kmemleak code, attempting to reacquire kmemleak_lock. This is the path for the deadlock. mem_pool_alloc() -> raw_spin_lock_irqsave(&kmemleak_lock, flags); -> pr_warn_once() -> netconsole subsystem -> netpoll -> __alloc_skb -> __create_object -> raw_spin_lock_irqsave(&kmemleak_lock, flags); Fix this by setting a flag and issuing the pr_warn_once() after kmemleak_lock is released.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c7b6ea0ede687e746…
	https://git.kernel.org/stable/c/4b0151e1d468eb266…
	https://git.kernel.org/stable/c/f249d32bb54876b4b…
	https://git.kernel.org/stable/c/62879faa8efe8d8a9…
	https://git.kernel.org/stable/c/1da95d3d4b7b1d380…
	https://git.kernel.org/stable/c/a0854de00ce2ee27e…
	https://git.kernel.org/stable/c/08f70be5e406ce47c…
	https://git.kernel.org/stable/c/a181b228b37a6a562…
	https://git.kernel.org/stable/c/47b0f6d8f0d2be4d3…

Impacted products

Vendor

Product

Version

Linux

Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < c7b6ea0ede687e7460e593c5ea478f50aa41682a (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < 4b0151e1d468eb2667c37b7af99b3c075072d334 (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < f249d32bb54876b4b6c3ae071af8ddca77af390b (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < 62879faa8efe8d8a9c7bf7606ee9c068012d7dac (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < 1da95d3d4b7b1d380ebd87b71a61e7e6aed3265d (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < a0854de00ce2ee27edf39037e7836ad580eb3350 (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < 08f70be5e406ce47c822f2dd11c1170ca259605b (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < a181b228b37a6a5625dad2bb4265bb7abb673e9f (git)
Affected: c5665868183fec689dbab9fb8505188b2c4f0757 , < 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:52.536Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kmemleak.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c7b6ea0ede687e7460e593c5ea478f50aa41682a",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "4b0151e1d468eb2667c37b7af99b3c075072d334",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "f249d32bb54876b4b6c3ae071af8ddca77af390b",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "62879faa8efe8d8a9c7bf7606ee9c068012d7dac",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "1da95d3d4b7b1d380ebd87b71a61e7e6aed3265d",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "a0854de00ce2ee27edf39037e7836ad580eb3350",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "08f70be5e406ce47c822f2dd11c1170ca259605b",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "a181b228b37a6a5625dad2bb4265bb7abb673e9f",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            },
            {
              "lessThan": "47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2",
              "status": "affected",
              "version": "c5665868183fec689dbab9fb8505188b2c4f0757",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kmemleak.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock\n\nWhen netpoll is enabled, calling pr_warn_once() while holding\nkmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock\ninversion with the netconsole subsystem.  This occurs because\npr_warn_once() may trigger netpoll, which eventually leads to\n__alloc_skb() and back into kmemleak code, attempting to reacquire\nkmemleak_lock.\n\nThis is the path for the deadlock.\n\nmem_pool_alloc()\n  -\u003e raw_spin_lock_irqsave(\u0026kmemleak_lock, flags);\n      -\u003e pr_warn_once()\n          -\u003e netconsole subsystem\n\t     -\u003e netpoll\n\t         -\u003e __alloc_skb\n\t\t   -\u003e __create_object\n\t\t     -\u003e raw_spin_lock_irqsave(\u0026kmemleak_lock, flags);\n\nFix this by setting a flag and issuing the pr_warn_once() after\nkmemleak_lock is released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:21.948Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c7b6ea0ede687e7460e593c5ea478f50aa41682a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b0151e1d468eb2667c37b7af99b3c075072d334"
        },
        {
          "url": "https://git.kernel.org/stable/c/f249d32bb54876b4b6c3ae071af8ddca77af390b"
        },
        {
          "url": "https://git.kernel.org/stable/c/62879faa8efe8d8a9c7bf7606ee9c068012d7dac"
        },
        {
          "url": "https://git.kernel.org/stable/c/1da95d3d4b7b1d380ebd87b71a61e7e6aed3265d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0854de00ce2ee27edf39037e7836ad580eb3350"
        },
        {
          "url": "https://git.kernel.org/stable/c/08f70be5e406ce47c822f2dd11c1170ca259605b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a181b228b37a6a5625dad2bb4265bb7abb673e9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2"
        }
      ],
      "title": "mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39736",
    "datePublished": "2025-09-11T16:52:11.772Z",
    "dateReserved": "2025-04-16T07:20:57.119Z",
    "dateUpdated": "2025-11-03T17:42:52.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39772 (GCVE-0-2025-39772)

Vulnerability from cvelistv5 – Published: 2025-09-11 16:56 – Updated: 2025-11-03 17:43

Title

drm/hisilicon/hibmc: fix the hibmc loaded failed bug

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't need to free anything.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ddf1691f253456992…
	https://git.kernel.org/stable/c/c950e1be3a24d0214…
	https://git.kernel.org/stable/c/f93032e5d68f45960…
	https://git.kernel.org/stable/c/a4f1b9c57092c48bd…
	https://git.kernel.org/stable/c/d3e774266c28aefab…
	https://git.kernel.org/stable/c/93a08f856fcc5aaee…

Impacted products

Vendor

Product

Version

Linux

Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < ddf1691f25345699296e642f0f59f2d464722fa3 (git)
Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < c950e1be3a24d021475b56efdb49daa7fbba63a9 (git)
Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < f93032e5d68f459601c701f6ab087b5feb3382e8 (git)
Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < a4f1b9c57092c48bdc7958abd23403ccaed437b2 (git)
Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < d3e774266c28aefab3e9db334fdf568f936cae04 (git)
Affected: b3df5e65cc03696b0624a877d03a3ddf3ef43f52 , < 93a08f856fcc5aaeeecad01f71bef3088588216a (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:13.756Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ddf1691f25345699296e642f0f59f2d464722fa3",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            },
            {
              "lessThan": "c950e1be3a24d021475b56efdb49daa7fbba63a9",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            },
            {
              "lessThan": "f93032e5d68f459601c701f6ab087b5feb3382e8",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            },
            {
              "lessThan": "a4f1b9c57092c48bdc7958abd23403ccaed437b2",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            },
            {
              "lessThan": "d3e774266c28aefab3e9db334fdf568f936cae04",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            },
            {
              "lessThan": "93a08f856fcc5aaeeecad01f71bef3088588216a",
              "status": "affected",
              "version": "b3df5e65cc03696b0624a877d03a3ddf3ef43f52",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loaded failed, the driver use hibmc_unload to free the\nresource, but the mutexes in mode.config are not init, which will\naccess an NULL pointer. Just change goto statement to return, because\nhibnc_hw_init() doesn\u0027t need to free anything."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:59:06.904Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ddf1691f25345699296e642f0f59f2d464722fa3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c950e1be3a24d021475b56efdb49daa7fbba63a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f93032e5d68f459601c701f6ab087b5feb3382e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4f1b9c57092c48bdc7958abd23403ccaed437b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3e774266c28aefab3e9db334fdf568f936cae04"
        },
        {
          "url": "https://git.kernel.org/stable/c/93a08f856fcc5aaeeecad01f71bef3088588216a"
        }
      ],
      "title": "drm/hisilicon/hibmc: fix the hibmc loaded failed bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39772",
    "datePublished": "2025-09-11T16:56:26.130Z",
    "dateReserved": "2025-04-16T07:20:57.128Z",
    "dateUpdated": "2025-11-03T17:43:13.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38441 (GCVE-0-2025-38441)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a3aea97d55964e70a…
	https://git.kernel.org/stable/c/eed8960b289327235…
	https://git.kernel.org/stable/c/9fbc49429a23b0259…
	https://git.kernel.org/stable/c/e0dd2e9729660f3f4…
	https://git.kernel.org/stable/c/cfbf0665969af2c69…
	https://git.kernel.org/stable/c/18cdb3d982da8976b…

Impacted products

Vendor

Product

Version

Linux

Affected: d06977b9a4109f8738bb276125eb6a0b772bc433 , < a3aea97d55964e70a1e6426aa4cafdc036e8a2dd (git)
Affected: 8bf7c76a2a207ca2b4cfda0a279192adf27678d7 , < eed8960b289327235185b7c32649c3470a3e969b (git)
Affected: a2471d271042ea18e8a6babc132a8716bb2f08b9 , < 9fbc49429a23b02595ba82536c5ea425fdabb221 (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < e0dd2e9729660f3f4fcb16e0aef87342911528ef (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < cfbf0665969af2c69d10c377d4c3d306e717efb4 (git)
Affected: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf , < 18cdb3d982da8976b28d57691eb256ec5688fad2 (git)
Affected: cf366ee3bc1b7d1c76a882640ba3b3f8f1039163 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:03.697Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_flow_table.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3aea97d55964e70a1e6426aa4cafdc036e8a2dd",
              "status": "affected",
              "version": "d06977b9a4109f8738bb276125eb6a0b772bc433",
              "versionType": "git"
            },
            {
              "lessThan": "eed8960b289327235185b7c32649c3470a3e969b",
              "status": "affected",
              "version": "8bf7c76a2a207ca2b4cfda0a279192adf27678d7",
              "versionType": "git"
            },
            {
              "lessThan": "9fbc49429a23b02595ba82536c5ea425fdabb221",
              "status": "affected",
              "version": "a2471d271042ea18e8a6babc132a8716bb2f08b9",
              "versionType": "git"
            },
            {
              "lessThan": "e0dd2e9729660f3f4fcb16e0aef87342911528ef",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "lessThan": "cfbf0665969af2c69d10c377d4c3d306e717efb4",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "lessThan": "18cdb3d982da8976b28d57691eb256ec5688fad2",
              "status": "affected",
              "version": "87b3593bed1868b2d9fe096c01bcdf0ea86cbebf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cf366ee3bc1b7d1c76a882640ba3b3f8f1039163",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_flow_table.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.15.157",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "6.1.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()\n\nsyzbot found a potential access to uninit-value in nf_flow_pppoe_proto()\n\nBlamed commit forgot the Ethernet header.\n\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n  nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623\n  nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n  nf_ingress net/core/dev.c:5742 [inline]\n  __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837\n  __netif_receive_skb_one_core net/core/dev.c:5975 [inline]\n  __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090\n  netif_receive_skb_internal net/core/dev.c:6176 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6235\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xb4b/0x1580 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:22.394Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a3aea97d55964e70a1e6426aa4cafdc036e8a2dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/eed8960b289327235185b7c32649c3470a3e969b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fbc49429a23b02595ba82536c5ea425fdabb221"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0dd2e9729660f3f4fcb16e0aef87342911528ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfbf0665969af2c69d10c377d4c3d306e717efb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/18cdb3d982da8976b28d57691eb256ec5688fad2"
        }
      ],
      "title": "netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38441",
    "datePublished": "2025-07-25T15:27:20.276Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-11-03T17:38:03.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-52935 (GCVE-0-2023-52935)

Vulnerability from cvelistv5 – Published: 2025-03-27 16:37 – Updated: 2025-11-03 17:31

Title

mm/khugepaged: fix ->anon_vma race

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix ->anon_vma race If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/352fbf61ce776fef1…
	https://git.kernel.org/stable/c/cee956ab1efbd858b…
	https://git.kernel.org/stable/c/abdf3c33918185c3e…
	https://git.kernel.org/stable/c/acb08187b5a83cdb9…
	https://git.kernel.org/stable/c/023f47a8250c6bdb4…

Impacted products

Vendor

Product

Version

Linux

Affected: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 , < 352fbf61ce776fef18dca6a68680a6cd943dac95 (git)
Affected: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 , < cee956ab1efbd858b4ca61c8b474af5aa24b29a6 (git)
Affected: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 , < abdf3c33918185c3e8ffeb09ed3e334b3d7df47c (git)
Affected: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 , < acb08187b5a83cdb9ac4112fae9e18cf983b0128 (git)
Affected: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 , < 023f47a8250c6bdb4aebe744db4bf7f73414028b (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.11 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T15:22:40.271006Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T15:31:59.667Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:05.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/khugepaged.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "352fbf61ce776fef18dca6a68680a6cd943dac95",
              "status": "affected",
              "version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
              "versionType": "git"
            },
            {
              "lessThan": "cee956ab1efbd858b4ca61c8b474af5aa24b29a6",
              "status": "affected",
              "version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
              "versionType": "git"
            },
            {
              "lessThan": "abdf3c33918185c3e8ffeb09ed3e334b3d7df47c",
              "status": "affected",
              "version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
              "versionType": "git"
            },
            {
              "lessThan": "acb08187b5a83cdb9ac4112fae9e18cf983b0128",
              "status": "affected",
              "version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
              "versionType": "git"
            },
            {
              "lessThan": "023f47a8250c6bdb4aebe744db4bf7f73414028b",
              "status": "affected",
              "version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/khugepaged.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.11",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix -\u003eanon_vma race\n\nIf an -\u003eanon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. \nretract_page_tables() bails out if an -\u003eanon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing -\u003eanon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the -\u003eanon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(\u0026vma-\u003eanon_vma-\u003eroot-\u003erwsem)\". \nIt can also lead to use-after-free access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:05:44.962Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95"
        },
        {
          "url": "https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c"
        },
        {
          "url": "https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128"
        },
        {
          "url": "https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b"
        }
      ],
      "title": "mm/khugepaged: fix -\u003eanon_vma race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52935",
    "datePublished": "2025-03-27T16:37:15.505Z",
    "dateReserved": "2024-08-21T06:07:11.020Z",
    "dateUpdated": "2025-11-03T17:31:05.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38650 (GCVE-0-2025-38650)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

hfsplus: remove mutex_lock check in hfsplus_free_extents

Summary

In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: <TASK> hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 cont_expand_zero fs/buffer.c:2383 [inline] cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 notify_change+0xe38/0x10f0 fs/attr.c:420 do_truncate+0x1fb/0x2e0 fs/open.c:65 do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") unlock extree before hfsplus_free_extents(), and add check wheather extree is locked in hfsplus_free_extents(). However, when operations such as hfsplus_file_release, hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed concurrently in different files, it is very likely to trigger the WARN_ON, which will lead syzbot and xfstest to consider it as an abnormality. The comment above this warning also describes one of the easy triggering situations, which can easily trigger and cause xfstest&syzbot to report errors. [task A] [task B] ->hfsplus_file_release ->hfsplus_file_truncate ->hfs_find_init ->mutex_lock ->mutex_unlock ->hfsplus_write_begin ->hfsplus_get_block ->hfsplus_file_extend ->hfsplus_ext_read_extent ->hfs_find_init ->mutex_lock ->hfsplus_free_extents WARN_ON(mutex_is_locked) !!! Several threads could try to lock the shared extents tree. And warning can be triggered in one thread when another thread has locked the tree. This is the wrong behavior of the code and we need to remove the warning.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0807e4ac59a546f23…
	https://git.kernel.org/stable/c/fdd6aca652122d6e9…
	https://git.kernel.org/stable/c/14922f0cc92e010b1…
	https://git.kernel.org/stable/c/a19ce9230b22a0866…
	https://git.kernel.org/stable/c/084933961ecda7561…
	https://git.kernel.org/stable/c/5055b7db94110f228…
	https://git.kernel.org/stable/c/9764b8bb9f5f94df1…
	https://git.kernel.org/stable/c/314310166ba1fdff7…
	https://git.kernel.org/stable/c/fcb96956c921f1aae…

Impacted products

Vendor

Product

Version

Linux

Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 0807e4ac59a546f2346961c5e26a98901594b205 (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < fdd6aca652122d6e97787e88d7dd53ddc8b74e7e (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 14922f0cc92e010b160121679c0a6ca072f4e975 (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < a19ce9230b22a0866313932e7964cf05557a6008 (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 084933961ecda7561dedfb78c4676ccb90c91ada (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 5055b7db94110f228961dea6b74eed0a93a50b01 (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < 314310166ba1fdff7660dfd9d18ea42d7058f7ae (git)
Affected: 31651c607151f1034cfb57e5a78678bea54c362b , < fcb96956c921f1aae7e7b477f2435c56f77a31b4 (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:43.767Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0807e4ac59a546f2346961c5e26a98901594b205",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "fdd6aca652122d6e97787e88d7dd53ddc8b74e7e",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "14922f0cc92e010b160121679c0a6ca072f4e975",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "a19ce9230b22a0866313932e7964cf05557a6008",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "084933961ecda7561dedfb78c4676ccb90c91ada",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "5055b7db94110f228961dea6b74eed0a93a50b01",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "314310166ba1fdff7660dfd9d18ea42d7058f7ae",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            },
            {
              "lessThan": "fcb96956c921f1aae7e7b477f2435c56f77a31b4",
              "status": "affected",
              "version": "31651c607151f1034cfb57e5a78678bea54c362b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: remove mutex_lock check in hfsplus_free_extents\n\nSyzbot reported an issue in hfsplus filesystem:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346\n\thfsplus_free_extents+0x700/0xad0\nCall Trace:\n\u003cTASK\u003e\nhfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606\nhfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56\ncont_expand_zero fs/buffer.c:2383 [inline]\ncont_write_begin+0x2cf/0x860 fs/buffer.c:2446\nhfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52\ngeneric_cont_expand_simple+0x151/0x250 fs/buffer.c:2347\nhfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263\nnotify_change+0xe38/0x10f0 fs/attr.c:420\ndo_truncate+0x1fb/0x2e0 fs/open.c:65\ndo_sys_ftruncate+0x2eb/0x380 fs/open.c:193\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTo avoid deadlock, Commit 31651c607151 (\"hfsplus: avoid deadlock\non file truncation\") unlock extree before hfsplus_free_extents(),\nand add check wheather extree is locked in hfsplus_free_extents().\n\nHowever, when operations such as hfsplus_file_release,\nhfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed\nconcurrently in different files, it is very likely to trigger the\nWARN_ON, which will lead syzbot and xfstest to consider it as an\nabnormality.\n\nThe comment above this warning also describes one of the easy\ntriggering situations, which can easily trigger and cause\nxfstest\u0026syzbot to report errors.\n\n[task A]\t\t\t[task B]\n-\u003ehfsplus_file_release\n  -\u003ehfsplus_file_truncate\n    -\u003ehfs_find_init\n      -\u003emutex_lock\n    -\u003emutex_unlock\n\t\t\t\t-\u003ehfsplus_write_begin\n\t\t\t\t  -\u003ehfsplus_get_block\n\t\t\t\t    -\u003ehfsplus_file_extend\n\t\t\t\t      -\u003ehfsplus_ext_read_extent\n\t\t\t\t        -\u003ehfs_find_init\n\t\t\t\t\t  -\u003emutex_lock\n    -\u003ehfsplus_free_extents\n      WARN_ON(mutex_is_locked) !!!\n\nSeveral threads could try to lock the shared extents tree.\nAnd warning can be triggered in one thread when another thread\nhas locked the tree. This is the wrong behavior of the code and\nwe need to remove the warning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:31.043Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0807e4ac59a546f2346961c5e26a98901594b205"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdd6aca652122d6e97787e88d7dd53ddc8b74e7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/14922f0cc92e010b160121679c0a6ca072f4e975"
        },
        {
          "url": "https://git.kernel.org/stable/c/a19ce9230b22a0866313932e7964cf05557a6008"
        },
        {
          "url": "https://git.kernel.org/stable/c/084933961ecda7561dedfb78c4676ccb90c91ada"
        },
        {
          "url": "https://git.kernel.org/stable/c/5055b7db94110f228961dea6b74eed0a93a50b01"
        },
        {
          "url": "https://git.kernel.org/stable/c/9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/314310166ba1fdff7660dfd9d18ea42d7058f7ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcb96956c921f1aae7e7b477f2435c56f77a31b4"
        }
      ],
      "title": "hfsplus: remove mutex_lock check in hfsplus_free_extents",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38650",
    "datePublished": "2025-08-22T16:00:54.556Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:43.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21791 (GCVE-0-2025-21791)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 20:59

Title

vrf: use RCU protection in l3mdev_l3_out()

Summary

In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6ccaa5797f5362a2a…
	https://git.kernel.org/stable/c/20a3489b396764cc9…
	https://git.kernel.org/stable/c/5bb4228c32261d06e…
	https://git.kernel.org/stable/c/c7574740be8ce68a5…
	https://git.kernel.org/stable/c/c40cb5c03e37552d6…
	https://git.kernel.org/stable/c/022cac1c693add610…
	https://git.kernel.org/stable/c/7b81425b517accefd…
	https://git.kernel.org/stable/c/6d0ce46a93135d96b…

Impacted products

Vendor

Product

Version

Linux

Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 20a3489b396764cc9376e32a9172bee26a89dc3b (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 5bb4228c32261d06e4fbece37ec3828bcc005b6b (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < c7574740be8ce68a57d0aece24987b9be2114c3c (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < c40cb5c03e37552d6eff963187109e2c3f78ef6f (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 022cac1c693add610ae76ede03adf4d9d5a2cf21 (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 7b81425b517accefd46bee854d94954f5c57e019 (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:16.236835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:34.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n  ip_send_skb()\n   ip_local_out()\n    __ip_local_out()\n     l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:18.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
        }
      ],
      "title": "vrf: use RCU protection in l3mdev_l3_out()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21791",
    "datePublished": "2025-02-27T02:18:29.014Z",
    "dateReserved": "2024-12-29T08:45:45.766Z",
    "dateUpdated": "2025-11-03T20:59:34.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38697 (GCVE-0-2025-38697)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31

Title

jfs: upper bound check of tree index in dbAllocAG

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5bdb9553fb134fd52…
	https://git.kernel.org/stable/c/a4f199203f79ca9cd…
	https://git.kernel.org/stable/c/1467a75819e41341c…
	https://git.kernel.org/stable/c/49ea46d9025aa1914…
	https://git.kernel.org/stable/c/173cfd741ad707364…
	https://git.kernel.org/stable/c/c8ca21a2836993d7c…
	https://git.kernel.org/stable/c/2dd05f09cc3230181…
	https://git.kernel.org/stable/c/30e19a884c0b11f33…
	https://git.kernel.org/stable/c/c214006856ff52a8f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5bdb9553fb134fd52ec208a8b378120670f6e784 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4f199203f79ca9cd7355799ccb26800174ff093 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1467a75819e41341cd5ebd16faa2af1ca3c8f4fe (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 49ea46d9025aa1914b24ea957636cbe4367a7311 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 173cfd741ad7073640bfb7e2344c2a0ee005e769 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c8ca21a2836993d7cb816668458e05e598574e55 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2dd05f09cc323018136a7ecdb3d1007be9ede27f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 30e19a884c0b11f33821aacda7e72e914bec26ef (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c214006856ff52a8ff17ed8da52d50601d54f9ce (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:26.028Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5bdb9553fb134fd52ec208a8b378120670f6e784",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a4f199203f79ca9cd7355799ccb26800174ff093",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1467a75819e41341cd5ebd16faa2af1ca3c8f4fe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "49ea46d9025aa1914b24ea957636cbe4367a7311",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "173cfd741ad7073640bfb7e2344c2a0ee005e769",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c8ca21a2836993d7cb816668458e05e598574e55",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2dd05f09cc323018136a7ecdb3d1007be9ede27f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "30e19a884c0b11f33821aacda7e72e914bec26ef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c214006856ff52a8ff17ed8da52d50601d54f9ce",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: upper bound check of tree index in dbAllocAG\n\nWhen computing the tree index in dbAllocAG, we never check if we are\nout of bounds realative to the size of the stree.\nThis could happen in a scenario where the filesystem metadata are\ncorrupted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:31:12.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5bdb9553fb134fd52ec208a8b378120670f6e784"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4f199203f79ca9cd7355799ccb26800174ff093"
        },
        {
          "url": "https://git.kernel.org/stable/c/1467a75819e41341cd5ebd16faa2af1ca3c8f4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/49ea46d9025aa1914b24ea957636cbe4367a7311"
        },
        {
          "url": "https://git.kernel.org/stable/c/173cfd741ad7073640bfb7e2344c2a0ee005e769"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8ca21a2836993d7cb816668458e05e598574e55"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dd05f09cc323018136a7ecdb3d1007be9ede27f"
        },
        {
          "url": "https://git.kernel.org/stable/c/30e19a884c0b11f33821aacda7e72e914bec26ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/c214006856ff52a8ff17ed8da52d50601d54f9ce"
        }
      ],
      "title": "jfs: upper bound check of tree index in dbAllocAG",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38697",
    "datePublished": "2025-09-04T15:32:49.848Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2026-01-02T15:31:12.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-50067 (GCVE-0-2024-50067)

Vulnerability from cvelistv5 – Published: 2024-10-28 00:57 – Updated: 2025-11-03 22:25

Title

uprobe: avoid out-of-bounds memory access of fetching args

Summary

In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access. It could be reproduced by following steps: 1. build kernel with CONFIG_KASAN enabled 2. save follow program as test.c ``` \#include <stdio.h> \#include <stdlib.h> \#include <string.h> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. \#define STRLEN 4093 void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; } void print_string(char *str) { printf("%s\n", str); } int main() { char tmp[STRLEN]; generate_string(tmp, STRLEN); print_string(tmp); return 0; } ``` 3. compile program `gcc -o test test.c` 4. get the offset of `print_string()` ``` objdump -t test | grep -w print_string 0000000000401199 g F .text 000000000000001b print_string ``` 5. configure uprobe with offset 0x1199 ``` off=0x1199 cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on ``` 6. run `test`, and kasan will report error. ================================================================== BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x27/0x310 kasan_report+0x10f/0x120 ? strncpy_from_user+0x1d6/0x1f0 strncpy_from_user+0x1d6/0x1f0 ? rmqueue.constprop.0+0x70d/0x2ad0 process_fetch_insn+0xb26/0x1470 ? __pfx_process_fetch_insn+0x10/0x10 ? _raw_spin_lock+0x85/0xe0 ? __pfx__raw_spin_lock+0x10/0x10 ? __pte_offset_map+0x1f/0x2d0 ? unwind_next_frame+0xc5f/0x1f80 ? arch_stack_walk+0x68/0xf0 ? is_bpf_text_address+0x23/0x30 ? kernel_text_address.part.0+0xbb/0xd0 ? __kernel_text_address+0x66/0xb0 ? unwind_get_return_address+0x5e/0xa0 ? __pfx_stack_trace_consume_entry+0x10/0x10 ? arch_stack_walk+0xa2/0xf0 ? _raw_spin_lock_irqsave+0x8b/0xf0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? depot_alloc_stack+0x4c/0x1f0 ? _raw_spin_unlock_irqrestore+0xe/0x30 ? stack_depot_save_flags+0x35d/0x4f0 ? kasan_save_stack+0x34/0x50 ? kasan_save_stack+0x24/0x50 ? mutex_lock+0x91/0xe0 ? __pfx_mutex_lock+0x10/0x10 prepare_uprobe_buffer.part.0+0x2cd/0x500 uprobe_dispatcher+0x2c3/0x6a0 ? __pfx_uprobe_dispatcher+0x10/0x10 ? __kasan_slab_alloc+0x4d/0x90 handler_chain+0xdd/0x3e0 handle_swbp+0x26e/0x3d0 ? __pfx_handle_swbp+0x10/0x10 ? uprobe_pre_sstep_notifier+0x151/0x1b0 irqentry_exit_to_user_mode+0xe2/0x1b0 asm_exc_int3+0x39/0x40 RIP: 0033:0x401199 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 </TASK> This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0dc3ad9ad2188da7f…
	https://git.kernel.org/stable/c/9e5f93788c9dd4309…
	https://git.kernel.org/stable/c/537ad4a431f6dddbf…
	https://git.kernel.org/stable/c/373b9338c9722a368…

Impacted products

Vendor

Product

Version

Linux

Affected: dcad1a204f72624796ae83359403898d10393b9c , < 0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f (git)
Affected: dcad1a204f72624796ae83359403898d10393b9c , < 9e5f93788c9dd4309e75a56860a1ac44a8e117b9 (git)
Affected: dcad1a204f72624796ae83359403898d10393b9c , < 537ad4a431f6dddbf15d40d19f24bb9ee12b55cb (git)
Affected: dcad1a204f72624796ae83359403898d10393b9c , < 373b9338c9722a368925d83bc622c596896b328e (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 6.1.118 , ≤ 6.1.* (semver)
Unaffected: 6.6.59 , ≤ 6.6.* (semver)
Unaffected: 6.11.6 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50067",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:49:09.097229Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:34.869Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:25:03.914Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_uprobe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f",
              "status": "affected",
              "version": "dcad1a204f72624796ae83359403898d10393b9c",
              "versionType": "git"
            },
            {
              "lessThan": "9e5f93788c9dd4309e75a56860a1ac44a8e117b9",
              "status": "affected",
              "version": "dcad1a204f72624796ae83359403898d10393b9c",
              "versionType": "git"
            },
            {
              "lessThan": "537ad4a431f6dddbf15d40d19f24bb9ee12b55cb",
              "status": "affected",
              "version": "dcad1a204f72624796ae83359403898d10393b9c",
              "versionType": "git"
            },
            {
              "lessThan": "373b9338c9722a368925d83bc622c596896b328e",
              "status": "affected",
              "version": "dcad1a204f72624796ae83359403898d10393b9c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_uprobe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.118",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobe: avoid out-of-bounds memory access of fetching args\n\nUprobe needs to fetch args into a percpu buffer, and then copy to ring\nbuffer to avoid non-atomic context problem.\n\nSometimes user-space strings, arrays can be very large, but the size of\npercpu buffer is only page size. And store_trace_args() won\u0027t check\nwhether these data exceeds a single page or not, caused out-of-bounds\nmemory access.\n\nIt could be reproduced by following steps:\n1. build kernel with CONFIG_KASAN enabled\n2. save follow program as test.c\n\n```\n\\#include \u003cstdio.h\u003e\n\\#include \u003cstdlib.h\u003e\n\\#include \u003cstring.h\u003e\n\n// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()\n// will return 0, cause __get_data_size() return shorter size, and\n// store_trace_args() will not trigger out-of-bounds access.\n// So make string length less than 4096.\n\\#define STRLEN 4093\n\nvoid generate_string(char *str, int n)\n{\n    int i;\n    for (i = 0; i \u003c n; ++i)\n    {\n        char c = i % 26 + \u0027a\u0027;\n        str[i] = c;\n    }\n    str[n-1] = \u0027\\0\u0027;\n}\n\nvoid print_string(char *str)\n{\n    printf(\"%s\\n\", str);\n}\n\nint main()\n{\n    char tmp[STRLEN];\n\n    generate_string(tmp, STRLEN);\n    print_string(tmp);\n\n    return 0;\n}\n```\n3. compile program\n`gcc -o test test.c`\n\n4. get the offset of `print_string()`\n```\nobjdump -t test | grep -w print_string\n0000000000401199 g     F .text  000000000000001b              print_string\n```\n\n5. configure uprobe with offset 0x1199\n```\noff=0x1199\n\ncd /sys/kernel/debug/tracing/\necho \"p /root/test:${off} arg1=+0(%di):ustring arg2=\\$comm arg3=+0(%di):ustring\"\n \u003e uprobe_events\necho 1 \u003e events/uprobes/enable\necho 1 \u003e tracing_on\n```\n\n6. run `test`, and kasan will report error.\n==================================================================\nBUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0\nWrite of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18\nHardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x27/0x310\n kasan_report+0x10f/0x120\n ? strncpy_from_user+0x1d6/0x1f0\n strncpy_from_user+0x1d6/0x1f0\n ? rmqueue.constprop.0+0x70d/0x2ad0\n process_fetch_insn+0xb26/0x1470\n ? __pfx_process_fetch_insn+0x10/0x10\n ? _raw_spin_lock+0x85/0xe0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __pte_offset_map+0x1f/0x2d0\n ? unwind_next_frame+0xc5f/0x1f80\n ? arch_stack_walk+0x68/0xf0\n ? is_bpf_text_address+0x23/0x30\n ? kernel_text_address.part.0+0xbb/0xd0\n ? __kernel_text_address+0x66/0xb0\n ? unwind_get_return_address+0x5e/0xa0\n ? __pfx_stack_trace_consume_entry+0x10/0x10\n ? arch_stack_walk+0xa2/0xf0\n ? _raw_spin_lock_irqsave+0x8b/0xf0\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? depot_alloc_stack+0x4c/0x1f0\n ? _raw_spin_unlock_irqrestore+0xe/0x30\n ? stack_depot_save_flags+0x35d/0x4f0\n ? kasan_save_stack+0x34/0x50\n ? kasan_save_stack+0x24/0x50\n ? mutex_lock+0x91/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n prepare_uprobe_buffer.part.0+0x2cd/0x500\n uprobe_dispatcher+0x2c3/0x6a0\n ? __pfx_uprobe_dispatcher+0x10/0x10\n ? __kasan_slab_alloc+0x4d/0x90\n handler_chain+0xdd/0x3e0\n handle_swbp+0x26e/0x3d0\n ? __pfx_handle_swbp+0x10/0x10\n ? uprobe_pre_sstep_notifier+0x151/0x1b0\n irqentry_exit_to_user_mode+0xe2/0x1b0\n asm_exc_int3+0x39/0x40\nRIP: 0033:0x401199\nCode: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce\nRSP: 002b:00007ffdf00576a8 EFLAGS: 00000206\nRAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2\nRDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0\nRBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20\nR10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040\nR13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThis commit enforces the buffer\u0027s maxlen less than a page-size to avoid\nstore_trace_args() out-of-memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:45:09.161Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e5f93788c9dd4309e75a56860a1ac44a8e117b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/537ad4a431f6dddbf15d40d19f24bb9ee12b55cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/373b9338c9722a368925d83bc622c596896b328e"
        }
      ],
      "title": "uprobe: avoid out-of-bounds memory access of fetching args",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50067",
    "datePublished": "2024-10-28T00:57:05.734Z",
    "dateReserved": "2024-10-21T19:36:19.939Z",
    "dateUpdated": "2025-11-03T22:25:03.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38539 (GCVE-0-2025-38539)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-11-03 17:39

Title

tracing: Add down_write(trace_event_sem) when adding trace event

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e70f5ee4c88247363…
	https://git.kernel.org/stable/c/db45632479ceecb66…
	https://git.kernel.org/stable/c/ca60064ea03f14e06…
	https://git.kernel.org/stable/c/7803b28c9aa8d8bd4…
	https://git.kernel.org/stable/c/6bc94f20a4c304997…
	https://git.kernel.org/stable/c/33e20747b47ddc035…
	https://git.kernel.org/stable/c/70fecd519caad0c17…
	https://git.kernel.org/stable/c/b5e8acc14dcb314a9…

Impacted products

Vendor

Product

Version

Linux

Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < e70f5ee4c8824736332351b703c46f9469ed7f6c (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < db45632479ceecb669612ed8dbce927e3c6279fc (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < ca60064ea03f14e06c763de018403cb56ba3207d (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < 7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < 6bc94f20a4c304997288f9a45278c9d0c06987d3 (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < 33e20747b47ddc03569b6bc27a2d6894c1428182 (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < 70fecd519caad0c1741c3379d5348c9000a5b29d (git)
Affected: 110bf2b764eb6026b868d84499263cb24b1bcc8d , < b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df (git)

Linux

Affected: 2.6.31
Unaffected: 0 , < 2.6.31 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:34.419Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_events.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e70f5ee4c8824736332351b703c46f9469ed7f6c",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "db45632479ceecb669612ed8dbce927e3c6279fc",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "ca60064ea03f14e06c763de018403cb56ba3207d",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "6bc94f20a4c304997288f9a45278c9d0c06987d3",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "33e20747b47ddc03569b6bc27a2d6894c1428182",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "70fecd519caad0c1741c3379d5348c9000a5b29d",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            },
            {
              "lessThan": "b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df",
              "status": "affected",
              "version": "110bf2b764eb6026b868d84499263cb24b1bcc8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_events.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add down_write(trace_event_sem) when adding trace event\n\nWhen a module is loaded, it adds trace events defined by the module. It\nmay also need to modify the modules trace printk formats to replace enum\nnames with their values.\n\nIf two modules are loaded at the same time, the adding of the event to the\nftrace_events list can corrupt the walking of the list in the code that is\nmodifying the printk format strings and crash the kernel.\n\nThe addition of the event should take the trace_event_sem for write while\nit adds the new event.\n\nAlso add a lockdep_assert_held() on that semaphore in\n__trace_add_event_dirs() as it iterates the list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:41.142Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e70f5ee4c8824736332351b703c46f9469ed7f6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/db45632479ceecb669612ed8dbce927e3c6279fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca60064ea03f14e06c763de018403cb56ba3207d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bc94f20a4c304997288f9a45278c9d0c06987d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/33e20747b47ddc03569b6bc27a2d6894c1428182"
        },
        {
          "url": "https://git.kernel.org/stable/c/70fecd519caad0c1741c3379d5348c9000a5b29d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df"
        }
      ],
      "title": "tracing: Add down_write(trace_event_sem) when adding trace event",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38539",
    "datePublished": "2025-08-16T11:12:31.678Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-11-03T17:39:34.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38509 (GCVE-0-2025-38509)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:54 – Updated: 2025-08-16 10:54

Title

wifi: mac80211: reject VHT opmode for unsupported channel widths

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject VHT opmode for unsupported channel widths VHT operating mode notifications are not defined for channel widths below 20 MHz. In particular, 5 MHz and 10 MHz are not valid under the VHT specification and must be rejected. Without this check, malformed notifications using these widths may reach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due to invalid input. This issue was reported by syzbot. Reject these unsupported widths early in sta_link_apply_parameters() when opmode_notif is used. The accepted set includes 20, 40, 80, 160, and 80+80 MHz, which are valid for VHT. While 320 MHz is not defined for VHT, it is allowed to avoid rejecting HE or EHT clients that may still send a VHT opmode notification.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/18eca59a04500b68a…
	https://git.kernel.org/stable/c/58fcb1b4287ce3885…

Impacted products

Vendor

Product

Version

Linux

Affected: 751e7489c1d74b94ffffbed619d8fd724eeff4ee , < 18eca59a04500b68a90e0c5c873f97c9d1ea2bfa (git)
Affected: 751e7489c1d74b94ffffbed619d8fd724eeff4ee , < 58fcb1b4287ce38850402bb2bb16d09bf77b91d9 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/cfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18eca59a04500b68a90e0c5c873f97c9d1ea2bfa",
              "status": "affected",
              "version": "751e7489c1d74b94ffffbed619d8fd724eeff4ee",
              "versionType": "git"
            },
            {
              "lessThan": "58fcb1b4287ce38850402bb2bb16d09bf77b91d9",
              "status": "affected",
              "version": "751e7489c1d74b94ffffbed619d8fd724eeff4ee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/cfg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject VHT opmode for unsupported channel widths\n\nVHT operating mode notifications are not defined for channel widths\nbelow 20 MHz. In particular, 5 MHz and 10 MHz are not valid under the\nVHT specification and must be rejected.\n\nWithout this check, malformed notifications using these widths may\nreach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due to\ninvalid input. This issue was reported by syzbot.\n\nReject these unsupported widths early in sta_link_apply_parameters()\nwhen opmode_notif is used. The accepted set includes 20, 40, 80, 160,\nand 80+80 MHz, which are valid for VHT. While 320 MHz is not defined\nfor VHT, it is allowed to avoid rejecting HE or EHT clients that may\nstill send a VHT opmode notification."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:54:46.493Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18eca59a04500b68a90e0c5c873f97c9d1ea2bfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/58fcb1b4287ce38850402bb2bb16d09bf77b91d9"
        }
      ],
      "title": "wifi: mac80211: reject VHT opmode for unsupported channel widths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38509",
    "datePublished": "2025-08-16T10:54:46.493Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-08-16T10:54:46.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38459 (GCVE-0-2025-38459)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

atm: clip: Fix infinite recursive call of clip_push().

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: <TASK> clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 </TASK> Modules linked in:

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f493f31a63847624f…
	https://git.kernel.org/stable/c/125166347d5676466…
	https://git.kernel.org/stable/c/5641019dfbaee5e85…
	https://git.kernel.org/stable/c/1579a2777cb914a24…
	https://git.kernel.org/stable/c/3f61b997fe014bbfc…
	https://git.kernel.org/stable/c/024876b247a882972…
	https://git.kernel.org/stable/c/df0312d8859763aa1…
	https://git.kernel.org/stable/c/c489f3283dbfc0f3c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f493f31a63847624fd3199ac836a8bd8828e50e2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 125166347d5676466d368aadc0bbc31ee7714352 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5641019dfbaee5e85fe093b590f0451c9dd4d6f8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1579a2777cb914a249de22c789ba4d41b154509f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 024876b247a882972095b22087734dcd23396a4e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < df0312d8859763aa15b8b56ac151a1ea4a4e5b88 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c489f3283dbfc0f3c00c312149cae90d27552c45 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:17.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f493f31a63847624fd3199ac836a8bd8828e50e2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "125166347d5676466d368aadc0bbc31ee7714352",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5641019dfbaee5e85fe093b590f0451c9dd4d6f8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1579a2777cb914a249de22c789ba4d41b154509f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "024876b247a882972095b22087734dcd23396a4e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "df0312d8859763aa15b8b56ac151a1ea4a4e5b88",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c489f3283dbfc0f3c00c312149cae90d27552c45",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. [0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc-\u003epush(),\nand the second call copies it to clip_vcc-\u003eold_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc-\u003eold_push(),\ntriggering the infinite recursion.\n\nLet\u0027s prevent the second ioctl(ATMARP_MKIP) by checking\nvcc-\u003euser_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 \u003c41\u003e 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n \u003c/TASK\u003e\nModules linked in:"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:59.776Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352"
        },
        {
          "url": "https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31"
        },
        {
          "url": "https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45"
        }
      ],
      "title": "atm: clip: Fix infinite recursive call of clip_push().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38459",
    "datePublished": "2025-07-25T15:27:37.893Z",
    "dateReserved": "2025-04-16T04:51:24.019Z",
    "dateUpdated": "2025-11-03T17:38:17.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37838 (GCVE-0-2025-37838)

Vulnerability from cvelistv5 – Published: 2025-04-18 14:20 – Updated: 2026-01-02 15:29

Title

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

Summary

In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d03abc1c2b2132455…
	https://git.kernel.org/stable/c/4a8c29beb8a02b5a0…
	https://git.kernel.org/stable/c/72972552d0d0bfeb2…
	https://git.kernel.org/stable/c/d58493832e284f066…
	https://git.kernel.org/stable/c/58eb29dba712ab0f1…
	https://git.kernel.org/stable/c/ae5a6a0b425e8f76a…
	https://git.kernel.org/stable/c/834e602d0cc7c743b…
	https://git.kernel.org/stable/c/4b4194c9a7a8f92db…
	https://git.kernel.org/stable/c/e3f88665a78045fe3…

Impacted products

Vendor

Product

Version

Linux

Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d03abc1c2b21324550fa71e12d53e7d3498e0af6 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 72972552d0d0bfeb2dec5daf343a19018db36ffa (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d58493832e284f066e559b8da5ab20c15a2801d3 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 58eb29dba712ab0f13af59ca2fe545f5ce360e78 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < ae5a6a0b425e8f76a9f0677e50796e494e89b088 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 834e602d0cc7c743bfce734fad4a46cefc0f9ab1 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < e3f88665a78045fe35c7669d2926b8d97b892c11 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-37838",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:38:43.871416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T14:41:43.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:09.541Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/clients/ssi_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/clients/ssi_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, \u0026ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi-\u003ecl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:12.021Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"
        },
        {
          "url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"
        },
        {
          "url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"
        }
      ],
      "title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37838",
    "datePublished": "2025-04-18T14:20:55.389Z",
    "dateReserved": "2025-04-16T04:51:23.952Z",
    "dateUpdated": "2026-01-02T15:29:12.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38468 (GCVE-0-2025-38468)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:12 – Updated: 2025-11-03 17:38

Title

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc 2. netem_dequeue calls enqueue on the child qdisc 3. blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS 4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase 5. As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL 6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON(); ------------------------------------------ The full original bug report can be seen here [1]. We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL. [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fed3570e548a6c9f9…
	https://git.kernel.org/stable/c/5c0506cd1b1a3b145…
	https://git.kernel.org/stable/c/850226aef8d28a00c…
	https://git.kernel.org/stable/c/890a5d423ef0a7bd1…
	https://git.kernel.org/stable/c/7ff2d83ecf2619060…
	https://git.kernel.org/stable/c/e5c480dc62a3025b8…
	https://git.kernel.org/stable/c/3691f84269a23f7ed…
	https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e…

Impacted products

Vendor

Product

Version

Linux

Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 5c0506cd1b1a3b145bda2612bbf7fe78d186c355 (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 850226aef8d28a00cf966ef26d2f8f2bff344535 (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 890a5d423ef0a7bd13447ceaffad21189f557301 (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 7ff2d83ecf2619060f30ecf9fad4f2a700fca344 (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < e5c480dc62a3025b8428d4818e722da30ad6804f (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 3691f84269a23f7edd263e9b6edbc27b7ae332f4 (git)
Affected: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 , < 0e1d5d9b5c5966e2e42e298670808590db5ed628 (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:33.418Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "5c0506cd1b1a3b145bda2612bbf7fe78d186c355",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "850226aef8d28a00cf966ef26d2f8f2bff344535",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "890a5d423ef0a7bd13447ceaffad21189f557301",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "7ff2d83ecf2619060f30ecf9fad4f2a700fca344",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "e5c480dc62a3025b8428d4818e722da30ad6804f",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "3691f84269a23f7edd263e9b6edbc27b7ae332f4",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            },
            {
              "lessThan": "0e1d5d9b5c5966e2e42e298670808590db5ed628",
              "status": "affected",
              "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_htb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n   the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n   just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n   since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\n   htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n   NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n   which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n   hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0)               |  htb_enqueue() {\n 0) + 13.635 us   |    netem_enqueue();\n 0)   4.719 us    |    htb_activate_prios();\n 0) # 2249.199 us |  }\n 0)               |  htb_dequeue() {\n 0)   2.355 us    |    htb_lookup_leaf();\n 0)               |    netem_dequeue() {\n 0) + 11.061 us   |      blackhole_enqueue();\n 0)               |      qdisc_tree_reduce_backlog() {\n 0)               |        qdisc_lookup_rcu() {\n 0)   1.873 us    |          qdisc_match_from_root();\n 0)   6.292 us    |        }\n 0)   1.894 us    |        htb_search();\n 0)               |        htb_qlen_notify() {\n 0)   2.655 us    |          htb_deactivate_prios();\n 0)   6.933 us    |        }\n 0) + 25.227 us   |      }\n 0)   1.983 us    |      blackhole_dequeue();\n 0) + 86.553 us   |    }\n 0) # 2932.761 us |    qdisc_warn_nonwc();\n 0)               |    htb_lookup_leaf() {\n 0)               |      BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:07.848Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355"
        },
        {
          "url": "https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535"
        },
        {
          "url": "https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628"
        }
      ],
      "title": "net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38468",
    "datePublished": "2025-07-28T11:12:20.188Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:33.418Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38540 (GCVE-0-2025-38540)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:22 – Updated: 2026-01-02 15:30

Title

HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. Add these 2 devices to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/35f1a5360ac68d962…
	https://git.kernel.org/stable/c/7ac00f019698f614a…
	https://git.kernel.org/stable/c/1b297ab6f38ca60a4…
	https://git.kernel.org/stable/c/2b0931eee48208c25…
	https://git.kernel.org/stable/c/3ce1d87d1f5d80322…
	https://git.kernel.org/stable/c/c72536350e82b53a1…
	https://git.kernel.org/stable/c/a2a91abd19c574b59…
	https://git.kernel.org/stable/c/54bae4c17c1168833…

Impacted products

Vendor

Product

Version

Linux

Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 35f1a5360ac68d9629abbb3930a0a07901cba296 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 7ac00f019698f614a49cce34c198d0568ab0e1c2 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 1b297ab6f38ca60a4ca7298b297944ec6043b2f4 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 2b0931eee48208c25bb77486946dea8e96aa6a36 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 3ce1d87d1f5d80322757aa917182deb7370963b9 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < c72536350e82b53a1be0f3bfdf1511bba2827102 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < a2a91abd19c574b598b1c69ad76ad9c7eedaf062 (git)
Affected: 83499b52c61f50292f0aae36499de8a8fc3e37c3 , < 54bae4c17c11688339eb73a04fd24203bb6e7494 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:36.320Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35f1a5360ac68d9629abbb3930a0a07901cba296",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "7ac00f019698f614a49cce34c198d0568ab0e1c2",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "1b297ab6f38ca60a4ca7298b297944ec6043b2f4",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "2b0931eee48208c25bb77486946dea8e96aa6a36",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "3ce1d87d1f5d80322757aa917182deb7370963b9",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "c72536350e82b53a1be0f3bfdf1511bba2827102",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "a2a91abd19c574b598b1c69ad76ad9c7eedaf062",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            },
            {
              "lessThan": "54bae4c17c11688339eb73a04fd24203bb6e7494",
              "status": "affected",
              "version": "83499b52c61f50292f0aae36499de8a8fc3e37c3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-ids.h",
            "drivers/hid/hid-quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n\nThe Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 \u0026 04F2:B82C)\nreport a HID sensor interface that is not actually implemented.\nAttempting to access this non-functional sensor via iio_info causes\nsystem hangs as runtime PM tries to wake up an unresponsive sensor.\n\nAdd these 2 devices to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:49.767Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35f1a5360ac68d9629abbb3930a0a07901cba296"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ac00f019698f614a49cce34c198d0568ab0e1c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b297ab6f38ca60a4ca7298b297944ec6043b2f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b0931eee48208c25bb77486946dea8e96aa6a36"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce1d87d1f5d80322757aa917182deb7370963b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c72536350e82b53a1be0f3bfdf1511bba2827102"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2a91abd19c574b598b1c69ad76ad9c7eedaf062"
        },
        {
          "url": "https://git.kernel.org/stable/c/54bae4c17c11688339eb73a04fd24203bb6e7494"
        }
      ],
      "title": "HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38540",
    "datePublished": "2025-08-16T11:22:14.773Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2026-01-02T15:30:49.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38684 (GCVE-0-2025-38684)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

net/sched: ets: use old 'nbands' while purging unused classes

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bdfddcde86e8b9245…
	https://git.kernel.org/stable/c/be9692dafdfb36d9c…
	https://git.kernel.org/stable/c/97ec167cd2e8a81a2…
	https://git.kernel.org/stable/c/84a24fb446ee07b22…
	https://git.kernel.org/stable/c/5b3b346bc4c2aa2c4…
	https://git.kernel.org/stable/c/d69f4a258cd91b3bc…
	https://git.kernel.org/stable/c/970c1c731c4ede46d…
	https://git.kernel.org/stable/c/87c6efc5ce9c126ae…

Impacted products

Vendor

Product

Version

Linux

Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41 (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 97ec167cd2e8a81a2d87331a2ed92daf007542c8 (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 84a24fb446ee07b22b64aae6f0e3f4a38266310a (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 5b3b346bc4c2aa2c428735438a11989d251f32f1 (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < d69f4a258cd91b3bcef7089eb0401005aae2aed5 (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 970c1c731c4ede46d05f5b0355724d1e400cfbca (git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 87c6efc5ce9c126ae4a781bc04504b83780e3650 (git)
Affected: 3b290923ad2b23596208c1e29520badef4356a43 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:11.527Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "97ec167cd2e8a81a2d87331a2ed92daf007542c8",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "84a24fb446ee07b22b64aae6f0e3f4a38266310a",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "5b3b346bc4c2aa2c428735438a11989d251f32f1",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "d69f4a258cd91b3bcef7089eb0401005aae2aed5",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "970c1c731c4ede46d05f5b0355724d1e400cfbca",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "87c6efc5ce9c126ae4a781bc04504b83780e3650",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3b290923ad2b23596208c1e29520badef4356a43",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.296",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: use old \u0027nbands\u0027 while purging unused classes\n\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\nwe purge unused DWRR queues; the value of \u0027q-\u003enbands\u0027 is the new one, and\nthe cleanup should be done with the old one. The problem is here since my\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\nrecent qdisc len accounting fixes. Fix it purging idle DWRR queues before\nassigning a new value of \u0027q-\u003enbands\u0027, so that all purge operations find a\nconsistent configuration:\n\n - old \u0027q-\u003enbands\u0027 because it\u0027s needed by ets_class_find()\n - old \u0027q-\u003enstrict\u0027 because it\u0027s needed by ets_class_is_strict()\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\n Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\n RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\n Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa \u003c48\u003e 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\n RSP: 0018:ffffba186009f400 EFLAGS: 00010202\n RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\n RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\n R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\n R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\n FS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ets_class_qlen_notify+0x65/0x90 [sch_ets]\n  qdisc_tree_reduce_backlog+0x74/0x110\n  ets_qdisc_change+0x630/0xa40 [sch_ets]\n  __tc_modify_qdisc.constprop.0+0x216/0x7f0\n  tc_modify_qdisc+0x7c/0x120\n  rtnetlink_rcv_msg+0x145/0x3f0\n  netlink_rcv_skb+0x53/0x100\n  netlink_unicast+0x245/0x390\n  netlink_sendmsg+0x21b/0x470\n  ____sys_sendmsg+0x39d/0x3d0\n  ___sys_sendmsg+0x9a/0xe0\n  __sys_sendmsg+0x7a/0xd0\n  do_syscall_64+0x7d/0x160\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f2155114084\n Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\n RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\n RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\n R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\n R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\n  \u003c/TASK\u003e\n\n [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\n [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:56.243Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41"
        },
        {
          "url": "https://git.kernel.org/stable/c/be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b"
        },
        {
          "url": "https://git.kernel.org/stable/c/97ec167cd2e8a81a2d87331a2ed92daf007542c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/84a24fb446ee07b22b64aae6f0e3f4a38266310a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b3b346bc4c2aa2c428735438a11989d251f32f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d69f4a258cd91b3bcef7089eb0401005aae2aed5"
        },
        {
          "url": "https://git.kernel.org/stable/c/970c1c731c4ede46d05f5b0355724d1e400cfbca"
        },
        {
          "url": "https://git.kernel.org/stable/c/87c6efc5ce9c126ae4a781bc04504b83780e3650"
        }
      ],
      "title": "net/sched: ets: use old \u0027nbands\u0027 while purging unused classes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38684",
    "datePublished": "2025-09-04T15:32:38.927Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2025-11-03T17:41:11.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38513 (GCVE-0-2025-38513)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:55 – Updated: 2025-11-03 17:39

Title

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1958270de947604c…
	https://git.kernel.org/stable/c/014c34dc132015c4f…
	https://git.kernel.org/stable/c/b24f65c184540dfb9…
	https://git.kernel.org/stable/c/adf08c96b963c7cd7…
	https://git.kernel.org/stable/c/5420de65efbeb6503…
	https://git.kernel.org/stable/c/fcd9c923b58e86501…
	https://git.kernel.org/stable/c/602b4eb2f25668de1…
	https://git.kernel.org/stable/c/74b1ec9f5d627d2bd…

Impacted products

Vendor

Product

Version

Linux

Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < c1958270de947604cc6de05fc96dbba256b49cf0 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 014c34dc132015c4f918ada4982e952947ac1047 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < b24f65c184540dfb967479320ecf7e8c2e9220dc (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < adf08c96b963c7cd7ec1ee1c0c556228d9bedaae (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 5420de65efbeb6503bcf1d43451c9df67ad60298 (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < fcd9c923b58e86501450b9b442ccc7ce4a8d0fda (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 602b4eb2f25668de15de69860ec99caf65b3684d (git)
Affected: 459c51ad6e1fc19e91a53798358433d3c08cd09d , < 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:16.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1958270de947604cc6de05fc96dbba256b49cf0",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "014c34dc132015c4f918ada4982e952947ac1047",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "b24f65c184540dfb967479320ecf7e8c2e9220dc",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "adf08c96b963c7cd7ec1ee1c0c556228d9bedaae",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "5420de65efbeb6503bcf1d43451c9df67ad60298",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "fcd9c923b58e86501450b9b442ccc7ce4a8d0fda",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "602b4eb2f25668de15de69860ec99caf65b3684d",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            },
            {
              "lessThan": "74b1ec9f5d627d2bdd5e5b6f3f81c23317657023",
              "status": "affected",
              "version": "459c51ad6e1fc19e91a53798358433d3c08cd09d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/zydas/zd1211rw/zd_mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len \u003e ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(\u0026q-\u003elock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i\u003cposition; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac-\u003etype == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(\u0026q-\u003elock, flags);\n\n    skb_dequeue() -\u003e NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:55:00.254Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047"
        },
        {
          "url": "https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae"
        },
        {
          "url": "https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda"
        },
        {
          "url": "https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d"
        },
        {
          "url": "https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023"
        }
      ],
      "title": "wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38513",
    "datePublished": "2025-08-16T10:55:00.254Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-11-03T17:39:16.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38595 (GCVE-0-2025-38595)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

xen: fix UAF in dmabuf_exp_from_pages()

Summary

In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the objects destroyed on close - starting with gntdev_dmabuf itself. Fix that by doing reserving descriptor before anything else and do fd_install() only when everything had been set up.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e5907885260401bba…
	https://git.kernel.org/stable/c/3edfd2353f301bfff…
	https://git.kernel.org/stable/c/d59d49af4aeed9a81…
	https://git.kernel.org/stable/c/532c8b51b3a8676cb…

Impacted products

Vendor

Product

Version

Linux

Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901 , < e5907885260401bba300d4d18d79875c05b82651 (git)
Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901 , < 3edfd2353f301bfffd5ee41066e37320a59ccc2d (git)
Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901 , < d59d49af4aeed9a81e673e37c26c6a3bacf1a181 (git)
Affected: a240d6e42e28c34fdc34b3a98ca838a31c939901 , < 532c8b51b3a8676cbf533a291f8156774f30ea87 (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev-dmabuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5907885260401bba300d4d18d79875c05b82651",
              "status": "affected",
              "version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
              "versionType": "git"
            },
            {
              "lessThan": "3edfd2353f301bfffd5ee41066e37320a59ccc2d",
              "status": "affected",
              "version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
              "versionType": "git"
            },
            {
              "lessThan": "d59d49af4aeed9a81e673e37c26c6a3bacf1a181",
              "status": "affected",
              "version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
              "versionType": "git"
            },
            {
              "lessThan": "532c8b51b3a8676cbf533a291f8156774f30ea87",
              "status": "affected",
              "version": "a240d6e42e28c34fdc34b3a98ca838a31c939901",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev-dmabuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we\u0027d inserted a file reference into descriptor table, another\nthread could close it.  That\u0027s fine for the case when all we are doing is\nreturning that descriptor to userland (it\u0027s a race, but it\u0027s a userland\nrace and there\u0027s nothing the kernel can do about it).  However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its -\u003erelease()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by doing reserving descriptor before anything else and do\nfd_install() only when everything had been set up."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:28.767Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651"
        },
        {
          "url": "https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181"
        },
        {
          "url": "https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87"
        }
      ],
      "title": "xen: fix UAF in dmabuf_exp_from_pages()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38595",
    "datePublished": "2025-08-19T17:03:25.527Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-09-29T05:54:28.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38644 (GCVE-0-2025-38644)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

wifi: mac80211: reject TDLS operations when station is not associated

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state like sdata->u.mgd.tdls_peer uninitialized, leading to a WARN_ON() in code paths that assumed it was valid. Reject the operation early if not in station mode or not associated.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c84204cf0bbe89e4…
	https://git.kernel.org/stable/c/378ae9ccaea3f4458…
	https://git.kernel.org/stable/c/af72badd5ee423eb1…
	https://git.kernel.org/stable/c/4df663d4c1ca386dc…
	https://git.kernel.org/stable/c/31af06b574394530f…
	https://git.kernel.org/stable/c/16ecdab5446f15a61…

Impacted products

Vendor

Product

Version

Linux

Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 0c84204cf0bbe89e454a5caccc6a908bc7db1542 (git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 378ae9ccaea3f445838a087962a067b5cb2e8577 (git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < af72badd5ee423eb16f6ad7fe0a62f1b4252d848 (git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 4df663d4c1ca386dcab2f743dfc9f0cc07aef73c (git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 31af06b574394530f68a4310c45ecbe2f68853c4 (git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 16ecdab5446f15a61ec88eb0d23d25d009821db0 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:40.962Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tdls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c84204cf0bbe89e454a5caccc6a908bc7db1542",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            },
            {
              "lessThan": "378ae9ccaea3f445838a087962a067b5cb2e8577",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            },
            {
              "lessThan": "af72badd5ee423eb16f6ad7fe0a62f1b4252d848",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            },
            {
              "lessThan": "4df663d4c1ca386dcab2f743dfc9f0cc07aef73c",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            },
            {
              "lessThan": "31af06b574394530f68a4310c45ecbe2f68853c4",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            },
            {
              "lessThan": "16ecdab5446f15a61ec88eb0d23d25d009821db0",
              "status": "affected",
              "version": "81dd2b8822410e56048b927be779d95a2b6dc186",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tdls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:24.140Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542"
        },
        {
          "url": "https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577"
        },
        {
          "url": "https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848"
        },
        {
          "url": "https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c"
        },
        {
          "url": "https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0"
        }
      ],
      "title": "wifi: mac80211: reject TDLS operations when station is not associated",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38644",
    "datePublished": "2025-08-22T16:00:49.899Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:40.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38634 (GCVE-0-2025-38634)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

power: supply: cpcap-charger: Fix null check for power_supply_get_by_name

Summary

In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-charger: Fix null check for power_supply_get_by_name In the cpcap_usb_detect() function, the power_supply_get_by_name() function may return `NULL` instead of an error pointer. To prevent potential null pointer dereferences, Added a null check.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ebbb9106aaa2fd58…
	https://git.kernel.org/stable/c/a2436263144980cc9…
	https://git.kernel.org/stable/c/8e9bdb563916287ba…
	https://git.kernel.org/stable/c/f642500aa7ed93d26…
	https://git.kernel.org/stable/c/9784d832d7c103539…
	https://git.kernel.org/stable/c/27001e4f146624c4b…
	https://git.kernel.org/stable/c/d9fa3aae08f99493e…

Impacted products

Vendor

Product

Version

Linux

Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < 4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < a2436263144980cc99a9860c7b43335847afbe53 (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < 8e9bdb563916287ba1b4258812434e0585ac6d00 (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < f642500aa7ed93d2606e4f929244cce9c7467b3a (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < 9784d832d7c103539cd9afb376534eaa35815d3d (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < 27001e4f146624c4b3389b029bdc0f8049819560 (git)
Affected: eab4e6d953c1059a30ac0f15826abc7dd2374d3c , < d9fa3aae08f99493e67fb79413c0e95d30fca5e9 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:36.216Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/power/supply/cpcap-charger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "a2436263144980cc99a9860c7b43335847afbe53",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "8e9bdb563916287ba1b4258812434e0585ac6d00",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "f642500aa7ed93d2606e4f929244cce9c7467b3a",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "9784d832d7c103539cd9afb376534eaa35815d3d",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "27001e4f146624c4b3389b029bdc0f8049819560",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            },
            {
              "lessThan": "d9fa3aae08f99493e67fb79413c0e95d30fca5e9",
              "status": "affected",
              "version": "eab4e6d953c1059a30ac0f15826abc7dd2374d3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/power/supply/cpcap-charger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cpcap-charger: Fix null check for power_supply_get_by_name\n\nIn the cpcap_usb_detect() function, the power_supply_get_by_name()\nfunction may return `NULL` instead of an error pointer.\nTo prevent potential null pointer dereferences, Added a null check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:13.375Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2436263144980cc99a9860c7b43335847afbe53"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e9bdb563916287ba1b4258812434e0585ac6d00"
        },
        {
          "url": "https://git.kernel.org/stable/c/f642500aa7ed93d2606e4f929244cce9c7467b3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9784d832d7c103539cd9afb376534eaa35815d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/27001e4f146624c4b3389b029bdc0f8049819560"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9fa3aae08f99493e67fb79413c0e95d30fca5e9"
        }
      ],
      "title": "power: supply: cpcap-charger: Fix null check for power_supply_get_by_name",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38634",
    "datePublished": "2025-08-22T16:00:42.376Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:36.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39818 (GCVE-0-2025-39818)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2026-01-14 18:22

Title

HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save Improper use of secondary pointer (&dev->i2c_subip_regs) caused kernel crash and out-of-bounds error: BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510 Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107 CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary) Workqueue: async async_run_entry_fn Call Trace: <TASK> dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x660 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? kasan_complete_mode_report_info+0x26/0x200 kasan_report+0xe1/0x120 ? _regmap_bulk_read+0x449/0x510 ? _regmap_bulk_read+0x449/0x510 __asan_report_store4_noabort+0x17/0x30 _regmap_bulk_read+0x449/0x510 ? __pfx__regmap_bulk_read+0x10/0x10 regmap_bulk_read+0x270/0x3d0 pio_complete+0x1ee/0x2c0 [intel_thc] ? __pfx_pio_complete+0x10/0x10 [intel_thc] ? __pfx_pio_wait+0x10/0x10 [intel_thc] ? regmap_update_bits_base+0x13b/0x1f0 thc_i2c_subip_pio_read+0x117/0x270 [intel_thc] thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc] ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc] [...] The buggy address belongs to the object at ffff888136005d00 which belongs to the cache kmalloc-rnd-12-192 of size 192 The buggy address is located 0 bytes to the right of allocated 192-byte region [ffff888136005d00, ffff888136005dc0) Replaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure safe memory access.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/78d4cf0466c79452e…
	https://git.kernel.org/stable/c/a7fc15ed629be89e5…

Impacted products

Vendor

Product

Version

Linux

Affected: 4228966def884c6e34b85cdc7118c5d013e1718f , < 78d4cf0466c79452e47aa6f720afbde63e709ccc (git)
Affected: 4228966def884c6e34b85cdc7118c5d013e1718f , < a7fc15ed629be89e51e09b743277c53e0a0168f5 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-39818",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T18:16:14.710756Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T18:22:55.882Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78d4cf0466c79452e47aa6f720afbde63e709ccc",
              "status": "affected",
              "version": "4228966def884c6e34b85cdc7118c5d013e1718f",
              "versionType": "git"
            },
            {
              "lessThan": "a7fc15ed629be89e51e09b743277c53e0a0168f5",
              "status": "affected",
              "version": "4228966def884c6e34b85cdc7118c5d013e1718f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save\n\nImproper use of secondary pointer (\u0026dev-\u003ei2c_subip_regs) caused\nkernel crash and out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510\n Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107\n\n CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\n Workqueue: async async_run_entry_fn\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x76/0xa0\n  print_report+0xd1/0x660\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  ? kasan_complete_mode_report_info+0x26/0x200\n  kasan_report+0xe1/0x120\n  ? _regmap_bulk_read+0x449/0x510\n  ? _regmap_bulk_read+0x449/0x510\n  __asan_report_store4_noabort+0x17/0x30\n  _regmap_bulk_read+0x449/0x510\n  ? __pfx__regmap_bulk_read+0x10/0x10\n  regmap_bulk_read+0x270/0x3d0\n  pio_complete+0x1ee/0x2c0 [intel_thc]\n  ? __pfx_pio_complete+0x10/0x10 [intel_thc]\n  ? __pfx_pio_wait+0x10/0x10 [intel_thc]\n  ? regmap_update_bits_base+0x13b/0x1f0\n  thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]\n  thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]\n  ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]\n[...]\n The buggy address belongs to the object at ffff888136005d00\n  which belongs to the cache kmalloc-rnd-12-192 of size 192\n The buggy address is located 0 bytes to the right of\n  allocated 192-byte region [ffff888136005d00, ffff888136005dc0)\n\nReplaced with direct array indexing (\u0026dev-\u003ei2c_subip_regs[i]) to ensure\nsafe memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:16.826Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78d4cf0466c79452e47aa6f720afbde63e709ccc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7fc15ed629be89e51e09b743277c53e0a0168f5"
        }
      ],
      "title": "HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39818",
    "datePublished": "2025-09-16T13:00:18.490Z",
    "dateReserved": "2025-04-16T07:20:57.138Z",
    "dateUpdated": "2026-01-14T18:22:55.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38095 (GCVE-0-2025-38095)

Vulnerability from cvelistv5 – Published: 2025-07-03 07:44 – Updated: 2025-11-03 19:58

Title

dma-buf: insert memory barrier before updating num_fences

Summary

In the Linux kernel, the following vulnerability has been resolved: dma-buf: insert memory barrier before updating num_fences smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/90eb79c4ed98a4e24…
	https://git.kernel.org/stable/c/d0b7f11dd68b593bd…
	https://git.kernel.org/stable/c/3becc659f9cb76b48…
	https://git.kernel.org/stable/c/c9d2b9a80d06a58f3…
	https://git.kernel.org/stable/c/fe1bebd0edb22e353…
	https://git.kernel.org/stable/c/08680c4dadc6e736c…
	https://git.kernel.org/stable/c/72c7d62583ebce7ba…

Impacted products

Vendor

Product

Version

Linux

Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < 90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < d0b7f11dd68b593bd970e5735be00e8d89bace30 (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < 3becc659f9cb76b481ad1fb71f54d5c8d6332d3f (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < c9d2b9a80d06a58f37e0dc8c827075639b443927 (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < fe1bebd0edb22e3536cbc920ec713331d1367ad4 (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < 08680c4dadc6e736c75bc2409d833f03f9003c51 (git)
Affected: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 , < 72c7d62583ebce7baeb61acce6057c361f73be4a (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.140 , ≤ 6.1.* (semver)
Unaffected: 6.6.92 , ≤ 6.6.* (semver)
Unaffected: 6.12.30 , ≤ 6.12.* (semver)
Unaffected: 6.14.8 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:27.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma-buf/dma-resv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "d0b7f11dd68b593bd970e5735be00e8d89bace30",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "3becc659f9cb76b481ad1fb71f54d5c8d6332d3f",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "c9d2b9a80d06a58f37e0dc8c827075639b443927",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "fe1bebd0edb22e3536cbc920ec713331d1367ad4",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "08680c4dadc6e736c75bc2409d833f03f9003c51",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            },
            {
              "lessThan": "72c7d62583ebce7baeb61acce6057c361f73be4a",
              "status": "affected",
              "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma-buf/dma-resv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: insert memory barrier before updating num_fences\n\nsmp_store_mb() inserts memory barrier after storing operation.\nIt is different with what the comment is originally aiming so Null\npointer dereference can be happened if memory update is reordered."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:06:06.983Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0b7f11dd68b593bd970e5735be00e8d89bace30"
        },
        {
          "url": "https://git.kernel.org/stable/c/3becc659f9cb76b481ad1fb71f54d5c8d6332d3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9d2b9a80d06a58f37e0dc8c827075639b443927"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe1bebd0edb22e3536cbc920ec713331d1367ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/08680c4dadc6e736c75bc2409d833f03f9003c51"
        },
        {
          "url": "https://git.kernel.org/stable/c/72c7d62583ebce7baeb61acce6057c361f73be4a"
        }
      ],
      "title": "dma-buf: insert memory barrier before updating num_fences",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38095",
    "datePublished": "2025-07-03T07:44:18.214Z",
    "dateReserved": "2025-04-16T04:51:23.984Z",
    "dateUpdated": "2025-11-03T19:58:27.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38680 (GCVE-0-2025-38680)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9ad554217c9b94503…
	https://git.kernel.org/stable/c/1e269581b3aa5962f…
	https://git.kernel.org/stable/c/8343f3fe0b755925f…
	https://git.kernel.org/stable/c/ffdd82182953df643…
	https://git.kernel.org/stable/c/a97e062e4ff3dab84…
	https://git.kernel.org/stable/c/cac702a439050df65…
	https://git.kernel.org/stable/c/424980d33b3f81648…
	https://git.kernel.org/stable/c/6d4a7c0b296162354…
	https://git.kernel.org/stable/c/782b6a718651eda34…

Impacted products

Vendor

Product

Version

Linux

Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 9ad554217c9b945031c73df4e8176a475e2dea57 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 1e269581b3aa5962fdc52757ab40da286168c087 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 8343f3fe0b755925f83d60b05e92bf4396879758 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < ffdd82182953df643aa63d999b6f1653d0c93778 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < cac702a439050df65272c49184aef7975fe3eff2 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 424980d33b3f816485513e538610168b03fab9f1 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 6d4a7c0b296162354b6fc759a1475b9d57ddfaa6 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 782b6a718651eda3478b1824b37a8b3185d2740c (git)

Linux

Affected: 2.6.26
Unaffected: 0 , < 2.6.26 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:05.708Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ad554217c9b945031c73df4e8176a475e2dea57",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "1e269581b3aa5962fdc52757ab40da286168c087",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "8343f3fe0b755925f83d60b05e92bf4396879758",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "ffdd82182953df643aa63d999b6f1653d0c93778",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "cac702a439050df65272c49184aef7975fe3eff2",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "424980d33b3f816485513e538610168b03fab9f1",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "6d4a7c0b296162354b6fc759a1475b9d57ddfaa6",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "782b6a718651eda3478b1824b37a8b3185d2740c",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\n\nThe buffer length check before calling uvc_parse_format() only ensured\nthat the buffer has at least 3 bytes (buflen \u003e 2), buf the function\naccesses buffer[3], requiring at least 4 bytes.\n\nThis can lead to an out-of-bounds read if the buffer has exactly 3 bytes.\n\nFix it by checking that the buffer has at least 4 bytes in\nuvc_parse_format()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:51.163Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ad554217c9b945031c73df4e8176a475e2dea57"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e269581b3aa5962fdc52757ab40da286168c087"
        },
        {
          "url": "https://git.kernel.org/stable/c/8343f3fe0b755925f83d60b05e92bf4396879758"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffdd82182953df643aa63d999b6f1653d0c93778"
        },
        {
          "url": "https://git.kernel.org/stable/c/a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cac702a439050df65272c49184aef7975fe3eff2"
        },
        {
          "url": "https://git.kernel.org/stable/c/424980d33b3f816485513e538610168b03fab9f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d4a7c0b296162354b6fc759a1475b9d57ddfaa6"
        },
        {
          "url": "https://git.kernel.org/stable/c/782b6a718651eda3478b1824b37a8b3185d2740c"
        }
      ],
      "title": "media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38680",
    "datePublished": "2025-09-04T15:32:35.963Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-11-03T17:41:05.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38670 (GCVE-0-2025-38670)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:03 – Updated: 2025-12-23 16:40

Title

arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f7e0231eeaa33245c…
	https://git.kernel.org/stable/c/407047893a64399f2…
	https://git.kernel.org/stable/c/a6b0cb523eaa01efe…
	https://git.kernel.org/stable/c/9433a5f437b0948d6…
	https://git.kernel.org/stable/c/708fd522b86d2a954…
	https://git.kernel.org/stable/c/0f67015d72627bad7…
	https://git.kernel.org/stable/c/d42e6c20de6192f8e…

Impacted products

Vendor

Product

Version

Linux

Affected: 3f225f29c69c13ce1cbdb1d607a42efeef080056 , < f7e0231eeaa33245c649fac0303cf97209605446 (git)
Affected: 402d2b1d54b7085d0c3bfd01fd50c2701dde64b3 , < 407047893a64399f2d2390ff35cc6061107d805d (git)
Affected: 4403c7b7e5e1ad09a266b6e399fd7bf97931508e , < a6b0cb523eaa01efe8a3f76ced493ba60674c6e6 (git)
Affected: 59b37fe52f49955791a460752c37145f1afdcad1 , < 9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61 (git)
Affected: 59b37fe52f49955791a460752c37145f1afdcad1 , < 708fd522b86d2a9544c34ec6a86fa3fc23336525 (git)
Affected: 59b37fe52f49955791a460752c37145f1afdcad1 , < 0f67015d72627bad72da3c2084352e0aa134416b (git)
Affected: 59b37fe52f49955791a460752c37145f1afdcad1 , < d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb (git)
Affected: e47ce4f11e26fa3ea99b09521da8b3ac3a7b578d (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 5.10.210 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.101 , ≤ 6.6.* (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:56.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/assembler.h",
            "arch/arm64/kernel/entry.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f7e0231eeaa33245c649fac0303cf97209605446",
              "status": "affected",
              "version": "3f225f29c69c13ce1cbdb1d607a42efeef080056",
              "versionType": "git"
            },
            {
              "lessThan": "407047893a64399f2d2390ff35cc6061107d805d",
              "status": "affected",
              "version": "402d2b1d54b7085d0c3bfd01fd50c2701dde64b3",
              "versionType": "git"
            },
            {
              "lessThan": "a6b0cb523eaa01efe8a3f76ced493ba60674c6e6",
              "status": "affected",
              "version": "4403c7b7e5e1ad09a266b6e399fd7bf97931508e",
              "versionType": "git"
            },
            {
              "lessThan": "9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61",
              "status": "affected",
              "version": "59b37fe52f49955791a460752c37145f1afdcad1",
              "versionType": "git"
            },
            {
              "lessThan": "708fd522b86d2a9544c34ec6a86fa3fc23336525",
              "status": "affected",
              "version": "59b37fe52f49955791a460752c37145f1afdcad1",
              "versionType": "git"
            },
            {
              "lessThan": "0f67015d72627bad72da3c2084352e0aa134416b",
              "status": "affected",
              "version": "59b37fe52f49955791a460752c37145f1afdcad1",
              "versionType": "git"
            },
            {
              "lessThan": "d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb",
              "status": "affected",
              "version": "59b37fe52f49955791a460752c37145f1afdcad1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e47ce4f11e26fa3ea99b09521da8b3ac3a7b578d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/assembler.h",
            "arch/arm64/kernel/entry.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.210",
                  "versionStartIncluding": "5.10.180",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.111",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.1.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.101",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\n\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\nto different stacks along with the Shadow Call Stack if it is enabled.\nThose two stack changes cannot be done atomically and both functions\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\nis very much broken : if interrupted, we can end up with mismatched stacks\nand Shadow Call Stack leading to clobbered stacks.\n\nIn `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,\nbut x18 stills points to the old task\u0027s SCS. When the interrupt handler\ntries to save the task\u0027s SCS pointer, it will save the old task\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\nclobbering it.\n\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\nto the IRQ stack and when switching back. In both cases, we can be\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\nthe task stack. The nested interrupt handler pushes its return addresses\non the IRQ SCS. It then detects that SP points to the task stack,\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\nthe IRQ SCS pointer, which it will also use !\n\nThis leads to tasks returning to addresses on the wrong SCS,\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\nor FPAC if enabled.\n\nThis is possible on a default config, but unlikely.\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\ninstead the GIC is responsible for filtering what interrupts the CPU\nshould receive based on priority.\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\nfrequently depending on the system configuration and workload, leading\nto unpredictable kernel panics.\n\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\nDo the same in `call_on_irq_stack()`, but restore and mask around\nthe branch.\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\nof behaviour between all configurations.\n\nIntroduce and use an assembly macro for saving and masking DAIF,\nas the existing one saves but only masks IF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T16:40:12.773Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446"
        },
        {
          "url": "https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61"
        },
        {
          "url": "https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb"
        }
      ],
      "title": "arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38670",
    "datePublished": "2025-08-22T16:03:01.242Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-12-23T16:40:12.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38448 (GCVE-0-2025-38448)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

usb: gadget: u_serial: Fix race condition in TTY wakeup

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/18d58a467ccf01107…
	https://git.kernel.org/stable/c/d43657b59f36e8828…
	https://git.kernel.org/stable/c/a5012673d49788f16…
	https://git.kernel.org/stable/c/ee8d688e2ba558f3b…
	https://git.kernel.org/stable/c/c6eb4a05af3d0ba3b…
	https://git.kernel.org/stable/c/abf3620cba68e0e51…
	https://git.kernel.org/stable/c/c8c80a3a35c2e3488…
	https://git.kernel.org/stable/c/c529c3730bd091156…

Impacted products

Vendor

Product

Version

Linux

Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < 18d58a467ccf011078352d91b4d6a0108c7318e8 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < d43657b59f36e88289a6066f15bc9a80df5014eb (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < a5012673d49788f16bb4e375b002d7743eb642d9 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < ee8d688e2ba558f3bb8ac225113740be5f335417 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c6eb4a05af3d0ba3bc4e8159287722fb9abc6359 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < abf3620cba68e0e51e5c21054ce4f925f75b3661 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c8c80a3a35c2e3488409de2d5376ef7e662a2bf5 (git)
Affected: 35f95fd7f234d2b58803bab6f6ebd6bb988050a2 , < c529c3730bd09115684644e26bf01ecbd7e2c2c9 (git)

Linux

Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:09.442Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18d58a467ccf011078352d91b4d6a0108c7318e8",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "d43657b59f36e88289a6066f15bc9a80df5014eb",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "a5012673d49788f16bb4e375b002d7743eb642d9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "ee8d688e2ba558f3bb8ac225113740be5f335417",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c6eb4a05af3d0ba3bc4e8159287722fb9abc6359",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "abf3620cba68e0e51e5c21054ce4f925f75b3661",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c8c80a3a35c2e3488409de2d5376ef7e662a2bf5",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            },
            {
              "lessThan": "c529c3730bd09115684644e26bf01ecbd7e2c2c9",
              "status": "affected",
              "version": "35f95fd7f234d2b58803bab6f6ebd6bb988050a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix race condition in TTY wakeup\n\nA race condition occurs when gs_start_io() calls either gs_start_rx() or\ngs_start_tx(), as those functions briefly drop the port_lock for\nusb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear\nport.tty and port_usb, respectively.\n\nUse the null-safe TTY Port helper function to wake up TTY.\n\nExample\n  CPU1:\t\t\t      CPU2:\n  gserial_connect() // lock\n  \t\t\t      gs_close() // await lock\n  gs_start_rx()     // unlock\n  usb_ep_queue()\n  \t\t\t      gs_close() // lock, reset port.tty and unlock\n  gs_start_rx()     // lock\n  tty_wakeup()      // NPE"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:33.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18d58a467ccf011078352d91b4d6a0108c7318e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d43657b59f36e88289a6066f15bc9a80df5014eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5012673d49788f16bb4e375b002d7743eb642d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee8d688e2ba558f3bb8ac225113740be5f335417"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6eb4a05af3d0ba3bc4e8159287722fb9abc6359"
        },
        {
          "url": "https://git.kernel.org/stable/c/abf3620cba68e0e51e5c21054ce4f925f75b3661"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8c80a3a35c2e3488409de2d5376ef7e662a2bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c529c3730bd09115684644e26bf01ecbd7e2c2c9"
        }
      ],
      "title": "usb: gadget: u_serial: Fix race condition in TTY wakeup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38448",
    "datePublished": "2025-07-25T15:27:30.040Z",
    "dateReserved": "2025-04-16T04:51:24.018Z",
    "dateUpdated": "2025-11-03T17:38:09.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38646 (GCVE-0-2025-38646)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55

Title

wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band With a quite rare chance, RX report might be problematic to make SW think a packet is received on 6 GHz band even if the chip does not support 6 GHz band actually. Since SW won't initialize stuffs for unsupported bands, NULL dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -> rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it. The following is a crash log for this case. BUG: kernel NULL pointer dereference, address: 0000000000000032 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024 RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)] __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)] rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)] rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/892b29eab44b1803d…
	https://git.kernel.org/stable/c/77a7a48f87d673a68…
	https://git.kernel.org/stable/c/f3527ac15a00916e6…
	https://git.kernel.org/stable/c/4b525630729082f02…
	https://git.kernel.org/stable/c/7e04f01bb94fe61c7…

Impacted products

Vendor

Product

Version

Linux

Affected: c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0 , < 892b29eab44b1803d2cad8e50f1bc2144ef478cb (git)
Affected: c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0 , < 77a7a48f87d673a68664bebf044214821decbfda (git)
Affected: c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0 , < f3527ac15a00916e68ecb495b74dbe6a6c62a06f (git)
Affected: c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0 , < 4b525630729082f026e7030eafccf89e3add7eae (git)
Affected: c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0 , < 7e04f01bb94fe61c73cc59f0495c3b6c16a83231 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "892b29eab44b1803d2cad8e50f1bc2144ef478cb",
              "status": "affected",
              "version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
              "versionType": "git"
            },
            {
              "lessThan": "77a7a48f87d673a68664bebf044214821decbfda",
              "status": "affected",
              "version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
              "versionType": "git"
            },
            {
              "lessThan": "f3527ac15a00916e68ecb495b74dbe6a6c62a06f",
              "status": "affected",
              "version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
              "versionType": "git"
            },
            {
              "lessThan": "4b525630729082f026e7030eafccf89e3add7eae",
              "status": "affected",
              "version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
              "versionType": "git"
            },
            {
              "lessThan": "7e04f01bb94fe61c73cc59f0495c3b6c16a83231",
              "status": "affected",
              "version": "c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band\n\nWith a quite rare chance, RX report might be problematic to make SW think\na packet is received on 6 GHz band even if the chip does not support 6 GHz\nband actually. Since SW won\u0027t initialize stuffs for unsupported bands, NULL\ndereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -\u003e\nrtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.\n\nThe following is a crash log for this case.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000032\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G     U             6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)\n Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024\n RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]\n Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11\n 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 \u003c41\u003e 33 45\n 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85\n RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246\n RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011\n RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6\n RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4\n R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n  \u003cIRQ\u003e\n  ? __die_body+0x68/0xb0\n  ? page_fault_oops+0x379/0x3e0\n  ? exc_page_fault+0x4f/0xa0\n  ? asm_exc_page_fault+0x22/0x30\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]\n  __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]\n  rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]\n  rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:26.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/892b29eab44b1803d2cad8e50f1bc2144ef478cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/77a7a48f87d673a68664bebf044214821decbfda"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3527ac15a00916e68ecb495b74dbe6a6c62a06f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b525630729082f026e7030eafccf89e3add7eae"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e04f01bb94fe61c73cc59f0495c3b6c16a83231"
        }
      ],
      "title": "wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38646",
    "datePublished": "2025-08-22T16:00:51.397Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-09-29T05:55:26.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38502 (GCVE-0-2025-38502)

Vulnerability from cvelistv5 – Published: 2025-08-16 09:34 – Updated: 2025-11-03 17:39

Title

bpf: Fix oob access in cgroup local storage

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context: ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx->prog_item->cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf); For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1c74584b9b4043c5…
	https://git.kernel.org/stable/c/66da7cee78590259b…
	https://git.kernel.org/stable/c/7acfa07c585e3d7a6…
	https://git.kernel.org/stable/c/41688d1fc5d163a6c…
	https://git.kernel.org/stable/c/19341d5c59e8c7e85…
	https://git.kernel.org/stable/c/abad3d0bad72a5213…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < c1c74584b9b4043c52e41fec415226e582d266a3 (git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 66da7cee78590259b400e51a70622ccd41da7bb2 (git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 7acfa07c585e3d7a64654d38f0a5c762877d0b9b (git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 41688d1fc5d163a6c2c0e95c0419e2cb31a44648 (git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < 19341d5c59e8c7e8528e40f8663e99d67810473c (git)
Affected: 7d9c3427894fe70d1347b4820476bf37736d2ff0 , < abad3d0bad72a52137e0c350c59542d75ae4f513 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:11.518Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1c74584b9b4043c52e41fec415226e582d266a3",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "66da7cee78590259b400e51a70622ccd41da7bb2",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "7acfa07c585e3d7a64654d38f0a5c762877d0b9b",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "41688d1fc5d163a6c2c0e95c0419e2cb31a44648",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "19341d5c59e8c7e8528e40f8663e99d67810473c",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "abad3d0bad72a52137e0c350c59542d75ae4f513",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe indivial programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds an bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n  ctx = container_of(current-\u003ebpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n  storage = ctx-\u003eprog_item-\u003ecgroup_storage[stype];\n\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\n    ptr = \u0026READ_ONCE(storage-\u003ebuf)-\u003edata[0];\n  else\n    ptr = this_cpu_ptr(storage-\u003epercpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram\u0027s map, not its own. With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:38.815Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648"
        },
        {
          "url": "https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c"
        },
        {
          "url": "https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513"
        }
      ],
      "title": "bpf: Fix oob access in cgroup local storage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38502",
    "datePublished": "2025-08-16T09:34:25.135Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-11-03T17:39:11.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38465 (GCVE-0-2025-38465)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

netlink: Fix wraparounds of sk->sk_rmem_alloc.

Summary

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9da025150b7c14a83…
	https://git.kernel.org/stable/c/c4ceaac5c5ba0b992…
	https://git.kernel.org/stable/c/fd69af06101090eaa…
	https://git.kernel.org/stable/c/76602d8e138645243…
	https://git.kernel.org/stable/c/55baecb9eb90238f6…
	https://git.kernel.org/stable/c/4b8e18af7bea92f8b…
	https://git.kernel.org/stable/c/cd7ff61bfffd70001…
	https://git.kernel.org/stable/c/ae8f160e7eb24240a…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9da025150b7c14a8390fc06aea314c0a4011e82c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd69af06101090eaa60b3d216ae715f9c0a58e5b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 76602d8e13864524382b0687dc32cd8f19164d5a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 55baecb9eb90238f60a8350660d6762046ebd3bd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b8e18af7bea92f8b7fb92d40aeae729209db250 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd7ff61bfffd7000143c42bbffb85eeb792466d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:27.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9da025150b7c14a8390fc06aea314c0a4011e82c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fd69af06101090eaa60b3d216ae715f9c0a58e5b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "76602d8e13864524382b0687dc32cd8f19164d5a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "55baecb9eb90238f60a8350660d6762046ebd3bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4b8e18af7bea92f8b7fb92d40aeae729209db250",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cd7ff61bfffd7000143c42bbffb85eeb792466d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n  if (atomic_read(\u0026sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n  \tatomic_add(skb-\u003etruesize, \u0026sk-\u003esk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk-\u003esk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk-\u003esk_rmem_alloc.\n\nLet\u0027s fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q      Send-Q Local Address:Port                Peer Address:Port\n  -1668710080 0               rtnl:nl_wraparound/293               *\n\nAfter:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q     Send-Q Local Address:Port                Peer Address:Port\n  2147483072 0               rtnl:nl_wraparound/290               *\n  ^\n  `--- INT_MAX - 576"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:13.790Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc"
        }
      ],
      "title": "netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38465",
    "datePublished": "2025-07-25T15:27:47.510Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:27.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38652 (GCVE-0-2025-38652)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

f2fs: fix to avoid out-of-boundary access in devs.path

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in devs.path - touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - truncate -s $((1024*1024*1024)) \ /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - touch /mnt/f2fs/file - truncate -s $((1024*1024*1024)) /mnt/f2fs/file - mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ -c /mnt/f2fs/file - mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ /mnt/f2fs/loop [16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path. struct f2fs_dev_info { ... char path[MAX_PATH_LEN]; ... }; Let's add one byte space for sbi->devs.path[] to store null character of device path string.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dc0172c74bd9edaee…
	https://git.kernel.org/stable/c/1cf1ff15f262e8baf…
	https://git.kernel.org/stable/c/666b7cf6ac9aa074b…
	https://git.kernel.org/stable/c/3466721f06edff834…
	https://git.kernel.org/stable/c/345fc8d1838f3f8be…
	https://git.kernel.org/stable/c/70849d33130a2cf1d…
	https://git.kernel.org/stable/c/755427093e4294ac1…
	https://git.kernel.org/stable/c/1b1efa5f0e878745e…
	https://git.kernel.org/stable/c/5661998536af52848…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < dc0172c74bd9edaee7bea2ebb35f3dbd37a8ae80 (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 1cf1ff15f262e8baf12201b270b6a79f9d119b2d (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 666b7cf6ac9aa074b8319a2b68cba7f2c30023f0 (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 3466721f06edff834f99d9f49f23eabc6b2cb78e (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 345fc8d1838f3f8be7c8ed08d86a13dedef67136 (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 70849d33130a2cf1d6010069ed200669c8651fbd (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 755427093e4294ac111c3f9e40d53f681a0fbdaa (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 1b1efa5f0e878745e94a98022e8edc675a87d78e (git)
Affected: 3c62be17d4f562f43fe1d03b48194399caa35aa5 , < 5661998536af52848cc4d52a377e90368196edea (git)

Linux

Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:45.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc0172c74bd9edaee7bea2ebb35f3dbd37a8ae80",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "1cf1ff15f262e8baf12201b270b6a79f9d119b2d",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "666b7cf6ac9aa074b8319a2b68cba7f2c30023f0",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "3466721f06edff834f99d9f49f23eabc6b2cb78e",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "345fc8d1838f3f8be7c8ed08d86a13dedef67136",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "70849d33130a2cf1d6010069ed200669c8651fbd",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "755427093e4294ac111c3f9e40d53f681a0fbdaa",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "1b1efa5f0e878745e94a98022e8edc675a87d78e",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            },
            {
              "lessThan": "5661998536af52848cc4d52a377e90368196edea",
              "status": "affected",
              "version": "3c62be17d4f562f43fe1d03b48194399caa35aa5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in devs.path\n\n- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- truncate -s $((1024*1024*1024)) \\\n  /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- touch /mnt/f2fs/file\n- truncate -s $((1024*1024*1024)) /mnt/f2fs/file\n- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  -c /mnt/f2fs/file\n- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  /mnt/f2fs/loop\n\n[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\\xff\\x01,      511,        0 -    3ffff\n[16937.192268] F2FS-fs (loop0): Failed to find devices\n\nIf device path length equals to MAX_PATH_LEN, sbi-\u003edevs.path[] may\nnot end up w/ null character due to path array is fully filled, So\naccidently, fields locate after path[] may be treated as part of\ndevice path, result in parsing wrong device path.\n\nstruct f2fs_dev_info {\n...\n\tchar path[MAX_PATH_LEN];\n...\n};\n\nLet\u0027s add one byte space for sbi-\u003edevs.path[] to store null\ncharacter of device path string."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:33.342Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc0172c74bd9edaee7bea2ebb35f3dbd37a8ae80"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cf1ff15f262e8baf12201b270b6a79f9d119b2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/666b7cf6ac9aa074b8319a2b68cba7f2c30023f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/3466721f06edff834f99d9f49f23eabc6b2cb78e"
        },
        {
          "url": "https://git.kernel.org/stable/c/345fc8d1838f3f8be7c8ed08d86a13dedef67136"
        },
        {
          "url": "https://git.kernel.org/stable/c/70849d33130a2cf1d6010069ed200669c8651fbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/755427093e4294ac111c3f9e40d53f681a0fbdaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b1efa5f0e878745e94a98022e8edc675a87d78e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5661998536af52848cc4d52a377e90368196edea"
        }
      ],
      "title": "f2fs: fix to avoid out-of-boundary access in devs.path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38652",
    "datePublished": "2025-08-22T16:00:56.445Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:45.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38578 (GCVE-0-2025-38578)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

f2fs: fix to avoid UAF in f2fs_sync_inode_meta()

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() syzbot reported an UAF issue as below: [1] [2] [1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8 CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 __list_del_entry include/linux/list.h:134 [inline] list_del_init include/linux/list.h:206 [inline] f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553 f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588 f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706 f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734 write_inode fs/fs-writeback.c:1460 [inline] __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677 writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903 __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974 wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081 wb_check_background_flush fs/fs-writeback.c:2151 [inline] wb_do_writeback fs/fs-writeback.c:2239 [inline] wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266 process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299 worker_thread+0xa60/0x1260 kernel/workqueue.c:2446 kthread+0x26d/0x300 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Allocated by task 298: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333 kasan_slab_alloc include/linux/kasan.h:202 [inline] slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768 slab_alloc_node mm/slub.c:3421 [inline] slab_alloc mm/slub.c:3431 [inline] __kmem_cache_alloc_lru mm/slub.c:3438 [inline] kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454 alloc_inode_sb include/linux/fs.h:3255 [inline] f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 alloc_inode fs/inode.c:261 [inline] iget_locked+0x18c/0x7e0 fs/inode.c:1373 f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484 __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689 lookup_slow+0x5a/0x80 fs/namei.c:1706 walk_component+0x2e7/0x410 fs/namei.c:1997 lookup_last fs/namei.c:2454 [inline] path_lookupat+0x16d/0x450 fs/namei.c:2478 filename_lookup+0x251/0x600 fs/namei.c:2507 vfs_statx+0x107/0x4b0 fs/stat.c:229 vfs_fstatat fs/stat.c:267 [inline] vfs_lstat include/linux/fs.h:3434 [inline] __do_sys_newlstat fs/stat.c:423 [inline] __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417 __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 0: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1745 [inline] slab_free_freelist_hook mm/slub.c:1771 [inline] slab_free mm/slub.c:3686 [inline] kmem_cache_free+0x ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/37e78cad7e9e025e6…
	https://git.kernel.org/stable/c/4dcd830c420f2190a…
	https://git.kernel.org/stable/c/1edf68272b8cba2b2…
	https://git.kernel.org/stable/c/917ae5e280bc263f5…
	https://git.kernel.org/stable/c/3d37cadaac1a8e108…
	https://git.kernel.org/stable/c/dea243f58a8391e76…
	https://git.kernel.org/stable/c/a4b0cc9e0bba7525a…
	https://git.kernel.org/stable/c/6cac47af39b2b8edb…
	https://git.kernel.org/stable/c/7c30d79930132466f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 37e78cad7e9e025e63bb35bc200f44637b009bb1 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 4dcd830c420f2190ae32f03626039fde7b57b2ad (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 1edf68272b8cba2b2817ef1488ecb9f0f84cb6a0 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 917ae5e280bc263f56c83fba0d0f0be2c4828083 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 3d37cadaac1a8e108e576297aab9125b24ea2dfe (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < dea243f58a8391e76f42ad5eb59ff210519ee772 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < a4b0cc9e0bba7525a29f37714e88df12a47997a2 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 6cac47af39b2b8edbb41d47c3bd9c332f83e9932 (git)
Affected: 0f18b462b2e5aff64b8638e8a47284b907351ef3 , < 7c30d79930132466f5be7d0b57add14d1a016bda (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:07.596Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37e78cad7e9e025e63bb35bc200f44637b009bb1",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "4dcd830c420f2190ae32f03626039fde7b57b2ad",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "1edf68272b8cba2b2817ef1488ecb9f0f84cb6a0",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "917ae5e280bc263f56c83fba0d0f0be2c4828083",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "3d37cadaac1a8e108e576297aab9125b24ea2dfe",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "dea243f58a8391e76f42ad5eb59ff210519ee772",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "a4b0cc9e0bba7525a29f37714e88df12a47997a2",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "6cac47af39b2b8edbb41d47c3bd9c332f83e9932",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            },
            {
              "lessThan": "7c30d79930132466f5be7d0b57add14d1a016bda",
              "status": "affected",
              "version": "0f18b462b2e5aff64b8638e8a47284b907351ef3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n\nsyzbot reported an UAF issue as below: [1] [2]\n\n[1] https://syzkaller.appspot.com/text?tag=CrashReport\u0026x=16594c60580000\n\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8\n\nCPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G        W          6.1.129-syzkaller-00017-g642656a36791 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x158/0x4e0 mm/kasan/report.c:427\n kasan_report+0x13c/0x170 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553\n f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588\n f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706\n f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677\n writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903\n __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974\n wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081\n wb_check_background_flush fs/fs-writeback.c:2151 [inline]\n wb_do_writeback fs/fs-writeback.c:2239 [inline]\n wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266\n process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299\n worker_thread+0xa60/0x1260 kernel/workqueue.c:2446\n kthread+0x26d/0x300 kernel/kthread.c:386\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333\n kasan_slab_alloc include/linux/kasan.h:202 [inline]\n slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768\n slab_alloc_node mm/slub.c:3421 [inline]\n slab_alloc mm/slub.c:3431 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3438 [inline]\n kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454\n alloc_inode_sb include/linux/fs.h:3255 [inline]\n f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x18c/0x7e0 fs/inode.c:1373\n f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486\n f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484\n __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689\n lookup_slow+0x5a/0x80 fs/namei.c:1706\n walk_component+0x2e7/0x410 fs/namei.c:1997\n lookup_last fs/namei.c:2454 [inline]\n path_lookupat+0x16d/0x450 fs/namei.c:2478\n filename_lookup+0x251/0x600 fs/namei.c:2507\n vfs_statx+0x107/0x4b0 fs/stat.c:229\n vfs_fstatat fs/stat.c:267 [inline]\n vfs_lstat include/linux/fs.h:3434 [inline]\n __do_sys_newlstat fs/stat.c:423 [inline]\n __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417\n __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417\n x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\n\nFreed by task 0:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516\n ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241\n __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249\n kasan_slab_free include/linux/kasan.h:178 [inline]\n slab_free_hook mm/slub.c:1745 [inline]\n slab_free_freelist_hook mm/slub.c:1771 [inline]\n slab_free mm/slub.c:3686 [inline]\n kmem_cache_free+0x\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:09.083Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37e78cad7e9e025e63bb35bc200f44637b009bb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dcd830c420f2190ae32f03626039fde7b57b2ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/1edf68272b8cba2b2817ef1488ecb9f0f84cb6a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/917ae5e280bc263f56c83fba0d0f0be2c4828083"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d37cadaac1a8e108e576297aab9125b24ea2dfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea243f58a8391e76f42ad5eb59ff210519ee772"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4b0cc9e0bba7525a29f37714e88df12a47997a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cac47af39b2b8edbb41d47c3bd9c332f83e9932"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c30d79930132466f5be7d0b57add14d1a016bda"
        }
      ],
      "title": "f2fs: fix to avoid UAF in f2fs_sync_inode_meta()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38578",
    "datePublished": "2025-08-19T17:03:01.483Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-11-03T17:40:07.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38630 (GCVE-0-2025-38630)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot allocate a struct fb_modelist. If that happens, the modelist stays empty but the driver continues to register. Add a check for its return value to prevent poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/69373502c2b5d3648…
	https://git.kernel.org/stable/c/f00c29e6755ead56b…
	https://git.kernel.org/stable/c/cca8f5a3991916729…
	https://git.kernel.org/stable/c/ac16154cccda8be10…
	https://git.kernel.org/stable/c/4b5d36cc3014986e6…
	https://git.kernel.org/stable/c/40f0a51f6c54d46a9…
	https://git.kernel.org/stable/c/49377bac9e3bec163…
	https://git.kernel.org/stable/c/f060441c153495750…
	https://git.kernel.org/stable/c/da11e6a30e0bb8e91…

Impacted products

Vendor

Product

Version

Linux

Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < 69373502c2b5d364842c702c941d1171e4f35a7c (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < f00c29e6755ead56baf2a9c1d3c4c0bb40af3612 (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < cca8f5a3991916729b39d797d01499c335137319 (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < ac16154cccda8be10ee3ae188f10a06f3890bc5d (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < 4b5d36cc3014986e6fac12eaa8433fe56801d4ce (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < 40f0a51f6c54d46a94b9f1180339ede7ca7ee190 (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < 49377bac9e3bec1635065a033c9679214fe7593e (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < f060441c153495750804133555cf0a211a856892 (git)
Affected: 1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c , < da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:35.268Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/imxfb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69373502c2b5d364842c702c941d1171e4f35a7c",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "f00c29e6755ead56baf2a9c1d3c4c0bb40af3612",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "cca8f5a3991916729b39d797d01499c335137319",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "ac16154cccda8be10ee3ae188f10a06f3890bc5d",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "4b5d36cc3014986e6fac12eaa8433fe56801d4ce",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "40f0a51f6c54d46a94b9f1180339ede7ca7ee190",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "49377bac9e3bec1635065a033c9679214fe7593e",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "f060441c153495750804133555cf0a211a856892",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            },
            {
              "lessThan": "da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7",
              "status": "affected",
              "version": "1b6c79361ba5ce30b40f0f7d6fc2421dc5fcbe0c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/imxfb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref\n\nfb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot\nallocate a struct fb_modelist.  If that happens, the modelist stays empty but\nthe driver continues to register.  Add a check for its return value to prevent\npoteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 (\"fbdev:\nFix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:08.558Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69373502c2b5d364842c702c941d1171e4f35a7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f00c29e6755ead56baf2a9c1d3c4c0bb40af3612"
        },
        {
          "url": "https://git.kernel.org/stable/c/cca8f5a3991916729b39d797d01499c335137319"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac16154cccda8be10ee3ae188f10a06f3890bc5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b5d36cc3014986e6fac12eaa8433fe56801d4ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/40f0a51f6c54d46a94b9f1180339ede7ca7ee190"
        },
        {
          "url": "https://git.kernel.org/stable/c/49377bac9e3bec1635065a033c9679214fe7593e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f060441c153495750804133555cf0a211a856892"
        },
        {
          "url": "https://git.kernel.org/stable/c/da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7"
        }
      ],
      "title": "fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38630",
    "datePublished": "2025-08-22T16:00:38.678Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-11-03T17:40:35.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21811 (GCVE-0-2025-21811)

Vulnerability from cvelistv5 – Published: 2025-02-27 20:01 – Updated: 2025-11-03 20:59

Title

nilfs2: protect access to buffers with no active references

Summary

In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect access to buffers with no active references nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages. For data cache, nilfs_clear_folio_dirty() may be called asynchronously when the file system degenerates to read only, so nilfs_lookup_dirty_data_buffers() still has the potential to cause use after free issues when buffers lose the protection of their dirty state midway due to this asynchronous clearing and are unintentionally freed by try_to_free_buffers(). Eliminate this race issue by adjusting the lock section in this function.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1fc4a90a90ea8514…
	https://git.kernel.org/stable/c/72cf688d0ce7e642b…
	https://git.kernel.org/stable/c/d8ff250e085a4c4cd…
	https://git.kernel.org/stable/c/58c27fa7a610b6e8d…
	https://git.kernel.org/stable/c/8e1b9201c9a24638c…
	https://git.kernel.org/stable/c/4b08d23d7d1917bef…
	https://git.kernel.org/stable/c/c437dfac9f7a5a46a…
	https://git.kernel.org/stable/c/367a9bffabe08c04f…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < e1fc4a90a90ea8514246c45435662531975937d9 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 72cf688d0ce7e642b12ddc9b2a42524737ec1b4a (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < d8ff250e085a4c4cdda4ad1cdd234ed110393143 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 58c27fa7a610b6e8d44e6220e7dbddfbaccaf439 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 8e1b9201c9a24638cf09c6e1c9f224157328010b (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 4b08d23d7d1917bef4fbee8ad81372f49b006656 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 367a9bffabe08c04f6d725032cce3d891b2b9e1a (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21811",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T18:01:20.629324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T18:07:17.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:47.268Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/segment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1fc4a90a90ea8514246c45435662531975937d9",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "72cf688d0ce7e642b12ddc9b2a42524737ec1b4a",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "d8ff250e085a4c4cdda4ad1cdd234ed110393143",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "58c27fa7a610b6e8d44e6220e7dbddfbaccaf439",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "8e1b9201c9a24638cf09c6e1c9f224157328010b",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "4b08d23d7d1917bef4fbee8ad81372f49b006656",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "367a9bffabe08c04f6d725032cce3d891b2b9e1a",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/segment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: protect access to buffers with no active references\n\nnilfs_lookup_dirty_data_buffers(), which iterates through the buffers\nattached to dirty data folios/pages, accesses the attached buffers without\nlocking the folios/pages.\n\nFor data cache, nilfs_clear_folio_dirty() may be called asynchronously\nwhen the file system degenerates to read only, so\nnilfs_lookup_dirty_data_buffers() still has the potential to cause use\nafter free issues when buffers lose the protection of their dirty state\nmidway due to this asynchronous clearing and are unintentionally freed by\ntry_to_free_buffers().\n\nEliminate this race issue by adjusting the lock section in this function."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:41.820Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1fc4a90a90ea8514246c45435662531975937d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/72cf688d0ce7e642b12ddc9b2a42524737ec1b4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8ff250e085a4c4cdda4ad1cdd234ed110393143"
        },
        {
          "url": "https://git.kernel.org/stable/c/58c27fa7a610b6e8d44e6220e7dbddfbaccaf439"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e1b9201c9a24638cf09c6e1c9f224157328010b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b08d23d7d1917bef4fbee8ad81372f49b006656"
        },
        {
          "url": "https://git.kernel.org/stable/c/c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188"
        },
        {
          "url": "https://git.kernel.org/stable/c/367a9bffabe08c04f6d725032cce3d891b2b9e1a"
        }
      ],
      "title": "nilfs2: protect access to buffers with no active references",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21811",
    "datePublished": "2025-02-27T20:01:02.256Z",
    "dateReserved": "2024-12-29T08:45:45.772Z",
    "dateUpdated": "2025-11-03T20:59:47.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39693 (GCVE-0-2025-39693)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42

Title

drm/amd/display: Avoid a NULL pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9c92d12b5cb9d9d88…
	https://git.kernel.org/stable/c/6f860abff89417c03…
	https://git.kernel.org/stable/c/36a6b43573d152736…
	https://git.kernel.org/stable/c/f653dd30839eb4f57…
	https://git.kernel.org/stable/c/0c1a486cbe6f9cb19…
	https://git.kernel.org/stable/c/07b93a5704b0b7200…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 6f860abff89417c0354b6ee5bbca188a233c5762 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 36a6b43573d152736eaf2557fe60580dd73e9350 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f653dd30839eb4f573a7539e90b8a58ff9bedf2f (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 07b93a5704b0b72002f0c4bd1076214af67dc661 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:25.934Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "6f860abff89417c0354b6ee5bbca188a233c5762",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "36a6b43573d152736eaf2557fe60580dd73e9350",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "f653dd30839eb4f573a7539e90b8a58ff9bedf2f",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "07b93a5704b0b72002f0c4bd1076214af67dc661",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid a NULL pointer dereference\n\n[WHY]\nAlthough unlikely drm_atomic_get_new_connector_state() or\ndrm_atomic_get_old_connector_state() can return NULL.\n\n[HOW]\nCheck returns before dereference.\n\n(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:32.491Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f860abff89417c0354b6ee5bbca188a233c5762"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a6b43573d152736eaf2557fe60580dd73e9350"
        },
        {
          "url": "https://git.kernel.org/stable/c/f653dd30839eb4f573a7539e90b8a58ff9bedf2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165"
        },
        {
          "url": "https://git.kernel.org/stable/c/07b93a5704b0b72002f0c4bd1076214af67dc661"
        }
      ],
      "title": "drm/amd/display: Avoid a NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39693",
    "datePublished": "2025-09-05T17:20:59.287Z",
    "dateReserved": "2025-04-16T07:20:57.114Z",
    "dateUpdated": "2025-11-03T17:42:25.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38466 (GCVE-0-2025-38466)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d7ef1afd5b3f43f49…
	https://git.kernel.org/stable/c/c0aec35f861fa746c…
	https://git.kernel.org/stable/c/8e8bf7bc6aa6f5833…
	https://git.kernel.org/stable/c/183bdb89af1b5193b…
	https://git.kernel.org/stable/c/a0a8009083e569b55…
	https://git.kernel.org/stable/c/d5074256b642cdeb4…
	https://git.kernel.org/stable/c/ba677dbe77af5ffe6…

Impacted products

Vendor

Product

Version

Linux

Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < d7ef1afd5b3f43f4924326164cee5397b66abd9c (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < c0aec35f861fa746ca45aa816161c74352e6ada8 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < 8e8bf7bc6aa6f583336c2fda280b6cea0aed5612 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < 183bdb89af1b5193b1d1d9316986053b15ca6fa4 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < a0a8009083e569b5526c64f7d3f2a62baca95164 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < d5074256b642cdeb46a70ce2f15193e766edca68 (git)
Affected: c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 , < ba677dbe77af5ffe6204e0f3f547f3ba059c6302 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:29.560Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7ef1afd5b3f43f4924326164cee5397b66abd9c",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "c0aec35f861fa746ca45aa816161c74352e6ada8",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "8e8bf7bc6aa6f583336c2fda280b6cea0aed5612",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "183bdb89af1b5193b1d1d9316986053b15ca6fa4",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "a0a8009083e569b5526c64f7d3f2a62baca95164",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "d5074256b642cdeb46a70ce2f15193e766edca68",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            },
            {
              "lessThan": "ba677dbe77af5ffe6204e0f3f547f3ba059c6302",
              "status": "affected",
              "version": "c9e0924e5c2b59365f9c0d43ff8722e79ecf4088",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar things can be done if the\ndata word is \u0027mistaken\u0027 for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:15.427Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7ef1afd5b3f43f4924326164cee5397b66abd9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0aec35f861fa746ca45aa816161c74352e6ada8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e8bf7bc6aa6f583336c2fda280b6cea0aed5612"
        },
        {
          "url": "https://git.kernel.org/stable/c/183bdb89af1b5193b1d1d9316986053b15ca6fa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0a8009083e569b5526c64f7d3f2a62baca95164"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5074256b642cdeb46a70ce2f15193e766edca68"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba677dbe77af5ffe6204e0f3f547f3ba059c6302"
        }
      ],
      "title": "perf: Revert to requiring CAP_SYS_ADMIN for uprobes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38466",
    "datePublished": "2025-07-25T15:27:48.235Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:29.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39847 (GCVE-0-2025-39847)

Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2025-11-03 17:44

Title

ppp: fix memory leak in pad_compress_skb

Summary

In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. Align pad_compress_skb() semantics with realloc(): only free the old skb if allocation and compression succeed. At the call site, use the new_skb variable so the original skb is not lost when pad_compress_skb() fails.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9ca6a040f76c0b149…
	https://git.kernel.org/stable/c/87a35a36742df328d…
	https://git.kernel.org/stable/c/0b21e9cd4559102da…
	https://git.kernel.org/stable/c/1d8b354eafb8876d8…
	https://git.kernel.org/stable/c/85c1c86a67e09143a…
	https://git.kernel.org/stable/c/631fc8ab5beb9e0ec…
	https://git.kernel.org/stable/c/33a5bac5f14772730…
	https://git.kernel.org/stable/c/4844123fe0b853a49…

Impacted products

Vendor

Product

Version

Linux

Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 9ca6a040f76c0b149293e430dabab446f3fc8ab7 (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 87a35a36742df328d0badf4fbc2e56061c15846c (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 0b21e9cd4559102da798bdcba453b64ecd7be7ee (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8 (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 85c1c86a67e09143aa464e9bf09c397816772348 (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4 (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 33a5bac5f14772730d2caf632ae97b6c2ee95044 (git)
Affected: b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c , < 4844123fe0b853a4982c02666cb3fd863d701d50 (git)

Linux

Affected: 2.6.15
Unaffected: 0 , < 2.6.15 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:04.958Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ca6a040f76c0b149293e430dabab446f3fc8ab7",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "87a35a36742df328d0badf4fbc2e56061c15846c",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "0b21e9cd4559102da798bdcba453b64ecd7be7ee",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "85c1c86a67e09143aa464e9bf09c397816772348",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "33a5bac5f14772730d2caf632ae97b6c2ee95044",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            },
            {
              "lessThan": "4844123fe0b853a4982c02666cb3fd863d701d50",
              "status": "affected",
              "version": "b3f9b92a6ec1a9a5e4b4b36e484f2f62cc73277c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.15"
            },
            {
              "lessThan": "2.6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n    skb = pad_compress_skb(ppp, skb);\n    if (!skb)\n        goto drop;\n\ndrop:\n    kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed.  At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:57.392Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ca6a040f76c0b149293e430dabab446f3fc8ab7"
        },
        {
          "url": "https://git.kernel.org/stable/c/87a35a36742df328d0badf4fbc2e56061c15846c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b21e9cd4559102da798bdcba453b64ecd7be7ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8"
        },
        {
          "url": "https://git.kernel.org/stable/c/85c1c86a67e09143aa464e9bf09c397816772348"
        },
        {
          "url": "https://git.kernel.org/stable/c/631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4"
        },
        {
          "url": "https://git.kernel.org/stable/c/33a5bac5f14772730d2caf632ae97b6c2ee95044"
        },
        {
          "url": "https://git.kernel.org/stable/c/4844123fe0b853a4982c02666cb3fd863d701d50"
        }
      ],
      "title": "ppp: fix memory leak in pad_compress_skb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39847",
    "datePublished": "2025-09-19T15:26:20.648Z",
    "dateReserved": "2025-04-16T07:20:57.141Z",
    "dateUpdated": "2025-11-03T17:44:04.958Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38606 (GCVE-0-2025-38606)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss During beacon miss handling, ath12k driver iterates over active virtual interfaces (vifs) and attempts to access the radio object (ar) via arvif->deflink->ar. However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for MLO"), arvif is linked to a radio only after vdev creation, typically when a channel is assigned or a scan is requested. For P2P capable devices, a default P2P interface is created by wpa_supplicant along with regular station interfaces, these serve as dummy interfaces for P2P-capable stations, lack an associated netdev and initiate frequent scans to discover neighbor p2p devices. When a scan is initiated on such P2P vifs, driver selects destination radio (ar) based on scan frequency, creates a scan vdev, and attaches arvif to the radio. Once the scan completes or is aborted, the scan vdev is deleted, detaching arvif from the radio and leaving arvif->ar uninitialized. While handling beacon miss for station interfaces, P2P interface is also encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter() tries to dereference the uninitialized arvif->deflink->ar. Fix this by verifying that vdev is created for the arvif before accessing its ar during beacon miss handling and similar vif iterator callbacks. ========================================================================== wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full) RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k] Call Trace: __iterate_interfaces+0x11a/0x410 [mac80211] ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211] ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k] ath12k_roam_event+0x393/0x560 [ath12k] ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k] ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k] ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k] ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k] ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k] ath12k_pci_ce_workqueue+0x69/0x120 [ath12k] process_one_work+0xe3a/0x1430 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9b861dfc5c07defd0…
	https://git.kernel.org/stable/c/1259b6da8303f70fe…
	https://git.kernel.org/stable/c/36670b67de18f1e5d…

Impacted products

Vendor

Product

Version

Linux

Affected: aa80f12f3bedc2d73e4cc43554aee44c277cc938 , < 9b861dfc5c07defd0191fd3e7288a3179cd9a02e (git)
Affected: aa80f12f3bedc2d73e4cc43554aee44c277cc938 , < 1259b6da8303f70fef6ed4aef8ae3dedfecb0f27 (git)
Affected: aa80f12f3bedc2d73e4cc43554aee44c277cc938 , < 36670b67de18f1e5d34900c5d2ac60a8970c293c (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c",
            "drivers/net/wireless/ath/ath12k/p2p.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9b861dfc5c07defd0191fd3e7288a3179cd9a02e",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            },
            {
              "lessThan": "1259b6da8303f70fef6ed4aef8ae3dedfecb0f27",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            },
            {
              "lessThan": "36670b67de18f1e5d34900c5d2ac60a8970c293c",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c",
            "drivers/net/wireless/ath/ath12k/p2p.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid accessing uninitialized arvif-\u003ear during beacon miss\n\nDuring beacon miss handling, ath12k driver iterates over active virtual\ninterfaces (vifs) and attempts to access the radio object (ar) via\narvif-\u003edeflink-\u003ear.\n\nHowever, after commit aa80f12f3bed (\"wifi: ath12k: defer vdev creation for\nMLO\"), arvif is linked to a radio only after vdev creation, typically when\na channel is assigned or a scan is requested.\nFor P2P capable devices, a default P2P interface is created by\nwpa_supplicant along with regular station interfaces, these serve as dummy\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\non such P2P vifs, driver selects destination radio (ar) based on scan\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\nfrom the radio and leaving arvif-\u003ear uninitialized.\n\nWhile handling beacon miss for station interfaces, P2P interface is also\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\ntries to dereference the uninitialized arvif-\u003edeflink-\u003ear.\n\nFix this by verifying that vdev is created for the arvif before accessing\nits ar during beacon miss handling and similar vif iterator callbacks.\n\n==========================================================================\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\n Call Trace:\n  __iterate_interfaces+0x11a/0x410 [mac80211]\n  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\n  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\n  ath12k_roam_event+0x393/0x560 [ath12k]\n  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\n  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\n  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\n  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\n  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\n  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\n  process_one_work+0xe3a/0x1430\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:40.540Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9b861dfc5c07defd0191fd3e7288a3179cd9a02e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1259b6da8303f70fef6ed4aef8ae3dedfecb0f27"
        },
        {
          "url": "https://git.kernel.org/stable/c/36670b67de18f1e5d34900c5d2ac60a8970c293c"
        }
      ],
      "title": "wifi: ath12k: Avoid accessing uninitialized arvif-\u003ear during beacon miss",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38606",
    "datePublished": "2025-08-19T17:03:50.189Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-09-29T05:54:40.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38687 (GCVE-0-2025-38687)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41

Title

comedi: fix race between polling and detaching

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: fix race between polling and detaching syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`. Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter. Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fe67122ba781df44a…
	https://git.kernel.org/stable/c/cd4286123d6948ff6…
	https://git.kernel.org/stable/c/d85fac8729c9acfd7…
	https://git.kernel.org/stable/c/0f989f9d05492028a…
	https://git.kernel.org/stable/c/5c4a2ffcbd052c69b…
	https://git.kernel.org/stable/c/017198079551a2a5c…
	https://git.kernel.org/stable/c/71ca60d2e631cf9c6…
	https://git.kernel.org/stable/c/5724e82df4f9a4be6…
	https://git.kernel.org/stable/c/35b6fc51c666fc963…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < fe67122ba781df44a1a9716eb1dfd751321ab512 (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < cd4286123d6948ff638ea9cd5818ae4796d5d252 (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < d85fac8729c9acfd72368faff1d576ec585e5c8f (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 0f989f9d05492028afd2bded4b42023c57d8a76e (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4 (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 017198079551a2a5cf61eae966af3c4b145e1f3b (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 71ca60d2e631cf9c63bcbc7017961c61ff04e419 (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 5724e82df4f9a4be62908362c97d522d25de75dd (git)
Affected: 2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 , < 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2 (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:14.570Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c",
            "drivers/comedi/comedi_internal.h",
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fe67122ba781df44a1a9716eb1dfd751321ab512",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "cd4286123d6948ff638ea9cd5818ae4796d5d252",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "d85fac8729c9acfd72368faff1d576ec585e5c8f",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "0f989f9d05492028afd2bded4b42023c57d8a76e",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "017198079551a2a5cf61eae966af3c4b145e1f3b",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "71ca60d2e631cf9c63bcbc7017961c61ff04e419",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "5724e82df4f9a4be62908362c97d522d25de75dd",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            },
            {
              "lessThan": "35b6fc51c666fc96355be5cd633ed0fe4ccf68b2",
              "status": "affected",
              "version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c",
            "drivers/comedi/comedi_internal.h",
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed.  We need\nto check there are no tasks queued on any of the subdevices\u0027 wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev-\u003eattach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev-\u003eattach_lock` before checking that all of\nthe subdevices are safe to be deleted.  This includes testing for any\nsleepers on the subdevices\u0027 wait queues.  It remains locked until the\ndevice has been detached.  This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev-\u003eattach_lock`\nis write-locked, which wasn\u0027t the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:56:00.621Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fe67122ba781df44a1a9716eb1dfd751321ab512"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd4286123d6948ff638ea9cd5818ae4796d5d252"
        },
        {
          "url": "https://git.kernel.org/stable/c/d85fac8729c9acfd72368faff1d576ec585e5c8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f989f9d05492028afd2bded4b42023c57d8a76e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/017198079551a2a5cf61eae966af3c4b145e1f3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/71ca60d2e631cf9c63bcbc7017961c61ff04e419"
        },
        {
          "url": "https://git.kernel.org/stable/c/5724e82df4f9a4be62908362c97d522d25de75dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/35b6fc51c666fc96355be5cd633ed0fe4ccf68b2"
        }
      ],
      "title": "comedi: fix race between polling and detaching",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38687",
    "datePublished": "2025-09-04T15:32:41.702Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2025-11-03T17:41:14.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38450 (GCVE-0-2025-38450)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-07-28 04:22

Title

wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1]. The crash occurs when this function is triggered before the station is fully initialized. The call trace shows a page fault at mt7925_sta_set_decap_offload() due to accessing resources when msta->vif is NULL. Fix this by adding an early return if msta->vif is NULL and also check wcid.sta is ready. This ensures we only proceed with decap offload configuration when the station's state is properly initialized. [14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0 [14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G [14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE [14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) [14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common] [14739.851985] sp : ffffffc085efb500 [14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158 [14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001 [14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88 [14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000 [14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080 [14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000 [14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0 [14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100 [14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000 [14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8 [14739.926686] Call trace: [14739.929130] mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.935505] ieee80211_check_fast_rx+0x19c/0x510 [mac80211] [14739.941344] _sta_info_move_state+0xe4/0x510 [mac80211] [14739.946860] sta_info_move_state+0x1c/0x30 [mac80211] [14739.952116] sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211] [14739.958708] sta_apply_parameters+0x234/0x5e0 [mac80211] [14739.964332] ieee80211_add_station+0xdc/0x190 [mac80211] [14739.969950] nl80211_new_station+0x46c/0x670 [cfg80211] [14739.975516] genl_family_rcv_msg_doit+0xdc/0x150 [14739.980158] genl_rcv_msg+0x218/0x298 [14739.983830] netlink_rcv_skb+0x64/0x138 [14739.987670] genl_rcv+0x40/0x60 [14739.990816] netlink_unicast+0x314/0x380 [14739.994742] netlink_sendmsg+0x198/0x3f0 [14739.998664] __sock_sendmsg+0x64/0xc0 [14740.002324] ____sys_sendmsg+0x260/0x298 [14740.006242] ___sys_sendmsg+0xb4/0x110

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9b50874f297fcc62a…
	https://git.kernel.org/stable/c/91c3dec2453b3742e…
	https://git.kernel.org/stable/c/35ad47c0b3da04b00…

Impacted products

Vendor

Product

Version

Linux

Affected: b859ad65309a5f1654e8b284de582831fc88e2d8 , < 9b50874f297fcc62adc7396f35209878e51010b0 (git)
Affected: b859ad65309a5f1654e8b284de582831fc88e2d8 , < 91c3dec2453b3742e8f666957b99945edc30577f (git)
Affected: b859ad65309a5f1654e8b284de582831fc88e2d8 , < 35ad47c0b3da04b00b19a8b9ed5632e2f2520472 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7925/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9b50874f297fcc62adc7396f35209878e51010b0",
              "status": "affected",
              "version": "b859ad65309a5f1654e8b284de582831fc88e2d8",
              "versionType": "git"
            },
            {
              "lessThan": "91c3dec2453b3742e8f666957b99945edc30577f",
              "status": "affected",
              "version": "b859ad65309a5f1654e8b284de582831fc88e2d8",
              "versionType": "git"
            },
            {
              "lessThan": "35ad47c0b3da04b00b19a8b9ed5632e2f2520472",
              "status": "affected",
              "version": "b859ad65309a5f1654e8b284de582831fc88e2d8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7925/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()\n\nAdd a NULL check for msta-\u003evif before accessing its members to prevent\na kernel panic in AP mode deployment. This also fix the issue reported\nin [1].\n\nThe crash occurs when this function is triggered before the station is\nfully initialized. The call trace shows a page fault at\nmt7925_sta_set_decap_offload() due to accessing resources when msta-\u003evif\nis NULL.\n\nFix this by adding an early return if msta-\u003evif is NULL and also check\nwcid.sta is ready. This ensures we only proceed with decap offload\nconfiguration when the station\u0027s state is properly initialized.\n\n[14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0\n[14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G\n[14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE\n[14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n[14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common]\n[14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common]\n[14739.851985] sp : ffffffc085efb500\n[14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158\n[14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001\n[14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88\n[14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000\n[14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080\n[14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000\n[14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0\n[14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100\n[14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000\n[14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8\n[14739.926686] Call trace:\n[14739.929130]  mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common]\n[14739.935505]  ieee80211_check_fast_rx+0x19c/0x510 [mac80211]\n[14739.941344]  _sta_info_move_state+0xe4/0x510 [mac80211]\n[14739.946860]  sta_info_move_state+0x1c/0x30 [mac80211]\n[14739.952116]  sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211]\n[14739.958708]  sta_apply_parameters+0x234/0x5e0 [mac80211]\n[14739.964332]  ieee80211_add_station+0xdc/0x190 [mac80211]\n[14739.969950]  nl80211_new_station+0x46c/0x670 [cfg80211]\n[14739.975516]  genl_family_rcv_msg_doit+0xdc/0x150\n[14739.980158]  genl_rcv_msg+0x218/0x298\n[14739.983830]  netlink_rcv_skb+0x64/0x138\n[14739.987670]  genl_rcv+0x40/0x60\n[14739.990816]  netlink_unicast+0x314/0x380\n[14739.994742]  netlink_sendmsg+0x198/0x3f0\n[14739.998664]  __sock_sendmsg+0x64/0xc0\n[14740.002324]  ____sys_sendmsg+0x260/0x298\n[14740.006242]  ___sys_sendmsg+0xb4/0x110"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:41.338Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9b50874f297fcc62adc7396f35209878e51010b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/91c3dec2453b3742e8f666957b99945edc30577f"
        },
        {
          "url": "https://git.kernel.org/stable/c/35ad47c0b3da04b00b19a8b9ed5632e2f2520472"
        }
      ],
      "title": "wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38450",
    "datePublished": "2025-07-25T15:27:31.372Z",
    "dateReserved": "2025-04-16T04:51:24.018Z",
    "dateUpdated": "2025-07-28T04:22:41.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38538 (GCVE-0-2025-38538)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-11-03 17:39

Title

dmaengine: nbpfaxi: Fix memory corruption in probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check. On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/84fff8e6f11b9af14…
	https://git.kernel.org/stable/c/aec396b4f736f3f8d…
	https://git.kernel.org/stable/c/24861ef8b517a309a…
	https://git.kernel.org/stable/c/f366b36c5e3ce29c9…
	https://git.kernel.org/stable/c/4bb016438335ec02b…
	https://git.kernel.org/stable/c/122160289adf8ebf1…
	https://git.kernel.org/stable/c/d6bbd67ab5de37a74…
	https://git.kernel.org/stable/c/188c6ba1dd925849c…

Impacted products

Vendor

Product

Version

Linux

Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < 84fff8e6f11b9af1407e273995b5257d99ff0cff (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < aec396b4f736f3f8d2c28a9cd2924a4ada57ae87 (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < 24861ef8b517a309a4225f2793be0cd8fa0bec9e (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < 4bb016438335ec02b01f96bf1367378c2bfe03e5 (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < 122160289adf8ebf15060f1cbf6265b55a914948 (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < d6bbd67ab5de37a74ac85c83c5a26664b62034dd (git)
Affected: b45b262cefd5b8eb2ba88d20e5bd295881293894 , < 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:32.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/nbpfaxi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "84fff8e6f11b9af1407e273995b5257d99ff0cff",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "aec396b4f736f3f8d2c28a9cd2924a4ada57ae87",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "24861ef8b517a309a4225f2793be0cd8fa0bec9e",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "4bb016438335ec02b01f96bf1367378c2bfe03e5",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "122160289adf8ebf15060f1cbf6265b55a914948",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "d6bbd67ab5de37a74ac85c83c5a26664b62034dd",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            },
            {
              "lessThan": "188c6ba1dd925849c5d94885c8bbdeb0b3dcf510",
              "status": "affected",
              "version": "b45b262cefd5b8eb2ba88d20e5bd295881293894",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/nbpfaxi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf-\u003echan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements.  These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved.  In this case, we\u0027re\ncopying data from the irqbuf[] array into the nbpf-\u003echan[] array.  If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync.  I added a check to ensure that we don\u0027t go beyond the\nend of the irqbuf[] array.  I\u0027m pretty sure this can\u0027t happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be.  In the original\ncode we went one element beyond the end of the array so the iterator\nwasn\u0027t in the correct place and it would always return -EINVAL.  However,\nnow it will always be in the correct place.  I deleted the check since\nwe know the result."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:39.887Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/84fff8e6f11b9af1407e273995b5257d99ff0cff"
        },
        {
          "url": "https://git.kernel.org/stable/c/aec396b4f736f3f8d2c28a9cd2924a4ada57ae87"
        },
        {
          "url": "https://git.kernel.org/stable/c/24861ef8b517a309a4225f2793be0cd8fa0bec9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bb016438335ec02b01f96bf1367378c2bfe03e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/122160289adf8ebf15060f1cbf6265b55a914948"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6bbd67ab5de37a74ac85c83c5a26664b62034dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/188c6ba1dd925849c5d94885c8bbdeb0b3dcf510"
        }
      ],
      "title": "dmaengine: nbpfaxi: Fix memory corruption in probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38538",
    "datePublished": "2025-08-16T11:12:30.878Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-11-03T17:39:32.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38457 (GCVE-0-2025-38457)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/923a276c74e25073a…
	https://git.kernel.org/stable/c/90436e72c9622c2f7…
	https://git.kernel.org/stable/c/25452638f133ac19d…
	https://git.kernel.org/stable/c/23c165dde88eac405…
	https://git.kernel.org/stable/c/4c691d1b6b6dbd73f…
	https://git.kernel.org/stable/c/8ecd651ef24ab5012…
	https://git.kernel.org/stable/c/e28a383d6485c3bb5…
	https://git.kernel.org/stable/c/ffdde7bf5a439aaa1…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 923a276c74e25073ae391e930792ac86a9f77f1e (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 90436e72c9622c2f70389070088325a3232d339f (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 25452638f133ac19d75af3f928327d8016952c8e (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 23c165dde88eac405eebb59051ea1fe139a45803 (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < 8ecd651ef24ab50123692a4e3e25db93cb11602a (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < e28a383d6485c3bb51dc5953552f76c4dea33eea (git)
Affected: 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 , < ffdde7bf5a439aaa1955ebd581f5c64ab1533963 (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:14.193Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "923a276c74e25073ae391e930792ac86a9f77f1e",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "90436e72c9622c2f70389070088325a3232d339f",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "25452638f133ac19d75af3f928327d8016952c8e",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "23c165dde88eac405eebb59051ea1fe139a45803",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "8ecd651ef24ab50123692a4e3e25db93cb11602a",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "e28a383d6485c3bb51dc5953552f76c4dea33eea",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            },
            {
              "lessThan": "ffdde7bf5a439aaa1955ebd581f5c64ab1533963",
              "status": "affected",
              "version": "5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion\u0027s patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs\u0027 init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc\u0027s qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn\u0027t correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:51.557Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f"
        },
        {
          "url": "https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963"
        }
      ],
      "title": "net/sched: Abort __tc_modify_qdisc if parent class does not exist",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38457",
    "datePublished": "2025-07-25T15:27:36.226Z",
    "dateReserved": "2025-04-16T04:51:24.019Z",
    "dateUpdated": "2025-11-03T17:38:14.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38706 (GCVE-0-2025-38706)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31

Title

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on the system. On module removal the soc_tplg_remove_link() would call snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored, no runtime was created.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8b465bedc2b417fd2…
	https://git.kernel.org/stable/c/82ba7b8cf9f6e3bf3…
	https://git.kernel.org/stable/c/7f8fc03712194fd4e…
	https://git.kernel.org/stable/c/41f53afe53a57a7c5…
	https://git.kernel.org/stable/c/2fce20decc6a83f16…
	https://git.kernel.org/stable/c/cecc65827ef3df975…
	https://git.kernel.org/stable/c/7ce0a7255ce97ed7c…
	https://git.kernel.org/stable/c/2d91cb261cac6d885…

Impacted products

Vendor

Product

Version

Linux

Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 8b465bedc2b417fd27c1d1ab7122882b4b60b1a0 (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94 (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 7f8fc03712194fd4e2df28af7f7f7a38205934ef (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 41f53afe53a57a7c50323f99424b598190acf192 (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 2fce20decc6a83f16dd73744150c4e7ea6c97c21 (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < cecc65827ef3df9754e097582d89569139e6cd1e (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e (git)
Affected: 50cd9b5317d5593d0a33f4227f56ddcc1bf66604 , < 2d91cb261cac6d885954b8f5da28b5c176c18131 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:36.437Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/soc-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8b465bedc2b417fd27c1d1ab7122882b4b60b1a0",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "7f8fc03712194fd4e2df28af7f7f7a38205934ef",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "41f53afe53a57a7c50323f99424b598190acf192",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "2fce20decc6a83f16dd73744150c4e7ea6c97c21",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "cecc65827ef3df9754e097582d89569139e6cd1e",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            },
            {
              "lessThan": "2d91cb261cac6d885954b8f5da28b5c176c18131",
              "status": "affected",
              "version": "50cd9b5317d5593d0a33f4227f56ddcc1bf66604",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/soc-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\n\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\nleads to null pointer dereference.\nThis was reproduced with topology loading and marking a link as ignore\ndue to missing hardware component on the system.\nOn module removal the soc_tplg_remove_link() would call\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\nno runtime was created."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:31:28.995Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8b465bedc2b417fd27c1d1ab7122882b4b60b1a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f8fc03712194fd4e2df28af7f7f7a38205934ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/41f53afe53a57a7c50323f99424b598190acf192"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fce20decc6a83f16dd73744150c4e7ea6c97c21"
        },
        {
          "url": "https://git.kernel.org/stable/c/cecc65827ef3df9754e097582d89569139e6cd1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d91cb261cac6d885954b8f5da28b5c176c18131"
        }
      ],
      "title": "ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38706",
    "datePublished": "2025-09-04T15:32:57.456Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2026-01-02T15:31:28.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38585 (GCVE-0-2025-38585)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates *out_len to the required buffer size but writes no data to the output buffer. However, due to bug #1, gmin_get_var_int() believes the call succeeded. The caller gmin_get_var_int() then performs: - Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack - Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64 - If EFI variable is >64 bytes, efi.get_variable() sets len=required_size - Due to bug #1, thinks call succeeded with len=required_size - Executes val[len] = 0, writing past end of 65-byte stack buffer This creates a stack buffer overflow when EFI variables are larger than 64 bytes. Since EFI variables can be controlled by firmware or system configuration, this could potentially be exploited for code execution. Fix the bug by returning proper error codes from gmin_get_config_var() based on EFI status instead of stale 'ret' value. The gmin_get_var_int() function is called during device initialization for camera sensor configuration on Intel Bay Trail and Cherry Trail platforms using the atomisp camera stack.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3d672fe065aa00f4d…
	https://git.kernel.org/stable/c/e6d3453a002e89537…
	https://git.kernel.org/stable/c/1a7a2f59fb2eb0718…
	https://git.kernel.org/stable/c/ee4cf798202d285dc…

Impacted products

Vendor

Product

Version

Linux

Affected: 38d4f74bc14847491d07bd745dc4a2c274f4987d , < 3d672fe065aa00f4d66f42e3c9720f69a3ed43e7 (git)
Affected: 38d4f74bc14847491d07bd745dc4a2c274f4987d , < e6d3453a002e89537e6136f6c774659b297a549b (git)
Affected: 38d4f74bc14847491d07bd745dc4a2c274f4987d , < 1a7a2f59fb2eb0718a0cff1e5822500cefe50ed9 (git)
Affected: 38d4f74bc14847491d07bd745dc4a2c274f4987d , < ee4cf798202d285dcbe85e4467a094c44f5ed8e6 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d672fe065aa00f4d66f42e3c9720f69a3ed43e7",
              "status": "affected",
              "version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
              "versionType": "git"
            },
            {
              "lessThan": "e6d3453a002e89537e6136f6c774659b297a549b",
              "status": "affected",
              "version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
              "versionType": "git"
            },
            {
              "lessThan": "1a7a2f59fb2eb0718a0cff1e5822500cefe50ed9",
              "status": "affected",
              "version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
              "versionType": "git"
            },
            {
              "lessThan": "ee4cf798202d285dcbe85e4467a094c44f5ed8e6",
              "status": "affected",
              "version": "38d4f74bc14847491d07bd745dc4a2c274f4987d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()\n\nWhen gmin_get_config_var() calls efi.get_variable() and the EFI variable\nis larger than the expected buffer size, two behaviors combine to create\na stack buffer overflow:\n\n1. gmin_get_config_var() does not return the proper error code when\n   efi.get_variable() fails. It returns the stale \u0027ret\u0027 value from\n   earlier operations instead of indicating the EFI failure.\n\n2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates\n   *out_len to the required buffer size but writes no data to the output\n   buffer. However, due to bug #1, gmin_get_var_int() believes the call\n   succeeded.\n\nThe caller gmin_get_var_int() then performs:\n- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack\n- Calls gmin_get_config_var(dev, is_gmin, var, val, \u0026len) with len=64\n- If EFI variable is \u003e64 bytes, efi.get_variable() sets len=required_size\n- Due to bug #1, thinks call succeeded with len=required_size\n- Executes val[len] = 0, writing past end of 65-byte stack buffer\n\nThis creates a stack buffer overflow when EFI variables are larger than\n64 bytes. Since EFI variables can be controlled by firmware or system\nconfiguration, this could potentially be exploited for code execution.\n\nFix the bug by returning proper error codes from gmin_get_config_var()\nbased on EFI status instead of stale \u0027ret\u0027 value.\n\nThe gmin_get_var_int() function is called during device initialization\nfor camera sensor configuration on Intel Bay Trail and Cherry Trail\nplatforms using the atomisp camera stack."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:17.156Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d672fe065aa00f4d66f42e3c9720f69a3ed43e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6d3453a002e89537e6136f6c774659b297a549b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a7a2f59fb2eb0718a0cff1e5822500cefe50ed9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee4cf798202d285dcbe85e4467a094c44f5ed8e6"
        }
      ],
      "title": "staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38585",
    "datePublished": "2025-08-19T17:03:07.084Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-09-29T05:54:17.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38604 (GCVE-0-2025-38604)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

wifi: rtl818x: Kill URBs before clearing tx status queue

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0 </IRQ> Tested on RTL8187BvE device. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e64732ebff9e24258…
	https://git.kernel.org/stable/c/789415771422f4fb9…
	https://git.kernel.org/stable/c/c73c773b09e313278…
	https://git.kernel.org/stable/c/8c767727f331fb945…
	https://git.kernel.org/stable/c/14ca6952691fa8cc9…
	https://git.kernel.org/stable/c/7858a95566f4ebf59…
	https://git.kernel.org/stable/c/c51a45ad9070a6d29…
	https://git.kernel.org/stable/c/81cfe34d0630de4e2…
	https://git.kernel.org/stable/c/16d8fd74dbfca0ea5…

Impacted products

Vendor

Product

Version

Linux

Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < e64732ebff9e24258e7326f07adbe2f2b990daf8 (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 789415771422f4fb9f444044f86ecfaec55df1bd (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < c73c773b09e313278f9b960303a2809b8440bac6 (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 8c767727f331fb9455b0f81daad832b5925688cb (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 14ca6952691fa8cc91e7644512e6ff24a595283f (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 7858a95566f4ebf59524666683d2dcdba3fca968 (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < c51a45ad9070a6d296174fcbe5c466352836c12b (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 81cfe34d0630de4e23ae804dcc08fb6f861dc37d (git)
Affected: c1db52b9d27ee6e15a7136e67e4a21dc916cd07f , < 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:19.561Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e64732ebff9e24258e7326f07adbe2f2b990daf8",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "789415771422f4fb9f444044f86ecfaec55df1bd",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "c73c773b09e313278f9b960303a2809b8440bac6",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "8c767727f331fb9455b0f81daad832b5925688cb",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "14ca6952691fa8cc91e7644512e6ff24a595283f",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "7858a95566f4ebf59524666683d2dcdba3fca968",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "c51a45ad9070a6d296174fcbe5c466352836c12b",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "81cfe34d0630de4e23ae804dcc08fb6f861dc37d",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            },
            {
              "lessThan": "16d8fd74dbfca0ea58645cd2fca13be10cae3cdd",
              "status": "affected",
              "version": "c1db52b9d27ee6e15a7136e67e4a21dc916cd07f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  \u003cIRQ\u003e\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  \u003c/IRQ\u003e\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:38.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968"
        },
        {
          "url": "https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b"
        },
        {
          "url": "https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d"
        },
        {
          "url": "https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"
        }
      ],
      "title": "wifi: rtl818x: Kill URBs before clearing tx status queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38604",
    "datePublished": "2025-08-19T17:03:43.358Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-11-03T17:40:19.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38347 (GCVE-0-2025-38347)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2025-11-03 17:36

Title

f2fs: fix to do sanity check on ino and xnid

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/44e904a1ad09e8403…
	https://git.kernel.org/stable/c/ecff54aa20b5b21db…
	https://git.kernel.org/stable/c/c4029044cc408b149…
	https://git.kernel.org/stable/c/e98dc1909f3d5bc07…
	https://git.kernel.org/stable/c/aaddc6c696bd1bff2…
	https://git.kernel.org/stable/c/fed611bd8c7b76b07…
	https://git.kernel.org/stable/c/5a06d97d5340c0051…
	https://git.kernel.org/stable/c/061cf3a84bde03870…

Impacted products

Vendor

Product

Version

Linux

Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ecff54aa20b5b21db82e63e46066b55e43d72e78 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < c4029044cc408b149e63db7dc8617a0783a3f10d (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < aaddc6c696bd1bff20eaacfa88579d6eae64d541 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < fed611bd8c7b76b070aa407d0c7558e20d9e1f68 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 5a06d97d5340c00510f24e80e8de821bd3bd9285 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 061cf3a84bde038708eb0f1d065b31b7c2456533 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:57.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "ecff54aa20b5b21db82e63e46066b55e43d72e78",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "c4029044cc408b149e63db7dc8617a0783a3f10d",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "aaddc6c696bd1bff20eaacfa88579d6eae64d541",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "fed611bd8c7b76b070aa407d0c7558e20d9e1f68",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "5a06d97d5340c00510f24e80e8de821bd3bd9285",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "061cf3a84bde038708eb0f1d065b31b7c2456533",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on ino and xnid\n\nsyzbot reported a f2fs bug as below:\n\nINFO: task syz-executor140:5308 blocked for more than 143 seconds.\n      Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor140 state:D stack:24016 pid:5308  tgid:5308  ppid:5306   task_flags:0x400140 flags:0x00000006\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5378 [inline]\n __schedule+0x190e/0x4c90 kernel/sched/core.c:6765\n __schedule_loop kernel/sched/core.c:6842 [inline]\n schedule+0x14b/0x320 kernel/sched/core.c:6857\n io_schedule+0x8d/0x110 kernel/sched/core.c:7690\n folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317\n __folio_lock mm/filemap.c:1664 [inline]\n folio_lock include/linux/pagemap.h:1163 [inline]\n __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917\n pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87\n find_get_page_flags include/linux/pagemap.h:842 [inline]\n f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776\n __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463\n read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306\n lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]\n f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533\n __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179\n f2fs_acl_create fs/f2fs/acl.c:375 [inline]\n f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418\n f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539\n f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666\n f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765\n f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808\n f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]\n f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766\n vfs_mknod+0x36d/0x3b0 fs/namei.c:4191\n unix_bind_bsd net/unix/af_unix.c:1286 [inline]\n unix_bind+0x563/0xe30 net/unix/af_unix.c:1379\n __sys_bind_socket net/socket.c:1817 [inline]\n __sys_bind+0x1e4/0x290 net/socket.c:1848\n __do_sys_bind net/socket.c:1853 [inline]\n __se_sys_bind net/socket.c:1851 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1851\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLet\u0027s dump and check metadata of corrupted inode, it shows its xattr_nid\nis the same to its i_ino.\n\ndump.f2fs -i 3 chaseyu.img.raw\ni_xattr_nid                             [0x       3 : 3]\n\nSo that, during mknod in the corrupted directory, it tries to get and\nlock inode page twice, result in deadlock.\n\n- f2fs_mknod\n - f2fs_add_inline_entry\n  - f2fs_get_inode_page --- lock dir\u0027s inode page\n   - f2fs_init_acl\n    - f2fs_acl_create(dir,..)\n     - __f2fs_get_acl\n      - f2fs_getxattr\n       - lookup_all_xattrs\n        - __get_node_page --- try to lock dir\u0027s inode page\n\nIn order to fix this, let\u0027s add sanity check on ino and xnid."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:04.137Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecff54aa20b5b21db82e63e46066b55e43d72e78"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4029044cc408b149e63db7dc8617a0783a3f10d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaddc6c696bd1bff20eaacfa88579d6eae64d541"
        },
        {
          "url": "https://git.kernel.org/stable/c/fed611bd8c7b76b070aa407d0c7558e20d9e1f68"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a06d97d5340c00510f24e80e8de821bd3bd9285"
        },
        {
          "url": "https://git.kernel.org/stable/c/061cf3a84bde038708eb0f1d065b31b7c2456533"
        }
      ],
      "title": "f2fs: fix to do sanity check on ino and xnid",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38347",
    "datePublished": "2025-07-10T08:15:14.907Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:36:57.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38118 (GCVE-0-2025-38118)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34

Title

Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3c9aba9cbdf163e26…
	https://git.kernel.org/stable/c/9f66b6531c2b4e996…
	https://git.kernel.org/stable/c/9df3e5e7f7e4653fd…
	https://git.kernel.org/stable/c/32aa2fbe319f33b03…
	https://git.kernel.org/stable/c/e6ed54e86aae9e4f7…

Impacted products

Vendor

Product

Version

Linux

Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 3c9aba9cbdf163e2654be9f82d43ff8a04273962 (git)
Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 9f66b6531c2b4e996bb61720ee94adb4b2e8d1be (git)
Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 9df3e5e7f7e4653fd9802878cedc36defc5ef42d (git)
Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 32aa2fbe319f33b0318ec6f4fceb63879771a286 (git)
Affected: 66bd095ab5d408af106808cce302406542f70f65 , < e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:19.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c9aba9cbdf163e2654be9f82d43ff8a04273962",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "9f66b6531c2b4e996bb61720ee94adb4b2e8d1be",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "9df3e5e7f7e4653fd9802878cedc36defc5ef42d",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "32aa2fbe319f33b0318ec6f4fceb63879771a286",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete\n\nThis reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to\navoid crashes like bellow:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\nRead of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341\n\nCPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\n hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 5987:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252\n mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279\n remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x548/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5989:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2380 [inline]\n slab_free mm/slub.c:4642 [inline]\n kfree+0x18e/0x440 mm/slub.c:4841\n mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242\n mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314\n __sys_bind_socket net/socket.c:1810 [inline]\n __sys_bind+0x2c3/0x3e0 net/socket.c:1841\n __do_sys_bind net/socket.c:1846 [inline]\n __se_sys_bind net/socket.c:1844 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1844\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:12:36.952Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c9aba9cbdf163e2654be9f82d43ff8a04273962"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f66b6531c2b4e996bb61720ee94adb4b2e8d1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/9df3e5e7f7e4653fd9802878cedc36defc5ef42d"
        },
        {
          "url": "https://git.kernel.org/stable/c/32aa2fbe319f33b0318ec6f4fceb63879771a286"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c"
        }
      ],
      "title": "Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38118",
    "datePublished": "2025-07-03T08:35:25.992Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2025-11-03T17:34:19.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38628 (GCVE-0-2025-38628)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:55

Title

vdpa/mlx5: Fix release of uninitialized resources on error path

Summary

In the Linux kernel, the following vulnerability has been resolved: vdpa/mlx5: Fix release of uninitialized resources on error path The commit in the fixes tag made sure that mlx5_vdpa_free() is the single entrypoint for removing the vdpa device resources added in mlx5_vdpa_dev_add(), even in the cleanup path of mlx5_vdpa_dev_add(). This means that all functions from mlx5_vdpa_free() should be able to handle uninitialized resources. This was not the case though: mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx() were not able to do so. This caused the splat below when adding a vdpa device without a MAC address. This patch fixes these remaining issues: - Makes mlx5_vdpa_destroy_mr_resources() return early if called on uninitialized resources. - Moves mlx5_cmd_init_async_ctx() early on during device addition because it can't fail. This means that mlx5_cmd_cleanup_async_ctx() also can't fail. To mirror this, move the call site of mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free(). An additional comment was added in mlx5_vdpa_free() to document the expectations of functions called from this context. Splat: mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned? ------------[ cut here ]------------ WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0 [...] Call Trace: <TASK> ? __try_to_del_timer_sync+0x61/0x90 ? __timer_delete_sync+0x2b/0x40 mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa] mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa] vdpa_release_dev+0x1e/0x50 [vdpa] device_release+0x31/0x90 kobject_cleanup+0x37/0x130 mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa] vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa] genl_family_rcv_msg_doit+0xd8/0x130 genl_family_rcv_msg+0x14b/0x220 ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa] genl_rcv_msg+0x47/0xa0 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x27b/0x3b0 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x1fa/0x210 ? ___pte_offset_map+0x17/0x160 ? next_uptodate_folio+0x85/0x2b0 ? percpu_counter_add_batch+0x51/0x90 ? filemap_map_pages+0x515/0x660 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x7b/0x2c0 ? do_read_fault+0x108/0x220 ? do_pte_missing+0x14a/0x3e0 ? __handle_mm_fault+0x321/0x730 ? count_memcg_events+0x13f/0x180 ? handle_mm_fault+0x1fb/0x2d0 ? do_user_addr_fault+0x20c/0x700 ? syscall_exit_work+0x104/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f0c25b0feca [...] ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/37f26b9013b46457b…
	https://git.kernel.org/stable/c/cf4fc23d0d3d5b89b…
	https://git.kernel.org/stable/c/6de4ef950dd56a6a8…
	https://git.kernel.org/stable/c/cc51a66815999afb7…

Impacted products

Vendor

Product

Version

Linux

Affected: 83e445e64f48bdae3f25013e788fcf592f142576 , < 37f26b9013b46457b0a96633fc3a7dc977d8beb1 (git)
Affected: 83e445e64f48bdae3f25013e788fcf592f142576 , < cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e (git)
Affected: 83e445e64f48bdae3f25013e788fcf592f142576 , < 6de4ef950dd56a6a81daf92d8a1d864fc6a56971 (git)
Affected: 83e445e64f48bdae3f25013e788fcf592f142576 , < cc51a66815999afb7e9cd845968de4fdf07567b7 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vdpa/mlx5/core/mr.c",
            "drivers/vdpa/mlx5/net/mlx5_vnet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37f26b9013b46457b0a96633fc3a7dc977d8beb1",
              "status": "affected",
              "version": "83e445e64f48bdae3f25013e788fcf592f142576",
              "versionType": "git"
            },
            {
              "lessThan": "cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e",
              "status": "affected",
              "version": "83e445e64f48bdae3f25013e788fcf592f142576",
              "versionType": "git"
            },
            {
              "lessThan": "6de4ef950dd56a6a81daf92d8a1d864fc6a56971",
              "status": "affected",
              "version": "83e445e64f48bdae3f25013e788fcf592f142576",
              "versionType": "git"
            },
            {
              "lessThan": "cc51a66815999afb7e9cd845968de4fdf07567b7",
              "status": "affected",
              "version": "83e445e64f48bdae3f25013e788fcf592f142576",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vdpa/mlx5/core/mr.c",
            "drivers/vdpa/mlx5/net/mlx5_vnet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix release of uninitialized resources on error path\n\nThe commit in the fixes tag made sure that mlx5_vdpa_free()\nis the single entrypoint for removing the vdpa device resources\nadded in mlx5_vdpa_dev_add(), even in the cleanup path of\nmlx5_vdpa_dev_add().\n\nThis means that all functions from mlx5_vdpa_free() should be able to\nhandle uninitialized resources. This was not the case though:\nmlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()\nwere not able to do so. This caused the splat below when adding\na vdpa device without a MAC address.\n\nThis patch fixes these remaining issues:\n\n- Makes mlx5_vdpa_destroy_mr_resources() return early if called on\n  uninitialized resources.\n\n- Moves mlx5_cmd_init_async_ctx() early on during device addition\n  because it can\u0027t fail. This means that mlx5_cmd_cleanup_async_ctx()\n  also can\u0027t fail. To mirror this, move the call site of\n  mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().\n\nAn additional comment was added in mlx5_vdpa_free() to document\nthe expectations of functions called from this context.\n\nSplat:\n\n  mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?\n  ------------[ cut here ]------------\n  WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   ? __try_to_del_timer_sync+0x61/0x90\n   ? __timer_delete_sync+0x2b/0x40\n   mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]\n   mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]\n   vdpa_release_dev+0x1e/0x50 [vdpa]\n   device_release+0x31/0x90\n   kobject_cleanup+0x37/0x130\n   mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]\n   vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]\n   genl_family_rcv_msg_doit+0xd8/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n   genl_rcv_msg+0x47/0xa0\n   ? __pfx_genl_rcv_msg+0x10/0x10\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x27b/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   __sys_sendto+0x1fa/0x210\n   ? ___pte_offset_map+0x17/0x160\n   ? next_uptodate_folio+0x85/0x2b0\n   ? percpu_counter_add_batch+0x51/0x90\n   ? filemap_map_pages+0x515/0x660\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x7b/0x2c0\n   ? do_read_fault+0x108/0x220\n   ? do_pte_missing+0x14a/0x3e0\n   ? __handle_mm_fault+0x321/0x730\n   ? count_memcg_events+0x13f/0x180\n   ? handle_mm_fault+0x1fb/0x2d0\n   ? do_user_addr_fault+0x20c/0x700\n   ? syscall_exit_work+0x104/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f0c25b0feca\n  [...]\n  ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:06.134Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37f26b9013b46457b0a96633fc3a7dc977d8beb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6de4ef950dd56a6a81daf92d8a1d864fc6a56971"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc51a66815999afb7e9cd845968de4fdf07567b7"
        }
      ],
      "title": "vdpa/mlx5: Fix release of uninitialized resources on error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38628",
    "datePublished": "2025-08-22T16:00:36.841Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:55:06.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39828 (GCVE-0-2025-39828)

Vulnerability from cvelistv5 – Published: 2025-09-16 13:00 – Updated: 2025-11-03 17:43

Title

atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc. The notable thing is struct atmtcp_control is uAPI but has a space for an in-kernel pointer. struct atmtcp_control { struct atmtcp_hdr hdr; /* must be first */ ... atm_kptr_t vcc; /* both directions */ ... } __ATM_API_ALIGN; typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t; The special message is processed in atmtcp_recv_control() called from atmtcp_c_send(). atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths: 1. .ndo_start_xmit() (vcc->send() == atm_send_aal0()) 2. vcc_sendmsg() The problem is sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control. Let's add a new ->pre_send() hook to validate messages from sendmsg(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f] CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline] RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297 Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203 RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000 R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8d7e96a4a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9 RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005 RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250 </TASK> Modules linked in:

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b502f16bad8f0a4cf…
	https://git.kernel.org/stable/c/0a6a6d4fb333f7afe…
	https://git.kernel.org/stable/c/62f368472b0aa4b5d…
	https://git.kernel.org/stable/c/51872b26429077be6…
	https://git.kernel.org/stable/c/3c80c230d6e3e6f63…
	https://git.kernel.org/stable/c/33f9e6dc66b32202b…
	https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3…
	https://git.kernel.org/stable/c/ec79003c5f9d2c7f9…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b502f16bad8f0a4cfbd023452766f21bfda39dde (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0a6a6d4fb333f7afe22e59ffed18511a7a98efc8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 62f368472b0aa4b5d91d9b983152855c6b6d8925 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51872b26429077be611b0a1816e0e722278015c3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.298 , ≤ 5.4.* (semver)
Unaffected: 5.10.242 , ≤ 5.10.* (semver)
Unaffected: 5.15.191 , ≤ 5.15.* (semver)
Unaffected: 6.1.150 , ≤ 6.1.* (semver)
Unaffected: 6.6.104 , ≤ 6.6.* (semver)
Unaffected: 6.12.45 , ≤ 6.12.* (semver)
Unaffected: 6.16.5 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:50.044Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/atm/atmtcp.c",
            "include/linux/atmdev.h",
            "net/atm/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b502f16bad8f0a4cfbd023452766f21bfda39dde",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0a6a6d4fb333f7afe22e59ffed18511a7a98efc8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "62f368472b0aa4b5d91d9b983152855c6b6d8925",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "51872b26429077be611b0a1816e0e722278015c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/atm/atmtcp.c",
            "include/linux/atmdev.h",
            "net/atm/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.104",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.298",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.191",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.150",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.104",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.45",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n  struct atmtcp_control {\n  \tstruct atmtcp_hdr hdr;\t/* must be first */\n  ...\n  \tatm_kptr_t vcc;\t\t/* both directions */\n  ...\n  } __ATM_API_ALIGN;\n\n  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc-\u003edev-\u003eops-\u003esend() and called from 2 paths:\n\n  1. .ndo_start_xmit() (vcc-\u003esend() == atm_send_aal0())\n  2. vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet\u0027s add a new -\u003epre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 \u003c42\u003e 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n \u003c/TASK\u003e\nModules linked in:"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T06:00:30.190Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b502f16bad8f0a4cfbd023452766f21bfda39dde"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a6a6d4fb333f7afe22e59ffed18511a7a98efc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/62f368472b0aa4b5d91d9b983152855c6b6d8925"
        },
        {
          "url": "https://git.kernel.org/stable/c/51872b26429077be611b0a1816e0e722278015c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b"
        },
        {
          "url": "https://git.kernel.org/stable/c/33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a"
        }
      ],
      "title": "atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39828",
    "datePublished": "2025-09-16T13:00:26.433Z",
    "dateReserved": "2025-04-16T07:20:57.140Z",
    "dateUpdated": "2025-11-03T17:43:50.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39676 (GCVE-0-2025-39676)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42

Title

scsi: qla4xxx: Prevent a potential error pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d0225f41ee70611ca…
	https://git.kernel.org/stable/c/ad8a9d38d30c691a7…
	https://git.kernel.org/stable/c/325bf7d57c4e2a341…
	https://git.kernel.org/stable/c/46288d12d1c30d08f…
	https://git.kernel.org/stable/c/f5ad0819f902b4b33…
	https://git.kernel.org/stable/c/f1424c830d6ce8403…
	https://git.kernel.org/stable/c/f4bc3cdfe95115191…
	https://git.kernel.org/stable/c/9dcf111dd3e7ed5fc…

Impacted products

Vendor

Product

Version

Linux

Affected: 13483730a13bef372894aefcf73760f5c6c297be , < d0225f41ee70611ca88ccb22c8542ecdfa7faea8 (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < ad8a9d38d30c691a77c456e72b78f7932d4f234d (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < 325bf7d57c4e2a341e381c5805e454fb69dd78c3 (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < 46288d12d1c30d08fbeffd05abc079f57a43a2d4 (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < f5ad0819f902b4b33591791b92a0350fb3692a6b (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < f1424c830d6ce840341aac33fe99c8ac45447ac1 (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < f4bc3cdfe95115191e24592bbfc15f1d4a705a75 (git)
Affected: 13483730a13bef372894aefcf73760f5c6c297be , < 9dcf111dd3e7ed5fce82bb108e3a3fc001c07225 (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:10.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla4xxx/ql4_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0225f41ee70611ca88ccb22c8542ecdfa7faea8",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "ad8a9d38d30c691a77c456e72b78f7932d4f234d",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "325bf7d57c4e2a341e381c5805e454fb69dd78c3",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "46288d12d1c30d08fbeffd05abc079f57a43a2d4",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "f5ad0819f902b4b33591791b92a0350fb3692a6b",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "f1424c830d6ce840341aac33fe99c8ac45447ac1",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "f4bc3cdfe95115191e24592bbfc15f1d4a705a75",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            },
            {
              "lessThan": "9dcf111dd3e7ed5fce82bb108e3a3fc001c07225",
              "status": "affected",
              "version": "13483730a13bef372894aefcf73760f5c6c297be",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla4xxx/ql4_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Prevent a potential error pointer dereference\n\nThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,\nbut qla4xxx_ep_connect() returns error pointers.  Propagating the error\npointers will lead to an Oops in the caller, so change the error pointers\nto NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:57:11.888Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0225f41ee70611ca88ccb22c8542ecdfa7faea8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad8a9d38d30c691a77c456e72b78f7932d4f234d"
        },
        {
          "url": "https://git.kernel.org/stable/c/325bf7d57c4e2a341e381c5805e454fb69dd78c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/46288d12d1c30d08fbeffd05abc079f57a43a2d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5ad0819f902b4b33591791b92a0350fb3692a6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1424c830d6ce840341aac33fe99c8ac45447ac1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4bc3cdfe95115191e24592bbfc15f1d4a705a75"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dcf111dd3e7ed5fce82bb108e3a3fc001c07225"
        }
      ],
      "title": "scsi: qla4xxx: Prevent a potential error pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39676",
    "datePublished": "2025-09-05T17:20:42.270Z",
    "dateReserved": "2025-04-16T07:20:57.112Z",
    "dateUpdated": "2025-11-03T17:42:10.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38526 (GCVE-0-2025-38526)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12

Title

ice: add NULL check in eswitch lag check

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a check before it is dereferenced.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/27591d926191e42b2…
	https://git.kernel.org/stable/c/5a5d64f0eec82076b…
	https://git.kernel.org/stable/c/245917d3c5ed7c6ae…
	https://git.kernel.org/stable/c/3ce58b01ada408b37…

Impacted products

Vendor

Product

Version

Linux

Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 27591d926191e42b2332e4bad3bcd3a49def393b (git)
Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 5a5d64f0eec82076b2c09fee2195d640cfbe3379 (git)
Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 245917d3c5ed7c6ae720302b64eac5c6f0c85177 (git)
Affected: 776fe19953b0e0af00399e50fb3b205101d4b3c1 , < 3ce58b01ada408b372f15b7c992ed0519840e3cf (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_lag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27591d926191e42b2332e4bad3bcd3a49def393b",
              "status": "affected",
              "version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
              "versionType": "git"
            },
            {
              "lessThan": "5a5d64f0eec82076b2c09fee2195d640cfbe3379",
              "status": "affected",
              "version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
              "versionType": "git"
            },
            {
              "lessThan": "245917d3c5ed7c6ae720302b64eac5c6f0c85177",
              "status": "affected",
              "version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
              "versionType": "git"
            },
            {
              "lessThan": "3ce58b01ada408b372f15b7c992ed0519840e3cf",
              "status": "affected",
              "version": "776fe19953b0e0af00399e50fb3b205101d4b3c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_lag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: add NULL check in eswitch lag check\n\nThe function ice_lag_is_switchdev_running() is being called from outside of\nthe LAG event handler code.  This results in the lag-\u003eupper_netdev being\nNULL sometimes.  To avoid a NULL-pointer dereference, there needs to be a\ncheck before it is dereferenced."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:12:20.036Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27591d926191e42b2332e4bad3bcd3a49def393b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a5d64f0eec82076b2c09fee2195d640cfbe3379"
        },
        {
          "url": "https://git.kernel.org/stable/c/245917d3c5ed7c6ae720302b64eac5c6f0c85177"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce58b01ada408b372f15b7c992ed0519840e3cf"
        }
      ],
      "title": "ice: add NULL check in eswitch lag check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38526",
    "datePublished": "2025-08-16T11:12:20.036Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-08-16T11:12:20.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39902 (GCVE-0-2025-39902)

Vulnerability from cvelistv5 – Published: 2025-10-01 07:42 – Updated: 2025-11-03 17:44

Title

mm/slub: avoid accessing metadata when pointer is invalid in object_err()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid accessing metadata when pointer is invalid in object_err() object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object. One known path to the crash is when alloc_consistency_checks() determines the pointer to the allocated object is invalid because of a freelist corruption, and calls object_err() to report it. The debug code should report and handle the corruption gracefully and not crash in the process. In case the pointer is NULL or check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/872f2c34ff232af1e…
	https://git.kernel.org/stable/c/f66012909e7bf383f…
	https://git.kernel.org/stable/c/7e287256904ee796c…
	https://git.kernel.org/stable/c/1f0797f17927b5cad…
	https://git.kernel.org/stable/c/0ef7058b4dc6fcef6…
	https://git.kernel.org/stable/c/dda6ec365ab04067a…
	https://git.kernel.org/stable/c/3baa1da473e6e5028…
	https://git.kernel.org/stable/c/b4efccec8d06ceb10…

Impacted products

Vendor

Product

Version

Linux

Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 872f2c34ff232af1e65ad2df86d61163c8ffad42 (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < f66012909e7bf383fcdc5850709ed5716073fdc4 (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 7e287256904ee796c9477e3ec92b07f236481ef3 (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 1f0797f17927b5cad0fb7eced422f9a7c30a3191 (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 0ef7058b4dc6fcef622ac23b45225db57f17b83f (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < dda6ec365ab04067adae40ef17015db447e90736 (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < 3baa1da473e6e50281324ff1d332d1a07a3bb02e (git)
Affected: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 , < b4efccec8d06ceb10a7d34d7b1c449c569d53770 (git)

Linux

Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 5.4.299 , ≤ 5.4.* (semver)
Unaffected: 5.10.243 , ≤ 5.10.* (semver)
Unaffected: 5.15.192 , ≤ 5.15.* (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.105 , ≤ 6.6.* (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:33.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "872f2c34ff232af1e65ad2df86d61163c8ffad42",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "f66012909e7bf383fcdc5850709ed5716073fdc4",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "7e287256904ee796c9477e3ec92b07f236481ef3",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "1f0797f17927b5cad0fb7eced422f9a7c30a3191",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "0ef7058b4dc6fcef622ac23b45225db57f17b83f",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "dda6ec365ab04067adae40ef17015db447e90736",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "3baa1da473e6e50281324ff1d332d1a07a3bb02e",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            },
            {
              "lessThan": "b4efccec8d06ceb10a7d34d7b1c449c569d53770",
              "status": "affected",
              "version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.299",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.192",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.299",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.243",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.192",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:42:49.415Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/872f2c34ff232af1e65ad2df86d61163c8ffad42"
        },
        {
          "url": "https://git.kernel.org/stable/c/f66012909e7bf383fcdc5850709ed5716073fdc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e287256904ee796c9477e3ec92b07f236481ef3"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f0797f17927b5cad0fb7eced422f9a7c30a3191"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f"
        },
        {
          "url": "https://git.kernel.org/stable/c/dda6ec365ab04067adae40ef17015db447e90736"
        },
        {
          "url": "https://git.kernel.org/stable/c/3baa1da473e6e50281324ff1d332d1a07a3bb02e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4efccec8d06ceb10a7d34d7b1c449c569d53770"
        }
      ],
      "title": "mm/slub: avoid accessing metadata when pointer is invalid in object_err()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39902",
    "datePublished": "2025-10-01T07:42:49.415Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2025-11-03T17:44:33.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39731 (GCVE-0-2025-39731)

Vulnerability from cvelistv5 – Published: 2025-09-07 15:16 – Updated: 2025-11-03 17:42

Title

f2fs: vm_unmap_ram() may be called from an invalid context

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test: f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007 [ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978 [ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd [ 11.475357] preempt_count: 1, expected: 0 [ 11.476970] RCU nest depth: 0, expected: 0 [ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none) [ 11.478535] Tainted: [W]=WARN [ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 11.478537] Call Trace: [ 11.478543] <TASK> [ 11.478545] dump_stack_lvl+0x4e/0x70 [ 11.478554] __might_resched.cold+0xaf/0xbe [ 11.478557] vm_unmap_ram+0x21/0xb0 [ 11.478560] f2fs_release_decomp_mem+0x59/0x80 [ 11.478563] f2fs_free_dic+0x18/0x1a0 [ 11.478565] f2fs_finish_read_bio+0xd7/0x290 [ 11.478570] blk_update_request+0xec/0x3b0 [ 11.478574] ? sbitmap_queue_clear+0x3b/0x60 [ 11.478576] scsi_end_request+0x27/0x1a0 [ 11.478582] scsi_io_completion+0x40/0x300 [ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0 [ 11.478588] ufshcd_sl_intr+0x194/0x1f0 [ 11.478592] ufshcd_threaded_intr+0x68/0xb0 [ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10 [ 11.478599] irq_thread_fn+0x20/0x60 [ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10 [ 11.478603] irq_thread+0xb9/0x180 [ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10 [ 11.478607] ? __pfx_irq_thread+0x10/0x10 [ 11.478609] kthread+0x10a/0x230 [ 11.478614] ? __pfx_kthread+0x10/0x10 [ 11.478615] ret_from_fork+0x7e/0xd0 [ 11.478619] ? __pfx_kthread+0x10/0x10 [ 11.478621] ret_from_fork_asm+0x1a/0x30 [ 11.478623] </TASK> This patch modifies in_task() check inside f2fs_read_end_io() to also check if interrupts are disabled. This ensures that pages are unmapped asynchronously in an interrupt handler.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/eb69e69a5ae6c8350…
	https://git.kernel.org/stable/c/1023836d1b9465593…
	https://git.kernel.org/stable/c/0fe7976b62546f1e9…
	https://git.kernel.org/stable/c/411e00f44e2e1a7fd…
	https://git.kernel.org/stable/c/18eea36f4f460ead3…
	https://git.kernel.org/stable/c/08a7efc5b02a0620a…

Impacted products

Vendor

Product

Version

Linux

Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < eb69e69a5ae6c8350957893b5f68bd55b1565fb2 (git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 1023836d1b9465593c8746f97d608da32958785f (git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 0fe7976b62546f1e95eebfe9879925e9aa22b7a8 (git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 411e00f44e2e1a7fdb526013b25a7f0ed22a0947 (git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 18eea36f4f460ead3750ed4afe5496f7ce55f99e (git)
Affected: bff139b49d9f70c1ac5384aac94554846aa834de , < 08a7efc5b02a0620ae16aa9584060e980a69cb55 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:49.723Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eb69e69a5ae6c8350957893b5f68bd55b1565fb2",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            },
            {
              "lessThan": "1023836d1b9465593c8746f97d608da32958785f",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            },
            {
              "lessThan": "0fe7976b62546f1e95eebfe9879925e9aa22b7a8",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            },
            {
              "lessThan": "411e00f44e2e1a7fdb526013b25a7f0ed22a0947",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            },
            {
              "lessThan": "18eea36f4f460ead3750ed4afe5496f7ce55f99e",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            },
            {
              "lessThan": "08a7efc5b02a0620ae16aa9584060e980a69cb55",
              "status": "affected",
              "version": "bff139b49d9f70c1ac5384aac94554846aa834de",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: vm_unmap_ram() may be called from an invalid context\n\nWhen testing F2FS with xfstests using UFS backed virtual disks the\nkernel complains sometimes that f2fs_release_decomp_mem() calls\nvm_unmap_ram() from an invalid context. Example trace from\nf2fs/007 test:\n\nf2fs/007 5s ...  [12:59:38][    8.902525] run fstests f2fs/007\n[   11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978\n[   11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd\n[   11.475357] preempt_count: 1, expected: 0\n[   11.476970] RCU nest depth: 0, expected: 0\n[   11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G        W           6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)\n[   11.478535] Tainted: [W]=WARN\n[   11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   11.478537] Call Trace:\n[   11.478543]  \u003cTASK\u003e\n[   11.478545]  dump_stack_lvl+0x4e/0x70\n[   11.478554]  __might_resched.cold+0xaf/0xbe\n[   11.478557]  vm_unmap_ram+0x21/0xb0\n[   11.478560]  f2fs_release_decomp_mem+0x59/0x80\n[   11.478563]  f2fs_free_dic+0x18/0x1a0\n[   11.478565]  f2fs_finish_read_bio+0xd7/0x290\n[   11.478570]  blk_update_request+0xec/0x3b0\n[   11.478574]  ? sbitmap_queue_clear+0x3b/0x60\n[   11.478576]  scsi_end_request+0x27/0x1a0\n[   11.478582]  scsi_io_completion+0x40/0x300\n[   11.478583]  ufshcd_mcq_poll_cqe_lock+0xa3/0xe0\n[   11.478588]  ufshcd_sl_intr+0x194/0x1f0\n[   11.478592]  ufshcd_threaded_intr+0x68/0xb0\n[   11.478594]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478599]  irq_thread_fn+0x20/0x60\n[   11.478602]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478603]  irq_thread+0xb9/0x180\n[   11.478605]  ? __pfx_irq_thread_dtor+0x10/0x10\n[   11.478607]  ? __pfx_irq_thread+0x10/0x10\n[   11.478609]  kthread+0x10a/0x230\n[   11.478614]  ? __pfx_kthread+0x10/0x10\n[   11.478615]  ret_from_fork+0x7e/0xd0\n[   11.478619]  ? __pfx_kthread+0x10/0x10\n[   11.478621]  ret_from_fork_asm+0x1a/0x30\n[   11.478623]  \u003c/TASK\u003e\n\nThis patch modifies in_task() check inside f2fs_read_end_io() to also\ncheck if interrupts are disabled. This ensures that pages are unmapped\nasynchronously in an interrupt handler."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:16.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eb69e69a5ae6c8350957893b5f68bd55b1565fb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1023836d1b9465593c8746f97d608da32958785f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fe7976b62546f1e95eebfe9879925e9aa22b7a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/411e00f44e2e1a7fdb526013b25a7f0ed22a0947"
        },
        {
          "url": "https://git.kernel.org/stable/c/18eea36f4f460ead3750ed4afe5496f7ce55f99e"
        },
        {
          "url": "https://git.kernel.org/stable/c/08a7efc5b02a0620ae16aa9584060e980a69cb55"
        }
      ],
      "title": "f2fs: vm_unmap_ram() may be called from an invalid context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39731",
    "datePublished": "2025-09-07T15:16:20.023Z",
    "dateReserved": "2025-04-16T07:20:57.118Z",
    "dateUpdated": "2025-11-03T17:42:49.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38484 (GCVE-0-2025-38484)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-07-28 11:21

Title

iio: backend: fix out-of-bound write

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: backend: fix out-of-bound write The buffer is set to 80 character. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". But afterwards a string terminator is written to the buffer at offset count without boundary check. The zero termination is written OUT-OF-BOUND. Add a check that the given buffer is smaller then the buffer to prevent.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6eea9f7648ddb9e49…
	https://git.kernel.org/stable/c/01e941aa7f5175125…
	https://git.kernel.org/stable/c/da9374819eb388563…

Impacted products

Vendor

Product

Version

Linux

Affected: df3892e5e861c43d5612728ed259634675b8a71f , < 6eea9f7648ddb9e4903735a1f77cf196c957aa38 (git)
Affected: 035b4989211dc1c8626e186d655ae8ca5141bb73 , < 01e941aa7f5175125df4ac5d3aab099961525602 (git)
Affected: 035b4989211dc1c8626e186d655ae8ca5141bb73 , < da9374819eb3885636934c1006d450c3cb1a02ed (git)
Affected: 04271a4d2740f98bbe36f82cd3d74677a839d1eb (git)
Affected: fd791c81f410ab1c554686a6f486dc7a176dfe35 (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/industrialio-backend.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6eea9f7648ddb9e4903735a1f77cf196c957aa38",
              "status": "affected",
              "version": "df3892e5e861c43d5612728ed259634675b8a71f",
              "versionType": "git"
            },
            {
              "lessThan": "01e941aa7f5175125df4ac5d3aab099961525602",
              "status": "affected",
              "version": "035b4989211dc1c8626e186d655ae8ca5141bb73",
              "versionType": "git"
            },
            {
              "lessThan": "da9374819eb3885636934c1006d450c3cb1a02ed",
              "status": "affected",
              "version": "035b4989211dc1c8626e186d655ae8ca5141bb73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "04271a4d2740f98bbe36f82cd3d74677a839d1eb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fd791c81f410ab1c554686a6f486dc7a176dfe35",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/industrialio-backend.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.12.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: backend: fix out-of-bound write\n\nThe buffer is set to 80 character. If a caller write more characters,\ncount is truncated to the max available space in \"simple_write_to_buffer\".\nBut afterwards a string terminator is written to the buffer at offset count\nwithout boundary check. The zero termination is written OUT-OF-BOUND.\n\nAdd a check that the given buffer is smaller then the buffer to prevent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:48.690Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6eea9f7648ddb9e4903735a1f77cf196c957aa38"
        },
        {
          "url": "https://git.kernel.org/stable/c/01e941aa7f5175125df4ac5d3aab099961525602"
        },
        {
          "url": "https://git.kernel.org/stable/c/da9374819eb3885636934c1006d450c3cb1a02ed"
        }
      ],
      "title": "iio: backend: fix out-of-bound write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38484",
    "datePublished": "2025-07-28T11:21:48.690Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-07-28T11:21:48.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38711 (GCVE-0-2025-38711)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41

Title

smb/server: avoid deadlock when linking with ReplaceIfExists

Summary

In the Linux kernel, the following vulnerability has been resolved: smb/server: avoid deadlock when linking with ReplaceIfExists If smb2_create_link() is called with ReplaceIfExists set and the name does exist then a deadlock will happen. ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remove_file() will then remove the file. ksmbd_vfs_link() will then be called while the parent is still locked. It will try to lock the same parent and will deadlock. This patch moves the ksmbd_vfs_kern_path_unlock() call to *before* ksmbd_vfs_link() and then simplifies the code, removing the file_present flag variable.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9d5012ffe14120f97…
	https://git.kernel.org/stable/c/ac98d54630d5b52e3…
	https://git.kernel.org/stable/c/1e858a7a51c7b8b00…
	https://git.kernel.org/stable/c/814cfdb6358d9b84f…
	https://git.kernel.org/stable/c/a7dddd62578c2eb6c…
	https://git.kernel.org/stable/c/a726fef6d7d4cfc36…
	https://git.kernel.org/stable/c/d5fc1400a34b4ea5e…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 9d5012ffe14120f978ee34aef4df3d6cb026b7c4 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < ac98d54630d5b52e3f684d872f0d82c06c418ea9 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1e858a7a51c7b8b009d8f246de7ceb7743b44a71 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 814cfdb6358d9b84fcbec9918c8f938cc096a43a (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a7dddd62578c2eb6cb28b8835556a121b5157323 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a726fef6d7d4cfc365d3434e3916dbfe78991a33 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:40.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9d5012ffe14120f978ee34aef4df3d6cb026b7c4",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "ac98d54630d5b52e3f684d872f0d82c06c418ea9",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "1e858a7a51c7b8b009d8f246de7ceb7743b44a71",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "814cfdb6358d9b84fcbec9918c8f938cc096a43a",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "a7dddd62578c2eb6cb28b8835556a121b5157323",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "a726fef6d7d4cfc365d3434e3916dbfe78991a33",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: avoid deadlock when linking with ReplaceIfExists\n\nIf smb2_create_link() is called with ReplaceIfExists set and the name\ndoes exist then a deadlock will happen.\n\nksmbd_vfs_kern_path_locked() will return with success and the parent\ndirectory will be locked.  ksmbd_vfs_remove_file() will then remove the\nfile.  ksmbd_vfs_link() will then be called while the parent is still\nlocked.  It will try to lock the same parent and will deadlock.\n\nThis patch moves the ksmbd_vfs_kern_path_unlock() call to *before*\nksmbd_vfs_link() and then simplifies the code, removing the file_present\nflag variable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:56:33.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9d5012ffe14120f978ee34aef4df3d6cb026b7c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac98d54630d5b52e3f684d872f0d82c06c418ea9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e858a7a51c7b8b009d8f246de7ceb7743b44a71"
        },
        {
          "url": "https://git.kernel.org/stable/c/814cfdb6358d9b84fcbec9918c8f938cc096a43a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7dddd62578c2eb6cb28b8835556a121b5157323"
        },
        {
          "url": "https://git.kernel.org/stable/c/a726fef6d7d4cfc365d3434e3916dbfe78991a33"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694"
        }
      ],
      "title": "smb/server: avoid deadlock when linking with ReplaceIfExists",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38711",
    "datePublished": "2025-09-04T15:33:01.367Z",
    "dateReserved": "2025-04-16T04:51:24.033Z",
    "dateUpdated": "2025-11-03T17:41:40.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-52975 (GCVE-0-2023-52975)

Vulnerability from cvelistv5 – Published: 2025-03-27 16:43 – Updated: 2026-01-19 12:17

Title

scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress Bug report and analysis from Ding Hui. During iSCSI session logout, if another task accesses the shost ipaddress attr, we can get a KASAN UAF report like this: [ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0 [ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088 [ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3 [ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 276.944470] Call Trace: [ 276.944943] <TASK> [ 276.945397] dump_stack_lvl+0x34/0x48 [ 276.945887] print_address_description.constprop.0+0x86/0x1e7 [ 276.946421] print_report+0x36/0x4f [ 276.947358] kasan_report+0xad/0x130 [ 276.948234] kasan_check_range+0x35/0x1c0 [ 276.948674] _raw_spin_lock_bh+0x78/0xe0 [ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp] [ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi] [ 276.952185] dev_attr_show+0x3f/0x80 [ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0 [ 276.953401] seq_read_iter+0x402/0x1020 [ 276.954260] vfs_read+0x532/0x7b0 [ 276.955113] ksys_read+0xed/0x1c0 [ 276.955952] do_syscall_64+0x38/0x90 [ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.956769] RIP: 0033:0x7f5d3a679222 [ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 [ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222 [ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003 [ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000 [ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000 [ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58 [ 276.960536] </TASK> [ 276.961357] Allocated by task 2209: [ 276.961756] kasan_save_stack+0x1e/0x40 [ 276.962170] kasan_set_track+0x21/0x30 [ 276.962557] __kasan_kmalloc+0x7e/0x90 [ 276.962923] __kmalloc+0x5b/0x140 [ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi] [ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi] [ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp] [ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi] [ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi] [ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.965546] netlink_unicast+0x4d5/0x7b0 [ 276.965905] netlink_sendmsg+0x78d/0xc30 [ 276.966236] sock_sendmsg+0xe5/0x120 [ 276.966576] ____sys_sendmsg+0x5fe/0x860 [ 276.966923] ___sys_sendmsg+0xe0/0x170 [ 276.967300] __sys_sendmsg+0xc8/0x170 [ 276.967666] do_syscall_64+0x38/0x90 [ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.968773] Freed by task 2209: [ 276.969111] kasan_save_stack+0x1e/0x40 [ 276.969449] kasan_set_track+0x21/0x30 [ 276.969789] kasan_save_free_info+0x2a/0x50 [ 276.970146] __kasan_slab_free+0x106/0x190 [ 276.970470] __kmem_cache_free+0x133/0x270 [ 276.970816] device_release+0x98/0x210 [ 276.971145] kobject_cleanup+0x101/0x360 [ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi] [ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp] [ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi] [ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.972808] netlink_unicast+0x4d5/0x7b0 [ 276.973201] netlink_sendmsg+0x78d/0xc30 [ 276.973544] sock_sendmsg+0xe5/0x120 [ 276.973864] ____sys_sendmsg+0x5fe/0x860 [ 276.974248] ___sys_ ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0af745fddefbd5619…
	https://git.kernel.org/stable/c/17b738590b97fb3fc…
	https://git.kernel.org/stable/c/8859687f5b242c0b0…
	https://git.kernel.org/stable/c/6f1d64b13097e85ab…

Impacted products

Vendor

Product

Version

Linux

Affected: a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 , < 0af745fddefbd56198f4f35eb309215ee5f9e21e (git)
Affected: a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 , < 17b738590b97fb3fc287289971d1519ff9b875a1 (git)
Affected: a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 , < 8859687f5b242c0b057461df0a9ff51d5500783b (git)
Affected: a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 , < 6f1d64b13097e85abda0f91b5638000afc5f9a06 (git)

Linux

Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.93 , ≤ 5.15.* (semver)
Unaffected: 6.1.11 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52975",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T16:59:46.852113Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:08:22.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/iscsi_tcp.c",
            "drivers/scsi/libiscsi.c",
            "include/scsi/libiscsi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0af745fddefbd56198f4f35eb309215ee5f9e21e",
              "status": "affected",
              "version": "a79af8a64d395bd89de8695a5ea5e1a7f01f02a8",
              "versionType": "git"
            },
            {
              "lessThan": "17b738590b97fb3fc287289971d1519ff9b875a1",
              "status": "affected",
              "version": "a79af8a64d395bd89de8695a5ea5e1a7f01f02a8",
              "versionType": "git"
            },
            {
              "lessThan": "8859687f5b242c0b057461df0a9ff51d5500783b",
              "status": "affected",
              "version": "a79af8a64d395bd89de8695a5ea5e1a7f01f02a8",
              "versionType": "git"
            },
            {
              "lessThan": "6f1d64b13097e85abda0f91b5638000afc5f9a06",
              "status": "affected",
              "version": "a79af8a64d395bd89de8695a5ea5e1a7f01f02a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/iscsi_tcp.c",
            "drivers/scsi/libiscsi.c",
            "include/scsi/libiscsi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.93",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.11",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3\n[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[  276.944470] Call Trace:\n[  276.944943]  \u003cTASK\u003e\n[  276.945397]  dump_stack_lvl+0x34/0x48\n[  276.945887]  print_address_description.constprop.0+0x86/0x1e7\n[  276.946421]  print_report+0x36/0x4f\n[  276.947358]  kasan_report+0xad/0x130\n[  276.948234]  kasan_check_range+0x35/0x1c0\n[  276.948674]  _raw_spin_lock_bh+0x78/0xe0\n[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[  276.952185]  dev_attr_show+0x3f/0x80\n[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0\n[  276.953401]  seq_read_iter+0x402/0x1020\n[  276.954260]  vfs_read+0x532/0x7b0\n[  276.955113]  ksys_read+0xed/0x1c0\n[  276.955952]  do_syscall_64+0x38/0x90\n[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.956769] RIP: 0033:0x7f5d3a679222\n[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[  276.960536]  \u003c/TASK\u003e\n[  276.961357] Allocated by task 2209:\n[  276.961756]  kasan_save_stack+0x1e/0x40\n[  276.962170]  kasan_set_track+0x21/0x30\n[  276.962557]  __kasan_kmalloc+0x7e/0x90\n[  276.962923]  __kmalloc+0x5b/0x140\n[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]\n[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.965546]  netlink_unicast+0x4d5/0x7b0\n[  276.965905]  netlink_sendmsg+0x78d/0xc30\n[  276.966236]  sock_sendmsg+0xe5/0x120\n[  276.966576]  ____sys_sendmsg+0x5fe/0x860\n[  276.966923]  ___sys_sendmsg+0xe0/0x170\n[  276.967300]  __sys_sendmsg+0xc8/0x170\n[  276.967666]  do_syscall_64+0x38/0x90\n[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.968773] Freed by task 2209:\n[  276.969111]  kasan_save_stack+0x1e/0x40\n[  276.969449]  kasan_set_track+0x21/0x30\n[  276.969789]  kasan_save_free_info+0x2a/0x50\n[  276.970146]  __kasan_slab_free+0x106/0x190\n[  276.970470]  __kmem_cache_free+0x133/0x270\n[  276.970816]  device_release+0x98/0x210\n[  276.971145]  kobject_cleanup+0x101/0x360\n[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.972808]  netlink_unicast+0x4d5/0x7b0\n[  276.973201]  netlink_sendmsg+0x78d/0xc30\n[  276.973544]  sock_sendmsg+0xe5/0x120\n[  276.973864]  ____sys_sendmsg+0x5fe/0x860\n[  276.974248]  ___sys_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:17:43.562Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0af745fddefbd56198f4f35eb309215ee5f9e21e"
        },
        {
          "url": "https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06"
        }
      ],
      "title": "scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52975",
    "datePublished": "2025-03-27T16:43:15.322Z",
    "dateReserved": "2025-03-27T16:40:15.737Z",
    "dateUpdated": "2026-01-19T12:17:43.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-49935 (GCVE-0-2024-49935)

Vulnerability from cvelistv5 – Published: 2024-10-21 18:01 – Updated: 2026-01-05 10:54

Title

ACPI: PAD: fix crash in exit_round_robin()

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: PAD: fix crash in exit_round_robin() The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address. ---------- BUG: unable to handle kernel paging request at ffffffffe0740618 ... CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 ... RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad] Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31 RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202 RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? acpi_pad_add+0x120/0x120 [acpi_pad] kthread+0x10b/0x130 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x40 ... CR2: ffffffffe0740618 crash> dis -lr ffffffffc0726923 ... /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114 0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325 0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80 0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits> crash> px tsk_in_cpu[14] $66 = 0xffffffff crash> px 0xffffffffc072692c+0x19cf4 $99 = 0xffffffffc0740620 crash> sym 0xffffffffc0740620 ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad] crash> px pad_busy_cpus_bits[0] $42 = 0xfffc0 ---------- To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling cpumask_clear_cpu() in exit_round_robin(), just as it is done in round_robin_cpu(). [ rjw: Subject edit, avoid updates to the same value ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/82191a21a0dedc8c6…
	https://git.kernel.org/stable/c/d214ffa6eb39c08d1…
	https://git.kernel.org/stable/c/92e5661b7d0727ab9…
	https://git.kernel.org/stable/c/68a599da16ebad442…
	https://git.kernel.org/stable/c/68a8e45743d6a120f…
	https://git.kernel.org/stable/c/03593dbb0b272ef7b…
	https://git.kernel.org/stable/c/27c045f868f0e5052…
	https://git.kernel.org/stable/c/0a2ed70a549e61c51…

Impacted products

Vendor

Product

Version

Linux

Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 82191a21a0dedc8c64e14f07f5d568d09bc4b331 (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < d214ffa6eb39c08d18a460124dd7ba318dc56f33 (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 92e5661b7d0727ab912b76625a88b33fdb9b609a (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 68a599da16ebad442ce295d8d2d5c488e3992822 (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 68a8e45743d6a120f863fb14b72dc59616597019 (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 03593dbb0b272ef7b0358b099841e65735422aca (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 27c045f868f0e5052c6b532868a65e0cd250c8fc (git)
Affected: 8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d , < 0a2ed70a549e61c5181bad5db418d223b68ae932 (git)

Linux

Affected: 2.6.32
Unaffected: 0 , < 2.6.32 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.55 , ≤ 6.6.* (semver)
Unaffected: 6.10.14 , ≤ 6.10.* (semver)
Unaffected: 6.11.3 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:38:31.252329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:38:51.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:23:19.179Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_pad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "82191a21a0dedc8c64e14f07f5d568d09bc4b331",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "d214ffa6eb39c08d18a460124dd7ba318dc56f33",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "92e5661b7d0727ab912b76625a88b33fdb9b609a",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "68a599da16ebad442ce295d8d2d5c488e3992822",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "68a8e45743d6a120f863fb14b72dc59616597019",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "03593dbb0b272ef7b0358b099841e65735422aca",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "27c045f868f0e5052c6b532868a65e0cd250c8fc",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            },
            {
              "lessThan": "0a2ed70a549e61c5181bad5db418d223b68ae932",
              "status": "affected",
              "version": "8e0af5141ab950b78b3ebbfaded5439dcf8b3a8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_pad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.32"
            },
            {
              "lessThan": "2.6.32",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PAD: fix crash in exit_round_robin()\n\nThe kernel occasionally crashes in cpumask_clear_cpu(), which is called\nwithin exit_round_robin(), because when executing clear_bit(nr, addr) with\nnr set to 0xffffffff, the address calculation may cause misalignment within\nthe memory, leading to access to an invalid memory address.\n\n----------\nBUG: unable to handle kernel paging request at ffffffffe0740618\n        ...\nCPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G           OE  X --------- -  - 4.18.0-425.19.2.el8_7.x86_64 #1\n        ...\nRIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]\nCode: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 \u003cf0\u003e 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31\nRSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202\nRAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\nRBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e\nR13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e\nFS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n ? acpi_pad_add+0x120/0x120 [acpi_pad]\n kthread+0x10b/0x130\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x1f/0x40\n        ...\nCR2: ffffffffe0740618\n\ncrash\u003e dis -lr ffffffffc0726923\n        ...\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114\n0xffffffffc0726918 \u003cpower_saving_thread+776\u003e:\tmov    %r12d,%r12d\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325\n0xffffffffc072691b \u003cpower_saving_thread+779\u003e:\tmov    -0x3f8d7de0(,%r12,4),%eax\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80\n0xffffffffc0726923 \u003cpower_saving_thread+787\u003e:\tlock btr %rax,0x19cf4(%rip)        # 0xffffffffc0740620 \u003cpad_busy_cpus_bits\u003e\n\ncrash\u003e px tsk_in_cpu[14]\n$66 = 0xffffffff\n\ncrash\u003e px 0xffffffffc072692c+0x19cf4\n$99 = 0xffffffffc0740620\n\ncrash\u003e sym 0xffffffffc0740620\nffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]\n\ncrash\u003e px pad_busy_cpus_bits[0]\n$42 = 0xfffc0\n----------\n\nTo fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling\ncpumask_clear_cpu() in exit_round_robin(), just as it is done in\nround_robin_cpu().\n\n[ rjw: Subject edit, avoid updates to the same value ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:54:29.176Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/82191a21a0dedc8c64e14f07f5d568d09bc4b331"
        },
        {
          "url": "https://git.kernel.org/stable/c/d214ffa6eb39c08d18a460124dd7ba318dc56f33"
        },
        {
          "url": "https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a599da16ebad442ce295d8d2d5c488e3992822"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a8e45743d6a120f863fb14b72dc59616597019"
        },
        {
          "url": "https://git.kernel.org/stable/c/03593dbb0b272ef7b0358b099841e65735422aca"
        },
        {
          "url": "https://git.kernel.org/stable/c/27c045f868f0e5052c6b532868a65e0cd250c8fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a2ed70a549e61c5181bad5db418d223b68ae932"
        }
      ],
      "title": "ACPI: PAD: fix crash in exit_round_robin()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49935",
    "datePublished": "2024-10-21T18:01:56.404Z",
    "dateReserved": "2024-10-21T12:17:06.042Z",
    "dateUpdated": "2026-01-05T10:54:29.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38581 (GCVE-0-2025-38581)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a25ab6dfa0ce323ec…
	https://git.kernel.org/stable/c/ce63a83925964ab75…
	https://git.kernel.org/stable/c/20c0ed8dd65834e6b…
	https://git.kernel.org/stable/c/2d4060f05e74dbee8…
	https://git.kernel.org/stable/c/db111468531777cac…
	https://git.kernel.org/stable/c/9dea08eac4f6d6fbb…
	https://git.kernel.org/stable/c/6eadf50c1d894cb34…
	https://git.kernel.org/stable/c/64ec9a7e7a6398b17…
	https://git.kernel.org/stable/c/181698af38d3f9338…

Impacted products

Vendor

Product

Version

Linux

Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < a25ab6dfa0ce323ec308966988be6b675eb9d3e5 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < ce63a83925964ab7564bd216bd92b80bc365492e (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 20c0ed8dd65834e6bab464f54cd6ff68659bacb9 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 2d4060f05e74dbee884ba723f6afd9282befc3c5 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < db111468531777cac8b4beb6515a88a54b0c4a74 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 9dea08eac4f6d6fbbae59992978252e2edab995d (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 6eadf50c1d894cb34f3237064063207460946040 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 64ec9a7e7a6398b172ab6feba60e952163a1c3d5 (git)
Affected: 3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0 , < 181698af38d3f93381229ad89c09b5bd0496661a (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:10.652Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/ccp/ccp-debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a25ab6dfa0ce323ec308966988be6b675eb9d3e5",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "ce63a83925964ab7564bd216bd92b80bc365492e",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "20c0ed8dd65834e6bab464f54cd6ff68659bacb9",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "2d4060f05e74dbee884ba723f6afd9282befc3c5",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "db111468531777cac8b4beb6515a88a54b0c4a74",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "9dea08eac4f6d6fbbae59992978252e2edab995d",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "6eadf50c1d894cb34f3237064063207460946040",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "64ec9a7e7a6398b172ab6feba60e952163a1c3d5",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            },
            {
              "lessThan": "181698af38d3f93381229ad89c09b5bd0496661a",
              "status": "affected",
              "version": "3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/ccp/ccp-debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for ccp.ko\n\nWhen CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding\nthe ccp device causes the following crash:\n\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/unbind\n$ echo \u00270000:0a:00.2\u0027 \u003e /sys/bus/pci/drivers/ccp/bind\n\n[  204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[  204.978026] #PF: supervisor write access in kernel mode\n[  204.979126] #PF: error_code(0x0002) - not-present page\n[  204.980226] PGD 0 P4D 0\n[  204.981317] Oops: Oops: 0002 [#1] SMP NOPTI\n...\n[  204.997852] Call Trace:\n[  204.999074]  \u003cTASK\u003e\n[  205.000297]  start_creating+0x9f/0x1c0\n[  205.001533]  debugfs_create_dir+0x1f/0x170\n[  205.002769]  ? srso_return_thunk+0x5/0x5f\n[  205.004000]  ccp5_debugfs_setup+0x87/0x170 [ccp]\n[  205.005241]  ccp5_init+0x8b2/0x960 [ccp]\n[  205.006469]  ccp_dev_init+0xd4/0x150 [ccp]\n[  205.007709]  sp_init+0x5f/0x80 [ccp]\n[  205.008942]  sp_pci_probe+0x283/0x2e0 [ccp]\n[  205.010165]  ? srso_return_thunk+0x5/0x5f\n[  205.011376]  local_pci_probe+0x4f/0xb0\n[  205.012584]  pci_device_probe+0xdb/0x230\n[  205.013810]  really_probe+0xed/0x380\n[  205.015024]  __driver_probe_device+0x7e/0x160\n[  205.016240]  device_driver_attach+0x2f/0x60\n[  205.017457]  bind_store+0x7c/0xb0\n[  205.018663]  drv_attr_store+0x28/0x40\n[  205.019868]  sysfs_kf_write+0x5f/0x70\n[  205.021065]  kernfs_fop_write_iter+0x145/0x1d0\n[  205.022267]  vfs_write+0x308/0x440\n[  205.023453]  ksys_write+0x6d/0xe0\n[  205.024616]  __x64_sys_write+0x1e/0x30\n[  205.025778]  x64_sys_call+0x16ba/0x2150\n[  205.026942]  do_syscall_64+0x56/0x1e0\n[  205.028108]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  205.029276] RIP: 0033:0x7fbc36f10104\n[  205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5\n\nThis patch sets ccp_debugfs_dir to NULL after destroying it in\nccp5_debugfs_destroy, allowing the directory dentry to be\nrecreated when rebinding the ccp device.\n\nTested on AMD Ryzen 7 1700X."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:12.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a25ab6dfa0ce323ec308966988be6b675eb9d3e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce63a83925964ab7564bd216bd92b80bc365492e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20c0ed8dd65834e6bab464f54cd6ff68659bacb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d4060f05e74dbee884ba723f6afd9282befc3c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/db111468531777cac8b4beb6515a88a54b0c4a74"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dea08eac4f6d6fbbae59992978252e2edab995d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6eadf50c1d894cb34f3237064063207460946040"
        },
        {
          "url": "https://git.kernel.org/stable/c/64ec9a7e7a6398b172ab6feba60e952163a1c3d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/181698af38d3f93381229ad89c09b5bd0496661a"
        }
      ],
      "title": "crypto: ccp - Fix crash when rebind ccp device for ccp.ko",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38581",
    "datePublished": "2025-08-19T17:03:03.718Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-11-03T17:40:10.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38635 (GCVE-0-2025-38635)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-11-03 17:40

Title

clk: davinci: Add NULL check in davinci_lpsc_clk_register()

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: davinci: Add NULL check in davinci_lpsc_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, davinci_lpsc_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensuring no resources are left allocated.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/77e9ad7a2d0e2a771…
	https://git.kernel.org/stable/c/7843412e5927dafbb…
	https://git.kernel.org/stable/c/2adc945b70c4d97e9…
	https://git.kernel.org/stable/c/105e8115944a9f93e…
	https://git.kernel.org/stable/c/1d92608a292512780…
	https://git.kernel.org/stable/c/7943ed1f05f5cb737…
	https://git.kernel.org/stable/c/6fb19cdcf040e1dec…
	https://git.kernel.org/stable/c/23f564326deaafacf…
	https://git.kernel.org/stable/c/13de464f445d42738…

Impacted products

Vendor

Product

Version

Linux

Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 7843412e5927dafbb844782c56b6380564064109 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 2adc945b70c4d97e9491a6c0c9f3b217a9eecfba (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 105e8115944a9f93e9412abe7bb07ed96725adf9 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 1d92608a29251278015f57f3572bc950db7519f0 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 7943ed1f05f5cb7372dca2aa227f848747a98791 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 6fb19cdcf040e1dec052a9032acb66cc2ad1d43f (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 23f564326deaafacfd7adf6104755b15216d8320 (git)
Affected: c6ed4d734bc7f731709dab0ffd69eed499dd5277 , < 13de464f445d42738fe18c9a28bab056ba3a290a (git)

Linux

Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:38.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/davinci/psc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "7843412e5927dafbb844782c56b6380564064109",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "2adc945b70c4d97e9491a6c0c9f3b217a9eecfba",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "105e8115944a9f93e9412abe7bb07ed96725adf9",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "1d92608a29251278015f57f3572bc950db7519f0",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "7943ed1f05f5cb7372dca2aa227f848747a98791",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "6fb19cdcf040e1dec052a9032acb66cc2ad1d43f",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "23f564326deaafacfd7adf6104755b15216d8320",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            },
            {
              "lessThan": "13de464f445d42738fe18c9a28bab056ba3a290a",
              "status": "affected",
              "version": "c6ed4d734bc7f731709dab0ffd69eed499dd5277",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/davinci/psc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: davinci: Add NULL check in davinci_lpsc_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ndavinci_lpsc_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensuring\nno resources are left allocated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:14.546Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13"
        },
        {
          "url": "https://git.kernel.org/stable/c/7843412e5927dafbb844782c56b6380564064109"
        },
        {
          "url": "https://git.kernel.org/stable/c/2adc945b70c4d97e9491a6c0c9f3b217a9eecfba"
        },
        {
          "url": "https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d92608a29251278015f57f3572bc950db7519f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7943ed1f05f5cb7372dca2aa227f848747a98791"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fb19cdcf040e1dec052a9032acb66cc2ad1d43f"
        },
        {
          "url": "https://git.kernel.org/stable/c/23f564326deaafacfd7adf6104755b15216d8320"
        },
        {
          "url": "https://git.kernel.org/stable/c/13de464f445d42738fe18c9a28bab056ba3a290a"
        }
      ],
      "title": "clk: davinci: Add NULL check in davinci_lpsc_clk_register()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38635",
    "datePublished": "2025-08-22T16:00:43.181Z",
    "dateReserved": "2025-04-16T04:51:24.030Z",
    "dateUpdated": "2025-11-03T17:40:38.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21722 (GCVE-0-2025-21722)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

nilfs2: do not force clear folio if buffer is referenced

Summary

In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue. This patch (of 2): Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to read-only, inconsistencies in the buffer state may occur. One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty() to set a data or metadata buffer as dirty, but it detects that the buffer is not in the uptodate state: WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520 fs/buffer.c:1177 ... Call Trace: <TASK> nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598 nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73 nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344 nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 do_mkdirat+0x264/0x3a0 fs/namei.c:4280 __do_sys_mkdirat fs/namei.c:4295 [inline] __se_sys_mkdirat fs/namei.c:4293 [inline] __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The other is when nilfs_btree_propagate(), which propagates the dirty state to the ancestor nodes of a b-tree that point to a dirty buffer, detects that the origin buffer is not dirty, even though it should be: WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089 nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089 ... Call Trace: <TASK> nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345 nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587 nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006 nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline] nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline] nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115 nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline] nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Both of these issues are caused by the callbacks that handle the page/folio write requests, forcibly clear various states, including the working state of the buffers they hold, at unexpected times when they detect read-only fallback. Fix these issues by checking if the buffer is referenced before clearing the page/folio state, and skipping the clear if it is.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7d0544bacc11d6aa2…
	https://git.kernel.org/stable/c/4d042811c72f71be7…
	https://git.kernel.org/stable/c/f51ff43c4c5a6c8e7…
	https://git.kernel.org/stable/c/19296737024cd220a…
	https://git.kernel.org/stable/c/1098bb8d52419d262…
	https://git.kernel.org/stable/c/557ccf5e49f1fb848…
	https://git.kernel.org/stable/c/ca76bb226bf47ff04…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 7d0544bacc11d6aa26ecd7debf9353193c7a3328 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 4d042811c72f71be7c14726db2c72b67025a7cb5 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < f51ff43c4c5a6c8e72d0aca89e4d5e688938412f (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 19296737024cd220a1d6590bf4c092bca8c99497 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 1098bb8d52419d262a3358d099a1598a920b730f (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 557ccf5e49f1fb848a29698585bcab2e50a597ef (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < ca76bb226bf47ff04c782cacbd299f12ddee1ec1 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:37.739187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:30.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:21.865Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/page.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d0544bacc11d6aa26ecd7debf9353193c7a3328",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "4d042811c72f71be7c14726db2c72b67025a7cb5",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "f51ff43c4c5a6c8e72d0aca89e4d5e688938412f",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "19296737024cd220a1d6590bf4c092bca8c99497",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "1098bb8d52419d262a3358d099a1598a920b730f",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "557ccf5e49f1fb848a29698585bcab2e50a597ef",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "ca76bb226bf47ff04c782cacbd299f12ddee1ec1",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/page.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: do not force clear folio if buffer is referenced\n\nPatch series \"nilfs2: protect busy buffer heads from being force-cleared\".\n\nThis series fixes the buffer head state inconsistency issues reported by\nsyzbot that occurs when the filesystem is corrupted and falls back to\nread-only, and the associated buffer head use-after-free issue.\n\n\nThis patch (of 2):\n\nSyzbot has reported that after nilfs2 detects filesystem corruption and\nfalls back to read-only, inconsistencies in the buffer state may occur.\n\nOne of the inconsistencies is that when nilfs2 calls mark_buffer_dirty()\nto set a data or metadata buffer as dirty, but it detects that the buffer\nis not in the uptodate state:\n\n WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520\n  fs/buffer.c:1177\n ...\n Call Trace:\n  \u003cTASK\u003e\n  nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598\n  nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73\n  nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344\n  nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218\n  vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n  do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n  __do_sys_mkdirat fs/namei.c:4295 [inline]\n  __se_sys_mkdirat fs/namei.c:4293 [inline]\n  __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe other is when nilfs_btree_propagate(), which propagates the dirty\nstate to the ancestor nodes of a b-tree that point to a dirty buffer,\ndetects that the origin buffer is not dirty, even though it should be:\n\n WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089\n  nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089\n ...\n Call Trace:\n  \u003cTASK\u003e\n  nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345\n  nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587\n  nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006\n  nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045\n  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]\n  nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]\n  nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115\n  nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]\n  nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n  \u003c/TASK\u003e\n\nBoth of these issues are caused by the callbacks that handle the\npage/folio write requests, forcibly clear various states, including the\nworking state of the buffers they hold, at unexpected times when they\ndetect read-only fallback.\n\nFix these issues by checking if the buffer is referenced before clearing\nthe page/folio state, and skipping the clear if it is."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:46.489Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d0544bacc11d6aa26ecd7debf9353193c7a3328"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d042811c72f71be7c14726db2c72b67025a7cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f51ff43c4c5a6c8e72d0aca89e4d5e688938412f"
        },
        {
          "url": "https://git.kernel.org/stable/c/19296737024cd220a1d6590bf4c092bca8c99497"
        },
        {
          "url": "https://git.kernel.org/stable/c/1098bb8d52419d262a3358d099a1598a920b730f"
        },
        {
          "url": "https://git.kernel.org/stable/c/557ccf5e49f1fb848a29698585bcab2e50a597ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca76bb226bf47ff04c782cacbd299f12ddee1ec1"
        }
      ],
      "title": "nilfs2: do not force clear folio if buffer is referenced",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21722",
    "datePublished": "2025-02-27T02:07:30.387Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-11-03T19:36:21.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39801 (GCVE-0-2025-39801)

Vulnerability from cvelistv5 – Published: 2025-09-15 12:36 – Updated: 2026-01-02 15:32

Title

usb: dwc3: Remove WARN_ON for device endpoint command timeouts

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed: 1. Connect ======= ->dwc3_thread_interrupt ->dwc3_ep0_interrupt ->configfs_composite_setup ->composite_setup ->usb_ep_queue ->dwc3_gadget_ep0_queue ->__dwc3_gadget_ep0_queue ->__dwc3_ep0_do_control_data ->dwc3_send_gadget_ep_cmd 2. Disconnect ========== ->dwc3_thread_interrupt ->dwc3_gadget_disconnect_interrupt ->dwc3_ep0_reset_state ->dwc3_ep0_end_control_data ->dwc3_send_gadget_ep_cmd In the issue scenario, in Exynos platforms, we observed that control transfers for the previous connect have not yet been completed and end transfer command sent as a part of the disconnect sequence and processing of USB_ENDPOINT_HALT feature request from the host timeout. This maybe an expected scenario since the controller is processing EP commands sent as a part of the previous connect. It maybe better to remove WARN_ON in all places where device endpoint commands are sent to avoid unnecessary kernel panic due to warn.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dfe40159eec6ca63b…
	https://git.kernel.org/stable/c/5a1a847d841505dba…
	https://git.kernel.org/stable/c/84c95dbf5bece5608…
	https://git.kernel.org/stable/c/f49697dfba2915a9f…
	https://git.kernel.org/stable/c/db27482b9db340402…
	https://git.kernel.org/stable/c/45eae113dccaf8e50…

Impacted products

Vendor

Product

Version

Linux

Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < dfe40159eec6ca63b40133bfa783eee2e3ed829f (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 5a1a847d841505dba2bd85602daf5c218e1d85b8 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 84c95dbf5bece56086cdb65a64162af35158bdd9 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < f49697dfba2915a9ff36f94604eb76fa61413929 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < db27482b9db340402e05d4e9b75352bbaca51af2 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 45eae113dccaf8e502090ecf5b3d9e9b805add6f (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:31.805Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/ep0.c",
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfe40159eec6ca63b40133bfa783eee2e3ed829f",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "5a1a847d841505dba2bd85602daf5c218e1d85b8",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "84c95dbf5bece56086cdb65a64162af35158bdd9",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "f49697dfba2915a9ff36f94604eb76fa61413929",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "db27482b9db340402e05d4e9b75352bbaca51af2",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "45eae113dccaf8e502090ecf5b3d9e9b805add6f",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/ep0.c",
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when \u0027panic_on_warn\u0027 is enabled\nand unnecessary call trace prints when \u0027panic_on_warn\u0027 is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n   =======\n-\u003edwc3_thread_interrupt\n -\u003edwc3_ep0_interrupt\n  -\u003econfigfs_composite_setup\n   -\u003ecomposite_setup\n    -\u003eusb_ep_queue\n     -\u003edwc3_gadget_ep0_queue\n      -\u003e__dwc3_gadget_ep0_queue\n       -\u003e__dwc3_ep0_do_control_data\n        -\u003edwc3_send_gadget_ep_cmd\n\n2. Disconnect\n   ==========\n-\u003edwc3_thread_interrupt\n -\u003edwc3_gadget_disconnect_interrupt\n  -\u003edwc3_ep0_reset_state\n   -\u003edwc3_ep0_end_control_data\n    -\u003edwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed and end\ntransfer command sent as a part of the disconnect sequence and\nprocessing of USB_ENDPOINT_HALT feature request from the host timeout.\nThis maybe an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It maybe better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:32:27.861Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a1a847d841505dba2bd85602daf5c218e1d85b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/84c95dbf5bece56086cdb65a64162af35158bdd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f49697dfba2915a9ff36f94604eb76fa61413929"
        },
        {
          "url": "https://git.kernel.org/stable/c/db27482b9db340402e05d4e9b75352bbaca51af2"
        },
        {
          "url": "https://git.kernel.org/stable/c/45eae113dccaf8e502090ecf5b3d9e9b805add6f"
        }
      ],
      "title": "usb: dwc3: Remove WARN_ON for device endpoint command timeouts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39801",
    "datePublished": "2025-09-15T12:36:43.936Z",
    "dateReserved": "2025-04-16T07:20:57.134Z",
    "dateUpdated": "2026-01-02T15:32:27.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38460 (GCVE-0-2025-38460)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

atm: clip: Fix potential null-ptr-deref in to_atmarpd().

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a4c5785feb979cd99…
	https://git.kernel.org/stable/c/70eac9ba7ce25d99c…
	https://git.kernel.org/stable/c/3251ce3979f41bd22…
	https://git.kernel.org/stable/c/ee4d9e4ddf3f9c4ee…
	https://git.kernel.org/stable/c/06935c50cfa3ac57c…
	https://git.kernel.org/stable/c/36caab990b69ef4ee…
	https://git.kernel.org/stable/c/f58e4270c73e7f086…
	https://git.kernel.org/stable/c/706cc36477139c161…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4c5785feb979cd996a99cfaad8bf353b2e79301 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 70eac9ba7ce25d99c1d99bbf4ddb058940f631f9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3251ce3979f41bd228f77a7615f9dd616d06a110 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 06935c50cfa3ac57cce80bba67b6d38ec1406e92 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 36caab990b69ef4eec1d81c52a19f080b7daa059 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f58e4270c73e7f086322978d585ea67c8076ce49 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 706cc36477139c1616a9b2b96610a8bb520b7119 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:19.880Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4c5785feb979cd996a99cfaad8bf353b2e79301",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "70eac9ba7ce25d99c1d99bbf4ddb058940f631f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3251ce3979f41bd228f77a7615f9dd616d06a110",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "06935c50cfa3ac57cce80bba67b6d38ec1406e92",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "36caab990b69ef4eec1d81c52a19f080b7daa059",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f58e4270c73e7f086322978d585ea67c8076ce49",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "706cc36477139c1616a9b2b96610a8bb520b7119",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/clip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix potential null-ptr-deref in to_atmarpd().\n\natmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip\ncauses unregister hang\").\n\nHowever, it is not enough because to_atmarpd() is called without RTNL,\nespecially clip_neigh_solicit() / neigh_ops-\u003esolicit() is unsleepable.\n\nAlso, there is no RTNL dependency around atmarpd.\n\nLet\u0027s use a private mutex and RCU to protect access to atmarpd in\nto_atmarpd()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:06.309Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4c5785feb979cd996a99cfaad8bf353b2e79301"
        },
        {
          "url": "https://git.kernel.org/stable/c/70eac9ba7ce25d99c1d99bbf4ddb058940f631f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3251ce3979f41bd228f77a7615f9dd616d06a110"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57"
        },
        {
          "url": "https://git.kernel.org/stable/c/06935c50cfa3ac57cce80bba67b6d38ec1406e92"
        },
        {
          "url": "https://git.kernel.org/stable/c/36caab990b69ef4eec1d81c52a19f080b7daa059"
        },
        {
          "url": "https://git.kernel.org/stable/c/f58e4270c73e7f086322978d585ea67c8076ce49"
        },
        {
          "url": "https://git.kernel.org/stable/c/706cc36477139c1616a9b2b96610a8bb520b7119"
        }
      ],
      "title": "atm: clip: Fix potential null-ptr-deref in to_atmarpd().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38460",
    "datePublished": "2025-07-25T15:27:38.608Z",
    "dateReserved": "2025-04-16T04:51:24.019Z",
    "dateUpdated": "2025-11-03T17:38:19.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38676 (GCVE-0-2025-38676)

Vulnerability from cvelistv5 – Published: 2025-08-26 13:07 – Updated: 2025-11-03 17:40

Title

iommu/amd: Avoid stack buffer overflow from kernel cmdline

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a732502bf3bbe8596…
	https://git.kernel.org/stable/c/0ad8509b468fa1058…
	https://git.kernel.org/stable/c/9ff52d3af0ef28653…
	https://git.kernel.org/stable/c/8f80c633cba144f72…
	https://git.kernel.org/stable/c/4bdb0f78bddbfa77d…
	https://git.kernel.org/stable/c/736db11c86f03e717…
	https://git.kernel.org/stable/c/8503d0fcb1086a7cf…

Impacted products

Vendor

Product

Version

Linux

Affected: f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9 , < a732502bf3bbe859613b6d7b2b0313b11f0474ac (git)
Affected: c513043e0afe6a8ba79d00af358655afabb576d2 , < 0ad8509b468fa1058f4f400a1829f29e4ccc4de8 (git)
Affected: 2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60 , < 9ff52d3af0ef286535749e14e3fe9eceb39a8349 (git)
Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 8f80c633cba144f721d38d9380f23d23ab7db10e (git)
Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 4bdb0f78bddbfa77d3ab458a21dd9cec495d317a (git)
Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 736db11c86f03e717fc4bf771d05efdf10d23acb (git)
Affected: b6b26d86c61c441144c72f842f7469bb686e1211 , < 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec (git)
Affected: 5e97dc748d13fad582136ba0c8cec215c7aeeb17 (git)
Affected: 63cd11165e5e0ea2012254c764003eda1f9adb7d (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.44 , ≤ 6.12.* (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:59.770Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/amd/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a732502bf3bbe859613b6d7b2b0313b11f0474ac",
              "status": "affected",
              "version": "f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9",
              "versionType": "git"
            },
            {
              "lessThan": "0ad8509b468fa1058f4f400a1829f29e4ccc4de8",
              "status": "affected",
              "version": "c513043e0afe6a8ba79d00af358655afabb576d2",
              "versionType": "git"
            },
            {
              "lessThan": "9ff52d3af0ef286535749e14e3fe9eceb39a8349",
              "status": "affected",
              "version": "2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60",
              "versionType": "git"
            },
            {
              "lessThan": "8f80c633cba144f721d38d9380f23d23ab7db10e",
              "status": "affected",
              "version": "b6b26d86c61c441144c72f842f7469bb686e1211",
              "versionType": "git"
            },
            {
              "lessThan": "4bdb0f78bddbfa77d3ab458a21dd9cec495d317a",
              "status": "affected",
              "version": "b6b26d86c61c441144c72f842f7469bb686e1211",
              "versionType": "git"
            },
            {
              "lessThan": "736db11c86f03e717fc4bf771d05efdf10d23acb",
              "status": "affected",
              "version": "b6b26d86c61c441144c72f842f7469bb686e1211",
              "versionType": "git"
            },
            {
              "lessThan": "8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec",
              "status": "affected",
              "version": "b6b26d86c61c441144c72f842f7469bb686e1211",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5e97dc748d13fad582136ba0c8cec215c7aeeb17",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "63cd11165e5e0ea2012254c764003eda1f9adb7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/amd/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.175",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.1.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Avoid stack buffer overflow from kernel cmdline\n\nWhile the kernel command line is considered trusted in most environments,\navoid writing 1 byte past the end of \"acpiid\" if the \"str\" argument is\nmaximum length."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:46.029Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a732502bf3bbe859613b6d7b2b0313b11f0474ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ad8509b468fa1058f4f400a1829f29e4ccc4de8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ff52d3af0ef286535749e14e3fe9eceb39a8349"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f80c633cba144f721d38d9380f23d23ab7db10e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bdb0f78bddbfa77d3ab458a21dd9cec495d317a"
        },
        {
          "url": "https://git.kernel.org/stable/c/736db11c86f03e717fc4bf771d05efdf10d23acb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec"
        }
      ],
      "title": "iommu/amd: Avoid stack buffer overflow from kernel cmdline",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38676",
    "datePublished": "2025-08-26T13:07:48.761Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-11-03T17:40:59.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38608 (GCVE-0-2025-38608)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40

Title

bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete "Application Data" packet, leading to errors on the receiving end when parsing TLS record.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6ba20ff3cdb96a908…
	https://git.kernel.org/stable/c/849d24dc5aed45ebe…
	https://git.kernel.org/stable/c/73fc5d04009d3969f…
	https://git.kernel.org/stable/c/16aca8bb4ad0d8a13…
	https://git.kernel.org/stable/c/0e853c1464bcf6120…
	https://git.kernel.org/stable/c/ee03766d79de0f61e…
	https://git.kernel.org/stable/c/90d6ef67440cec2a0…
	https://git.kernel.org/stable/c/1e480387d4b42776f…
	https://git.kernel.org/stable/c/178f6a5c8cb3b6be1…

Impacted products

Vendor

Product

Version

Linux

Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 6ba20ff3cdb96a908b9dc93cf247d0b087672e7c (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 849d24dc5aed45ebeb3490df429356739256ac40 (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 73fc5d04009d3969ff8e8574f0fd769f04124e59 (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 0e853c1464bcf61207f8b5c32d2ac5ee495e859d (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 90d6ef67440cec2a0aad71a0108c8f216437345c (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 1e480387d4b42776f8957fb148af9d75ce93b96d (git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 178f6a5c8cb3b6be1602de0964cd440243f493c9 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:21.692Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ba20ff3cdb96a908b9dc93cf247d0b087672e7c",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "849d24dc5aed45ebeb3490df429356739256ac40",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "73fc5d04009d3969ff8e8574f0fd769f04124e59",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "0e853c1464bcf61207f8b5c32d2ac5ee495e859d",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "90d6ef67440cec2a0aad71a0108c8f216437345c",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "1e480387d4b42776f8957fb148af9d75ce93b96d",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "178f6a5c8cb3b6be1602de0964cd440243f493c9",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n\nWhen sending plaintext data, we initially calculated the corresponding\nciphertext length. However, if we later reduced the plaintext data length\nvia socket policy, we failed to recalculate the ciphertext length.\n\nThis results in transmitting buffers containing uninitialized data during\nciphertext transmission.\n\nThis causes uninitialized bytes to be appended after a complete\n\"Application Data\" packet, leading to errors on the receiving end when\nparsing TLS record."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:42.829Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ba20ff3cdb96a908b9dc93cf247d0b087672e7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/849d24dc5aed45ebeb3490df429356739256ac40"
        },
        {
          "url": "https://git.kernel.org/stable/c/73fc5d04009d3969ff8e8574f0fd769f04124e59"
        },
        {
          "url": "https://git.kernel.org/stable/c/16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e853c1464bcf61207f8b5c32d2ac5ee495e859d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e"
        },
        {
          "url": "https://git.kernel.org/stable/c/90d6ef67440cec2a0aad71a0108c8f216437345c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e480387d4b42776f8957fb148af9d75ce93b96d"
        },
        {
          "url": "https://git.kernel.org/stable/c/178f6a5c8cb3b6be1602de0964cd440243f493c9"
        }
      ],
      "title": "bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38608",
    "datePublished": "2025-08-19T17:03:51.688Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-11-03T17:40:21.692Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38718 (GCVE-0-2025-38718)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41

Title

sctp: linearize cloned gso packets in sctp_rcv

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d0194e391bb493aa6…
	https://git.kernel.org/stable/c/03d0cc6889e024201…
	https://git.kernel.org/stable/c/cd0e92bb2b7542fb9…
	https://git.kernel.org/stable/c/ea094f38d387d1b0d…
	https://git.kernel.org/stable/c/7d757f17bc2ef2727…
	https://git.kernel.org/stable/c/fc66772607101bd20…
	https://git.kernel.org/stable/c/1bd5214ea681584c5…
	https://git.kernel.org/stable/c/fd60d8a086191fe33…

Impacted products

Vendor

Product

Version

Linux

Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < d0194e391bb493aa6cec56d177b14df6b29188d5 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03d0cc6889e02420125510b5444b570f4bbf53d5 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cd0e92bb2b7542fb96397ffac639b4f5b099d0cb (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < ea094f38d387d1b0ded5dee4a3e5720aa4ce0139 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7d757f17bc2ef2727994ffa6d5d6e4bc4789a770 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < fc66772607101bd2030a4332b3bd0ea3b3605250 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 1bd5214ea681584c5886fea3ba03e49f93a43c0e (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < fd60d8a086191fe33c2d719732d2482052fa6805 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:41:48.713Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0194e391bb493aa6cec56d177b14df6b29188d5",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "03d0cc6889e02420125510b5444b570f4bbf53d5",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "cd0e92bb2b7542fb96397ffac639b4f5b099d0cb",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "ea094f38d387d1b0ded5dee4a3e5720aa4ce0139",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "7d757f17bc2ef2727994ffa6d5d6e4bc4789a770",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "fc66772607101bd2030a4332b3bd0ea3b3605250",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "1bd5214ea681584c5886fea3ba03e49f93a43c0e",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "fd60d8a086191fe33c2d719732d2482052fa6805",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: linearize cloned gso packets in sctp_rcv\n\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. It\u0027s not safe to access these frag skbs.\n\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\n\n  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\n   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\n   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n   __release_sock+0x1da/0x330 net/core/sock.c:3106\n   release_sock+0x6b/0x250 net/core/sock.c:3660\n   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\n   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\n   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\n   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n\nand\n\n  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\n   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n   __release_sock+0x1d3/0x330 net/core/sock.c:3213\n   release_sock+0x6b/0x270 net/core/sock.c:3767\n   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\n   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\n   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\n   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:712 [inline]\n\nThis patch fixes it by linearizing cloned gso packets in sctp_rcv()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:56:42.147Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805"
        }
      ],
      "title": "sctp: linearize cloned gso packets in sctp_rcv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38718",
    "datePublished": "2025-09-04T15:33:12.448Z",
    "dateReserved": "2025-04-16T04:51:24.033Z",
    "dateUpdated": "2025-11-03T17:41:48.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38558 (GCVE-0-2025-38558)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53

Title

usb: gadget: uvc: Initialize frame-based format color matching descriptor

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Initialize frame-based format color matching descriptor Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color matching descriptor for frame-based format which was added in commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching descriptors") that added handling for uncompressed and mjpeg format. Crash is seen when userspace configuration (via configfs) does not explicitly define the color matching descriptor. If color_matching is not found, config_group_find_item() returns NULL. The code then jumps to out_put_cm, where it calls config_item_put(color_matching);. If color_matching is NULL, this will dereference a null pointer, leading to a crash. [ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c [ 2.756273] Mem abort info: [ 2.760080] ESR = 0x0000000096000005 [ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.771068] SET = 0, FnV = 0 [ 2.771069] EA = 0, S1PTW = 0 [ 2.771070] FSC = 0x05: level 1 translation fault [ 2.771071] Data abort info: [ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000 [ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 2.771084] Dumping ftrace buffer: [ 2.771085] (ftrace buffer empty) [ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15 [ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT) [ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc [ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771146] sp : ffffffc08140bbb0 [ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250 [ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768 [ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48 [ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00 [ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250 [ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615 [ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0 [ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a [ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000 [ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000 [ 2.771156] Call trace: [ 2.771157] __uvcg_fill_strm+0x198/0x2cc [ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290 [ 2.771159] configfs_symlink+0x1f8/0x630 [ 2.771161] vfs_symlink+0x114/0x1a0 [ 2.771163] do_symlinkat+0x94/0x28c [ 2.771164] __arm64_sys_symlinkat+0x54/0x70 [ 2.771164] invoke_syscall+0x58/0x114 [ 2.771166] el0_svc_common+0x80/0xe0 [ 2.771168] do_el0_svc+0x1c/0x28 [ 2.771169] el0_svc+0x3c/0x70 [ 2.771172] el0t_64_sync_handler+0x68/0xbc [ 2.771173] el0t_64_sync+0x1a8/0x1ac Initialize color matching descriptor for frame-based format to prevent NULL pointer crash by mirroring the handling done for uncompressed and mjpeg formats.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6db61c1aa23075eee…
	https://git.kernel.org/stable/c/7f8576fc9d1a203d1…
	https://git.kernel.org/stable/c/323a80a1a5ace319a…

Impacted products

Vendor

Product

Version

Linux

Affected: 7b5a58952fc3b51905c2963647485565df1e5e26 , < 6db61c1aa23075eeee90e083ca3f6567a5635da6 (git)
Affected: 7b5a58952fc3b51905c2963647485565df1e5e26 , < 7f8576fc9d1a203d12474bf52710c7af68cae490 (git)
Affected: 7b5a58952fc3b51905c2963647485565df1e5e26 , < 323a80a1a5ace319a722909c006d5bdb2a35d273 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/uvc_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6db61c1aa23075eeee90e083ca3f6567a5635da6",
              "status": "affected",
              "version": "7b5a58952fc3b51905c2963647485565df1e5e26",
              "versionType": "git"
            },
            {
              "lessThan": "7f8576fc9d1a203d12474bf52710c7af68cae490",
              "status": "affected",
              "version": "7b5a58952fc3b51905c2963647485565df1e5e26",
              "versionType": "git"
            },
            {
              "lessThan": "323a80a1a5ace319a722909c006d5bdb2a35d273",
              "status": "affected",
              "version": "7b5a58952fc3b51905c2963647485565df1e5e26",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/uvc_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[    2.756273] Mem abort info:\n[    2.760080]   ESR = 0x0000000096000005\n[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.771068]   SET = 0, FnV = 0\n[    2.771069]   EA = 0, S1PTW = 0\n[    2.771070]   FSC = 0x05: level 1 translation fault\n[    2.771071] Data abort info:\n[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[    2.771084] Dumping ftrace buffer:\n[    2.771085]    (ftrace buffer empty)\n[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15\n[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771146] sp : ffffffc08140bbb0\n[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[    2.771156] Call trace:\n[    2.771157]  __uvcg_fill_strm+0x198/0x2cc\n[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290\n[    2.771159]  configfs_symlink+0x1f8/0x630\n[    2.771161]  vfs_symlink+0x114/0x1a0\n[    2.771163]  do_symlinkat+0x94/0x28c\n[    2.771164]  __arm64_sys_symlinkat+0x54/0x70\n[    2.771164]  invoke_syscall+0x58/0x114\n[    2.771166]  el0_svc_common+0x80/0xe0\n[    2.771168]  do_el0_svc+0x1c/0x28\n[    2.771169]  el0_svc+0x3c/0x70\n[    2.771172]  el0t_64_sync_handler+0x68/0xbc\n[    2.771173]  el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:45.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490"
        },
        {
          "url": "https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273"
        }
      ],
      "title": "usb: gadget: uvc: Initialize frame-based format color matching descriptor",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38558",
    "datePublished": "2025-08-19T17:02:36.355Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-09-29T05:53:45.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38489 (GCVE-0-2025-38489)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-07-28 11:21

Title

s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c7b20f7785cfdd59…
	https://git.kernel.org/stable/c/d5629d1af0600f8cc…
	https://git.kernel.org/stable/c/a4f9c7846b1ac4289…
	https://git.kernel.org/stable/c/6a5abf8cf182f577c…

Impacted products

Vendor

Product

Version

Linux

Affected: c3062bdb859b6e2567e7f5c8cde20c0250bb130f , < 0c7b20f7785cfdd59403333612c90b458b12307c (git)
Affected: 7ded842b356d151ece8ac4985940438e6d3998bb , < d5629d1af0600f8cc7c9245e8d832a66358ef889 (git)
Affected: 7ded842b356d151ece8ac4985940438e6d3998bb , < a4f9c7846b1ac428921ce9676b1b8c80ed60093c (git)
Affected: 7ded842b356d151ece8ac4985940438e6d3998bb , < 6a5abf8cf182f577c7ae6c62f14debc9754ec986 (git)
Affected: d3d74e45a060d218fe4b0c9174f0a77517509d8e (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c7b20f7785cfdd59403333612c90b458b12307c",
              "status": "affected",
              "version": "c3062bdb859b6e2567e7f5c8cde20c0250bb130f",
              "versionType": "git"
            },
            {
              "lessThan": "d5629d1af0600f8cc7c9245e8d832a66358ef889",
              "status": "affected",
              "version": "7ded842b356d151ece8ac4985940438e6d3998bb",
              "versionType": "git"
            },
            {
              "lessThan": "a4f9c7846b1ac428921ce9676b1b8c80ed60093c",
              "status": "affected",
              "version": "7ded842b356d151ece8ac4985940438e6d3998bb",
              "versionType": "git"
            },
            {
              "lessThan": "6a5abf8cf182f577c7ae6c62f14debc9754ec986",
              "status": "affected",
              "version": "7ded842b356d151ece8ac4985940438e6d3998bb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d3d74e45a060d218fe4b0c9174f0a77517509d8e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/net/bpf_jit_comp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again\n\nCommit 7ded842b356d (\"s390/bpf: Fix bpf_plt pointer arithmetic\") has\naccidentally removed the critical piece of commit c730fce7c70c\n(\"s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL\"), causing\nintermittent kernel panics in e.g. perf\u0027s on_switch() prog to reappear.\n\nRestore the fix and add a comment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:53.024Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c7b20f7785cfdd59403333612c90b458b12307c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5629d1af0600f8cc7c9245e8d832a66358ef889"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4f9c7846b1ac428921ce9676b1b8c80ed60093c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5abf8cf182f577c7ae6c62f14debc9754ec986"
        }
      ],
      "title": "s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38489",
    "datePublished": "2025-07-28T11:21:53.024Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-07-28T11:21:53.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38619 (GCVE-0-2025-38619)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2025-09-29 05:54

Title

media: ti: j721e-csi2rx: fix list_del corruption

Summary

In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: fix list_del corruption If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. This causes the same buffer to be retried in the next iteration, resulting in a double list_del() and eventual list corruption. Fix this by removing the buffer from the queue before calling vb2_buffer_done() on error. This resolves a crash due to list_del corruption: [ 37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA [ 37.832187] slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048 [ 37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428) [ 37.850799] ------------[ cut here ]------------ [ 37.855424] kernel BUG at lib/list_debug.c:65! [ 37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul [ 37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY [ 37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT) [ 37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.914059] sp : ffff800080003db0 [ 37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000 [ 37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122 [ 37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0 [ 37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a [ 37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720 [ 37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea [ 37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568 [ 37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff [ 37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000 [ 37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d [ 37.988832] Call trace: [ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P) [ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4 [ 38.001419] udma_vchan_complete+0x1e0/0x344 [ 38.005705] tasklet_action_common+0x118/0x310 [ 38.010163] tasklet_action+0x30/0x3c [ 38.013832] handle_softirqs+0x10c/0x2e0 [ 38.017761] __do_softirq+0x14/0x20 [ 38.021256] ____do_softirq+0x10/0x20 [ 38.024931] call_on_irq_stack+0x24/0x60 [ 38.028873] do_softirq_own_stack+0x1c/0x40 [ 38.033064] __irq_exit_rcu+0x130/0x15c [ 38.036909] irq_exit_rcu+0x10/0x20 [ 38.040403] el1_interrupt+0x38/0x60 [ 38.043987] el1h_64_irq_handler+0x18/0x24 [ 38.048091] el1h_64_irq+0x6c/0x70 [ 38.051501] default_idle_call+0x34/0xe0 (P) [ 38.055783] do_idle+0x1f8/0x250 [ 38.059021] cpu_startup_entry+0x34/0x3c [ 38.062951] rest_init+0xb4/0xc0 [ 38.066186] console_on_rootfs+0x0/0x6c [ 38.070031] __primary_switched+0x88/0x90 [ 38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000) [ 38.080168] ---[ end trace 0000000000000000 ]--- [ 38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt [ 38.092197] SMP: stopping secondary CPUs [ 38.096139] Kernel Offset: disabled [ 38.099631] CPU features: 0x0000,00002000,02000801,0400420b [ 38.105202] Memory Limit: none [ 38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/68e5579f4de12207b…
	https://git.kernel.org/stable/c/92d0188f36ca8082a…
	https://git.kernel.org/stable/c/a4a8cb0889927d59e…
	https://git.kernel.org/stable/c/ae42c6fe531425ef2…

Impacted products

Vendor

Product

Version

Linux

Affected: b4a3d877dc92963a4db16ddb71df3d333c0d40bd , < 68e5579f4de12207b23c41b44a4c0778b6c2858f (git)
Affected: b4a3d877dc92963a4db16ddb71df3d333c0d40bd , < 92d0188f36ca8082af7989d743eb5b44c2d259f7 (git)
Affected: b4a3d877dc92963a4db16ddb71df3d333c0d40bd , < a4a8cb0889927d59ebd839458c8f038bc5298ef9 (git)
Affected: b4a3d877dc92963a4db16ddb71df3d333c0d40bd , < ae42c6fe531425ef2f47e82f96851427d24bbf6b (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "68e5579f4de12207b23c41b44a4c0778b6c2858f",
              "status": "affected",
              "version": "b4a3d877dc92963a4db16ddb71df3d333c0d40bd",
              "versionType": "git"
            },
            {
              "lessThan": "92d0188f36ca8082af7989d743eb5b44c2d259f7",
              "status": "affected",
              "version": "b4a3d877dc92963a4db16ddb71df3d333c0d40bd",
              "versionType": "git"
            },
            {
              "lessThan": "a4a8cb0889927d59ebd839458c8f038bc5298ef9",
              "status": "affected",
              "version": "b4a3d877dc92963a4db16ddb71df3d333c0d40bd",
              "versionType": "git"
            },
            {
              "lessThan": "ae42c6fe531425ef2f47e82f96851427d24bbf6b",
              "status": "affected",
              "version": "b4a3d877dc92963a4db16ddb71df3d333c0d40bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: fix list_del corruption\n\nIf ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is\nmarked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.\nThis causes the same buffer to be retried in the next iteration, resulting\nin a double list_del() and eventual list corruption.\n\nFix this by removing the buffer from the queue before calling\nvb2_buffer_done() on error.\n\nThis resolves a crash due to list_del corruption:\n[   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA\n[   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048\n[   37.839761] list_del corruption. next-\u003eprev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)\n[   37.850799] ------------[ cut here ]------------\n[   37.855424] kernel BUG at lib/list_debug.c:65!\n[   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul\n[   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY\n[   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)\n[   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.914059] sp : ffff800080003db0\n[   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000\n[   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122\n[   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0\n[   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a\n[   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720\n[   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea\n[   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568\n[   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff\n[   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000\n[   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d\n[   37.988832] Call trace:\n[   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)\n[   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4\n[   38.001419]  udma_vchan_complete+0x1e0/0x344\n[   38.005705]  tasklet_action_common+0x118/0x310\n[   38.010163]  tasklet_action+0x30/0x3c\n[   38.013832]  handle_softirqs+0x10c/0x2e0\n[   38.017761]  __do_softirq+0x14/0x20\n[   38.021256]  ____do_softirq+0x10/0x20\n[   38.024931]  call_on_irq_stack+0x24/0x60\n[   38.028873]  do_softirq_own_stack+0x1c/0x40\n[   38.033064]  __irq_exit_rcu+0x130/0x15c\n[   38.036909]  irq_exit_rcu+0x10/0x20\n[   38.040403]  el1_interrupt+0x38/0x60\n[   38.043987]  el1h_64_irq_handler+0x18/0x24\n[   38.048091]  el1h_64_irq+0x6c/0x70\n[   38.051501]  default_idle_call+0x34/0xe0 (P)\n[   38.055783]  do_idle+0x1f8/0x250\n[   38.059021]  cpu_startup_entry+0x34/0x3c\n[   38.062951]  rest_init+0xb4/0xc0\n[   38.066186]  console_on_rootfs+0x0/0x6c\n[   38.070031]  __primary_switched+0x88/0x90\n[   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)\n[   38.080168] ---[ end trace 0000000000000000 ]---\n[   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt\n[   38.092197] SMP: stopping secondary CPUs\n[   38.096139] Kernel Offset: disabled\n[   38.099631] CPU features: 0x0000,00002000,02000801,0400420b\n[   38.105202] Memory Limit: none\n[   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:54.550Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/68e5579f4de12207b23c41b44a4c0778b6c2858f"
        },
        {
          "url": "https://git.kernel.org/stable/c/92d0188f36ca8082af7989d743eb5b44c2d259f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4a8cb0889927d59ebd839458c8f038bc5298ef9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae42c6fe531425ef2f47e82f96851427d24bbf6b"
        }
      ],
      "title": "media: ti: j721e-csi2rx: fix list_del corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38619",
    "datePublished": "2025-08-22T16:00:23.564Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:54:54.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38440 (GCVE-0-2025-38440)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-07-28 04:22

Title

net/mlx5e: Fix race between DIM disable and net_dim()

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race between DIM disable and net_dim() There's a race between disabling DIM and NAPI callbacks using the dim pointer on the RQ or SQ. If NAPI checks the DIM state bit and sees it still set, it assumes `rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after that check, the pointer might already be set to NULL, leading to a NULL pointer dereference in net_dim(). Fix this by calling `synchronize_net()` before freeing the DIM context. This ensures all in-progress NAPI callbacks are finished before the pointer is cleared. Kernel log: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:net_dim+0x23/0x190 ... Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? common_interrupt+0xf/0xa0 ? sysvec_call_function_single+0xb/0x90 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? net_dim+0x23/0x190 ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core] ? sysvec_apic_timer_interrupt+0xb/0x90 mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core] mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core] ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core] busy_poll_stop+0xa2/0x200 ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core] ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core] __napi_busy_loop+0x345/0x3b0 ? sysvec_call_function_single+0xb/0x90 ? asm_sysvec_call_function_single+0x16/0x20 ? sysvec_apic_timer_interrupt+0xb/0x90 ? pcpu_free_area+0x1e4/0x2e0 napi_busy_loop+0x11/0x20 xsk_recvmsg+0x10c/0x130 sock_recvmsg+0x44/0x70 __sys_recvfrom+0xbc/0x130 ? __schedule+0x398/0x890 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... ---[ end trace 0000000000000000 ]--- ... ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7581afc051542e11c…
	https://git.kernel.org/stable/c/2bc6fb90486e42dd8…
	https://git.kernel.org/stable/c/eb41a264a3a576dc0…

Impacted products

Vendor

Product

Version

Linux

Affected: 445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 , < 7581afc051542e11ccf3ade68acd01b7fb1a3cde (git)
Affected: 445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 , < 2bc6fb90486e42dd80e660ef7a40c02b2516c6d6 (git)
Affected: 445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 , < eb41a264a3a576dc040ee37c3d9d6b7e2d9be968 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_dim.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7581afc051542e11ccf3ade68acd01b7fb1a3cde",
              "status": "affected",
              "version": "445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68",
              "versionType": "git"
            },
            {
              "lessThan": "2bc6fb90486e42dd80e660ef7a40c02b2516c6d6",
              "status": "affected",
              "version": "445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68",
              "versionType": "git"
            },
            {
              "lessThan": "eb41a264a3a576dc040ee37c3d9d6b7e2d9be968",
              "status": "affected",
              "version": "445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_dim.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix race between DIM disable and net_dim()\n\nThere\u0027s a race between disabling DIM and NAPI callbacks using the dim\npointer on the RQ or SQ.\n\nIf NAPI checks the DIM state bit and sees it still set, it assumes\n`rq-\u003edim` or `sq-\u003edim` is valid. But if DIM gets disabled right after\nthat check, the pointer might already be set to NULL, leading to a NULL\npointer dereference in net_dim().\n\nFix this by calling `synchronize_net()` before freeing the DIM context.\nThis ensures all in-progress NAPI callbacks are finished before the\npointer is cleared.\n\nKernel log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:net_dim+0x23/0x190\n...\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? common_interrupt+0xf/0xa0\n ? sysvec_call_function_single+0xb/0x90\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? net_dim+0x23/0x190\n ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]\n ? sysvec_apic_timer_interrupt+0xb/0x90\n mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]\n mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]\n ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core]\n busy_poll_stop+0xa2/0x200\n ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core]\n ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core]\n __napi_busy_loop+0x345/0x3b0\n ? sysvec_call_function_single+0xb/0x90\n ? asm_sysvec_call_function_single+0x16/0x20\n ? sysvec_apic_timer_interrupt+0xb/0x90\n ? pcpu_free_area+0x1e4/0x2e0\n napi_busy_loop+0x11/0x20\n xsk_recvmsg+0x10c/0x130\n sock_recvmsg+0x44/0x70\n __sys_recvfrom+0xbc/0x130\n ? __schedule+0x398/0x890\n __x64_sys_recvfrom+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n...\n---[ end trace 0000000000000000 ]---\n...\n---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:22:15.952Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7581afc051542e11ccf3ade68acd01b7fb1a3cde"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bc6fb90486e42dd80e660ef7a40c02b2516c6d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb41a264a3a576dc040ee37c3d9d6b7e2d9be968"
        }
      ],
      "title": "net/mlx5e: Fix race between DIM disable and net_dim()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38440",
    "datePublished": "2025-07-25T15:27:19.447Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-07-28T04:22:15.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38352 (GCVE-0-2025-38352)

Vulnerability from cvelistv5 – Published: 2025-07-22 08:04 – Updated: 2026-01-07 15:03

Title

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

Summary

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/78a4b8e3795b31dae…
	https://git.kernel.org/stable/c/c076635b3a42771ac…
	https://git.kernel.org/stable/c/2f3daa04a9328220d…
	https://git.kernel.org/stable/c/764a7a5dfda23f699…
	https://git.kernel.org/stable/c/2c72fe18cc5f9f175…
	https://git.kernel.org/stable/c/c29d5318708e67ac1…
	https://git.kernel.org/stable/c/460188bc042a3f40f…
	https://git.kernel.org/stable/c/f90fff1e152dedf52…

Impacted products

Vendor

Product

Version

Linux

Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 78a4b8e3795b31dae58762bc091bb0f4f74a2200 (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c076635b3a42771ace7d276de8dc3bc76ee2ba1b (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 764a7a5dfda23f69919441f2eac2a83e7db6e5bb (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c29d5318708e67ac13c1b6fc1007d179fb65b4d7 (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 460188bc042a3f40f72d34b9f7fc6ee66b0b757b (git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < f90fff1e152dedf52b932240ebbd670d83330eca (git)

Linux

Affected: 2.6.36
Unaffected: 0 , < 2.6.36 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-38352",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-05T03:55:31.566379Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-09-04",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-367",
                "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T15:03:54.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/farazsth98/chronomaly"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:02.965Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/posix-cpu-timers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78a4b8e3795b31dae58762bc091bb0f4f74a2200",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "c076635b3a42771ace7d276de8dc3bc76ee2ba1b",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "2f3daa04a9328220de46f0d5c919a6c0073a9f0b",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "764a7a5dfda23f69919441f2eac2a83e7db6e5bb",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "c29d5318708e67ac13c1b6fc1007d179fb65b4d7",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "460188bc042a3f40f72d34b9f7fc6ee66b0b757b",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            },
            {
              "lessThan": "f90fff1e152dedf52b932240ebbd670d83330eca",
              "status": "affected",
              "version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/posix-cpu-timers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won\u0027t be\nable to detect timer-\u003eit.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk-\u003eexit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(\u0026tsk-\u003eposix_cputimers_work.work) will fail\nanyway in this case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:41.105Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200"
        },
        {
          "url": "https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca"
        }
      ],
      "title": "posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38352",
    "datePublished": "2025-07-22T08:04:25.277Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2026-01-07T15:03:54.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21729 (GCVE-0-2025-21729)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-05-04 07:19

Title

wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2403cb3c235d5e339…
	https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6…
	https://git.kernel.org/stable/c/ba4bb0402c60e945c…

Impacted products

Vendor

Product

Version

Linux

Affected: 895907779752606f6a4795abfc008509f8e38314 , < 2403cb3c235d5e339b580cc3a825493769fadca8 (git)
Affected: 895907779752606f6a4795abfc008509f8e38314 , < 5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67 (git)
Affected: 895907779752606f6a4795abfc008509f8e38314 , < ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:34.158732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.958Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/mac80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2403cb3c235d5e339b580cc3a825493769fadca8",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            },
            {
              "lessThan": "5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            },
            {
              "lessThan": "ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/mac80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev-\u003escanning flag isn\u0027t protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal-\u003ehw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n  \u003cTASK\u003e\n  ? show_regs+0x61/0x73\n  ? __die_body+0x20/0x73\n  ? die_addr+0x4f/0x7b\n  ? exc_general_protection+0x191/0x1db\n  ? asm_exc_general_protection+0x27/0x30\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx_do_raw_spin_lock+0x10/0x10\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n  ? _raw_spin_unlock+0xe/0x24\n  ? __mutex_lock.constprop.0+0x40c/0x471\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n  ? __mutex_lock_slowpath+0x13/0x1f\n  ? mutex_lock+0xa2/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\n  ieee80211_auth+0x18/0x27 [mac80211]\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? __kasan_check_write+0x14/0x22\n  ? mutex_lock+0x8e/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  ? __pfx___radix_tree_lookup+0x10/0x10\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\n  ? sched_clock_noinstr+0x9/0x1a\n  ? sched_clock+0x10/0x24\n  ? sched_clock_cpu+0x7e/0x42e\n  ? newidle_balance+0x796/0x937\n  ? __pfx_sched_clock_cpu+0x10/0x10\n  ? __pfx_newidle_balance+0x10/0x10\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? _raw_spin_unlock+0xe/0x24\n  ? raw_spin_rq_unlock+0x47/0x54\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\n  ? finish_task_switch.isra.0+0x347/0x586\n  ? __schedule+0x27bf/0x2892\n  ? mutex_unlock+0x80/0xd0\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx___schedule+0x10/0x10\n  process_scheduled_works+0x58c/0x821\n  worker_thread+0x4c7/0x586\n  ? __kasan_check_read+0x11/0x1f\n  kthread+0x285/0x294\n  ? __pfx_worker_thread+0x10/0x10\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x6f\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:54.470Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"
        }
      ],
      "title": "wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21729",
    "datePublished": "2025-02-27T02:07:34.711Z",
    "dateReserved": "2024-12-29T08:45:45.755Z",
    "dateUpdated": "2025-05-04T07:19:54.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38623 (GCVE-0-2025-38623)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-01-02 15:30

Title

PCI: pnv_php: Fix surprise plug detection and recovery

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE. 2) When a device is removed from a slot, regardless of surprise or programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot. Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. [bhelgaas: tidy comments]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6e7b5f922901585b8…
	https://git.kernel.org/stable/c/2ec8ec57bb8ebde3e…
	https://git.kernel.org/stable/c/473999ba937eac977…
	https://git.kernel.org/stable/c/6e7b24c71e530a6c1…
	https://git.kernel.org/stable/c/48c6935a34981bb56…
	https://git.kernel.org/stable/c/1d2f63680c5719a5d…
	https://git.kernel.org/stable/c/78d20b8c13075eae3…
	https://git.kernel.org/stable/c/a2a2a6fc2469524ca…

Impacted products

Vendor

Product

Version

Linux

Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 6e7b5f922901585b8f11e0d6cda12bda5c59fc8a (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 473999ba937eac9776be791deed7c84a21d7880b (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 6e7b24c71e530a6c1d656e73d8a30ee081656844 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 48c6935a34981bb56f35be0774ec1f30c6e386f8 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 1d2f63680c5719a5da92639e981c6c9a87fcee08 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < 78d20b8c13075eae3d884c21db7a09a6bbdda5b2 (git)
Affected: 360aebd85a4c946764f6301d68de2a817fad5159 , < a2a2a6fc2469524caa713036297c542746d148dc (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:40:33.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/pci-hotplug.c",
            "drivers/pci/hotplug/pnv_php.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e7b5f922901585b8f11e0d6cda12bda5c59fc8a",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "473999ba937eac9776be791deed7c84a21d7880b",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "6e7b24c71e530a6c1d656e73d8a30ee081656844",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "48c6935a34981bb56f35be0774ec1f30c6e386f8",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "1d2f63680c5719a5da92639e981c6c9a87fcee08",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "78d20b8c13075eae3d884c21db7a09a6bbdda5b2",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            },
            {
              "lessThan": "a2a2a6fc2469524caa713036297c542746d148dc",
              "status": "affected",
              "version": "360aebd85a4c946764f6301d68de2a817fad5159",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/pci-hotplug.c",
            "drivers/pci/hotplug/pnv_php.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Fix surprise plug detection and recovery\n\nThe existing PowerNV hotplug code did not handle surprise plug events\ncorrectly, leading to a complete failure of the hotplug system after device\nremoval and a required reboot to detect new devices.\n\nThis comes down to two issues:\n\n 1) When a device is surprise removed, often the bridge upstream\n    port will cause a PE freeze on the PHB.  If this freeze is not\n    cleared, the MSI interrupts from the bridge hotplug notification\n    logic will not be received by the kernel, stalling all plug events\n    on all slots associated with the PE.\n\n 2) When a device is removed from a slot, regardless of surprise or\n    programmatic removal, the associated PHB/PE ls left frozen.\n    If this freeze is not cleared via a fundamental reset, skiboot\n    is unable to clear the freeze and cannot retrain / rescan the\n    slot.  This also requires a reboot to clear the freeze and redetect\n    the device in the slot.\n\nIssue the appropriate unfreeze and rescan commands on hotplug events,\nand don\u0027t oops on hotplug if pci_bus_to_OF_node() returns NULL.\n\n[bhelgaas: tidy comments]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:59.100Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e7b5f922901585b8f11e0d6cda12bda5c59fc8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3"
        },
        {
          "url": "https://git.kernel.org/stable/c/473999ba937eac9776be791deed7c84a21d7880b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e7b24c71e530a6c1d656e73d8a30ee081656844"
        },
        {
          "url": "https://git.kernel.org/stable/c/48c6935a34981bb56f35be0774ec1f30c6e386f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d2f63680c5719a5da92639e981c6c9a87fcee08"
        },
        {
          "url": "https://git.kernel.org/stable/c/78d20b8c13075eae3d884c21db7a09a6bbdda5b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2a2a6fc2469524caa713036297c542746d148dc"
        }
      ],
      "title": "PCI: pnv_php: Fix surprise plug detection and recovery",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38623",
    "datePublished": "2025-08-22T16:00:32.046Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2026-01-02T15:30:59.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38557 (GCVE-0-2025-38557)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53

Title

HID: apple: validate feature-report field count to prevent NULL pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: apple: validate feature-report field count to prevent NULL pointer dereference A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL. An example of a minimal descriptor which can cause the crash is something like the following where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash. Usage Page (Vendor Defined 0xFF00) Usage (0x0F) Collection (Application) Report ID (1) Usage (0x01) Logical Minimum (0) Logical Maximum (255) Report Size (8) Report Count (1) Feature (Data,Var,Abs) Usage (0x02) Logical Maximum (32767) Report Size (16) Report Count (1) Feature (Data,Var,Abs) Report ID (3) Usage (0x03) Logical Minimum (0) Logical Maximum (1) Report Size (8) Report Count (1) Feature (Data,Var,Abs) End Collection Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes: [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary) [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Call Trace: [ 15.165691] <TASK> [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] To fix this issue we should validate the number of fields that the backlight and power reports have and if they do not have the required number of fields then bail.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ba08cc6801ec5fb98…
	https://git.kernel.org/stable/c/7e15d1eaa88179c51…
	https://git.kernel.org/stable/c/00896c3f41cb6b74f…
	https://git.kernel.org/stable/c/1bb3363da862e0464…

Impacted products

Vendor

Product

Version

Linux

Affected: 394ba612f9419ec5bfebbffb72212fd3b2094986 , < ba08cc6801ec5fb98f2d02b5f0c614c931845325 (git)
Affected: 394ba612f9419ec5bfebbffb72212fd3b2094986 , < 7e15d1eaa88179c5185e57a38ab05fe852d0cb8d (git)
Affected: 394ba612f9419ec5bfebbffb72212fd3b2094986 , < 00896c3f41cb6b74fec853386076115ba50baf0a (git)
Affected: 394ba612f9419ec5bfebbffb72212fd3b2094986 , < 1bb3363da862e0464ec050eea2fb5472a36ad86b (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-apple.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba08cc6801ec5fb98f2d02b5f0c614c931845325",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "7e15d1eaa88179c5185e57a38ab05fe852d0cb8d",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "00896c3f41cb6b74fec853386076115ba50baf0a",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "1bb3363da862e0464ec050eea2fb5472a36ad86b",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-apple.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\n\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\npointer dereference whilst the power feature-report is toggled and sent to\nthe device in apple_magic_backlight_report_set(). The power feature-report\nis expected to have two data fields, but if the descriptor declares one\nfield then accessing field[1] and dereferencing it in\napple_magic_backlight_report_set() becomes invalid\nsince field[1] will be NULL.\n\nAn example of a minimal descriptor which can cause the crash is something\nlike the following where the report with ID 3 (power report) only\nreferences a single 1-byte field. When hid core parses the descriptor it\nwill encounter the final feature tag, allocate a hid_report (all members\nof field[] will be zeroed out), create field structure and populate it,\nincreasing the maxfield to 1. The subsequent field[1] access and\ndereference causes the crash.\n\n  Usage Page (Vendor Defined 0xFF00)\n  Usage (0x0F)\n  Collection (Application)\n    Report ID (1)\n    Usage (0x01)\n    Logical Minimum (0)\n    Logical Maximum (255)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Usage (0x02)\n    Logical Maximum (32767)\n    Report Size (16)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Report ID (3)\n    Usage (0x03)\n    Logical Minimum (0)\n    Logical Maximum (1)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n  End Collection\n\nHere we see the KASAN splat when the kernel dereferences the\nNULL pointer and crashes:\n\n  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\n  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\n  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\n  [   15.165691] Call Trace:\n  [   15.165691]  \u003cTASK\u003e\n  [   15.165691]  apple_probe+0x571/0xa20\n  [   15.165691]  hid_device_probe+0x2e2/0x6f0\n  [   15.165691]  really_probe+0x1ca/0x5c0\n  [   15.165691]  __driver_probe_device+0x24f/0x310\n  [   15.165691]  driver_probe_device+0x4a/0xd0\n  [   15.165691]  __device_attach_driver+0x169/0x220\n  [   15.165691]  bus_for_each_drv+0x118/0x1b0\n  [   15.165691]  __device_attach+0x1d5/0x380\n  [   15.165691]  device_initial_probe+0x12/0x20\n  [   15.165691]  bus_probe_device+0x13d/0x180\n  [   15.165691]  device_add+0xd87/0x1510\n  [...]\n\nTo fix this issue we should validate the number of fields that the\nbacklight and power reports have and if they do not have the required\nnumber of fields then bail."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:53:44.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b"
        }
      ],
      "title": "HID: apple: validate feature-report field count to prevent NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38557",
    "datePublished": "2025-08-19T17:02:35.641Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-09-29T05:53:44.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38549 (GCVE-0-2025-38549)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:34 – Updated: 2025-08-16 11:34

Title

efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths

Summary

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths When processing mount options, efivarfs allocates efivarfs_fs_info (sfi) early in fs_context initialization. However, sfi is associated with the superblock and typically freed when the superblock is destroyed. If the fs_context is released (final put) before fill_super is called—such as on error paths or during reconfiguration—the sfi structure would leak, as ownership never transfers to the superblock. Implement the .free callback in efivarfs_context_ops to ensure any allocated sfi is properly freed if the fs_context is torn down before fill_super, preventing this memory leak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/816d36973467d1c9c…
	https://git.kernel.org/stable/c/e9fabe7036bb8be60…
	https://git.kernel.org/stable/c/64e135f1eaba0bbb0…

Impacted products

Vendor

Product

Version

Linux

Affected: 5329aa5101f73c451bcd48deaf3f296685849d9c , < 816d36973467d1c9c08a48bdffe4675e219a2e84 (git)
Affected: 5329aa5101f73c451bcd48deaf3f296685849d9c , < e9fabe7036bb8be6071f39dc38605508f5f57b20 (git)
Affected: 5329aa5101f73c451bcd48deaf3f296685849d9c , < 64e135f1eaba0bbb0cdee859af3328c68d5b9789 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "816d36973467d1c9c08a48bdffe4675e219a2e84",
              "status": "affected",
              "version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
              "versionType": "git"
            },
            {
              "lessThan": "e9fabe7036bb8be6071f39dc38605508f5f57b20",
              "status": "affected",
              "version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
              "versionType": "git"
            },
            {
              "lessThan": "64e135f1eaba0bbb0cdee859af3328c68d5b9789",
              "status": "affected",
              "version": "5329aa5101f73c451bcd48deaf3f296685849d9c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths\n\nWhen processing mount options, efivarfs allocates efivarfs_fs_info (sfi)\nearly in fs_context initialization. However, sfi is associated with the\nsuperblock and typically freed when the superblock is destroyed. If the\nfs_context is released (final put) before fill_super is called\u2014such as\non error paths or during reconfiguration\u2014the sfi structure would leak,\nas ownership never transfers to the superblock.\n\nImplement the .free callback in efivarfs_context_ops to ensure any\nallocated sfi is properly freed if the fs_context is torn down before\nfill_super, preventing this memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:34:17.699Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/816d36973467d1c9c08a48bdffe4675e219a2e84"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9fabe7036bb8be6071f39dc38605508f5f57b20"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e135f1eaba0bbb0cdee859af3328c68d5b9789"
        }
      ],
      "title": "efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38549",
    "datePublished": "2025-08-16T11:34:17.699Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-08-16T11:34:17.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38438 (GCVE-0-2025-38438)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-07-28 11:17

Title

ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup() and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (size 16): comm "kworker/4:1", pid 161, jiffies 4294802931 hex dump (first 16 bytes): 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. backtrace (crc 4bf1675c): __kmalloc_node_track_caller_noprof+0x49c/0x6b0 kstrdup+0x46/0xc0 hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic] sof_init_environment+0x16f/0xb50 [snd_sof] sof_probe_continue+0x45/0x7c0 [snd_sof] sof_probe_work+0x1e/0x40 [snd_sof] process_one_work+0x894/0x14b0 worker_thread+0x5e5/0xfb0 kthread+0x39d/0x760 ret_from_fork+0x31/0x70 ret_from_fork_asm+0x1a/0x30

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/68397fda2caa90e99…
	https://git.kernel.org/stable/c/58ecf51af12cb32b8…
	https://git.kernel.org/stable/c/6c038b58a2dc5a008…

Impacted products

Vendor

Product

Version

Linux

Affected: dd96daca6c83ecaf37f38ff49d8d174bbff576b4 , < 68397fda2caa90e99a7c0bcb2cf604e42ef3b91f (git)
Affected: dd96daca6c83ecaf37f38ff49d8d174bbff576b4 , < 58ecf51af12cb32b890858b52b2c34e80590c74a (git)
Affected: dd96daca6c83ecaf37f38ff49d8d174bbff576b4 , < 6c038b58a2dc5a008c7e7a1297f5aaa4deaaaa7e (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "68397fda2caa90e99a7c0bcb2cf604e42ef3b91f",
              "status": "affected",
              "version": "dd96daca6c83ecaf37f38ff49d8d174bbff576b4",
              "versionType": "git"
            },
            {
              "lessThan": "58ecf51af12cb32b890858b52b2c34e80590c74a",
              "status": "affected",
              "version": "dd96daca6c83ecaf37f38ff49d8d174bbff576b4",
              "versionType": "git"
            },
            {
              "lessThan": "6c038b58a2dc5a008c7e7a1297f5aaa4deaaaa7e",
              "status": "affected",
              "version": "dd96daca6c83ecaf37f38ff49d8d174bbff576b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.\n\nsof_pdata-\u003etplg_filename can have address allocated by kstrdup()\nand can be overwritten. Memory leak was detected with kmemleak:\n\nunreferenced object 0xffff88812391ff60 (size 16):\n  comm \"kworker/4:1\", pid 161, jiffies 4294802931\n  hex dump (first 16 bytes):\n    73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00  sof-hda-generic.\n  backtrace (crc 4bf1675c):\n    __kmalloc_node_track_caller_noprof+0x49c/0x6b0\n    kstrdup+0x46/0xc0\n    hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic]\n    sof_init_environment+0x16f/0xb50 [snd_sof]\n    sof_probe_continue+0x45/0x7c0 [snd_sof]\n    sof_probe_work+0x1e/0x40 [snd_sof]\n    process_one_work+0x894/0x14b0\n    worker_thread+0x5e5/0xfb0\n    kthread+0x39d/0x760\n    ret_from_fork+0x31/0x70\n    ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:17:02.383Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/68397fda2caa90e99a7c0bcb2cf604e42ef3b91f"
        },
        {
          "url": "https://git.kernel.org/stable/c/58ecf51af12cb32b890858b52b2c34e80590c74a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c038b58a2dc5a008c7e7a1297f5aaa4deaaaa7e"
        }
      ],
      "title": "ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38438",
    "datePublished": "2025-07-25T15:27:17.917Z",
    "dateReserved": "2025-04-16T04:51:24.016Z",
    "dateUpdated": "2025-07-28T11:17:02.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38616 (GCVE-0-2025-38616)

Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-09-29 05:54

Title

tls: handle data disappearing from under the TLS ULP

Summary

In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f1fe99919f629f980…
	https://git.kernel.org/stable/c/eb0336f213fe88bbd…
	https://git.kernel.org/stable/c/db3658a12d5ec4db7…
	https://git.kernel.org/stable/c/2fb97ed9e2672b4f6…
	https://git.kernel.org/stable/c/6db015fc4b5d5f63a…

Impacted products

Vendor

Product

Version

Linux

Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < f1fe99919f629f980d0b8a7ff16950bffe06a859 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < eb0336f213fe88bbdb7d2b19c9c9ec19245a3155 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < db3658a12d5ec4db7185ae7476151a50521b7207 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38 (git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 6db015fc4b5d5f63a64a193f65d98da3a7fc811d (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls.h",
            "net/tls/tls_strp.c",
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1fe99919f629f980d0b8a7ff16950bffe06a859",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "eb0336f213fe88bbdb7d2b19c9c9ec19245a3155",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "db3658a12d5ec4db7185ae7476151a50521b7207",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "6db015fc4b5d5f63a64a193f65d98da3a7fc811d",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls.h",
            "net/tls/tls_strp.c",
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: handle data disappearing from under the TLS ULP\n\nTLS expects that it owns the receive queue of the TCP socket.\nThis cannot be guaranteed in case the reader of the TCP socket\nentered before the TLS ULP was installed, or uses some non-standard\nread API (eg. zerocopy ones). Replace the WARN_ON() and a buggy\nearly exit (which leaves anchor pointing to a freed skb) with real\nerror handling. Wipe the parsing state and tell the reader to retry.\n\nWe already reload the anchor every time we (re)acquire the socket lock,\nso the only condition we need to avoid is an out of bounds read\n(not having enough bytes in the socket for previously parsed record len).\n\nIf some data was read from under TLS but there\u0027s enough in the queue\nwe\u0027ll reload and decrypt what is most likely not a valid TLS record.\nLeading to some undefined behavior from TLS perspective (corrupting\na stream? missing an alert? missing an attack?) but no kernel crash\nshould take place."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:51.143Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1fe99919f629f980d0b8a7ff16950bffe06a859"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb0336f213fe88bbdb7d2b19c9c9ec19245a3155"
        },
        {
          "url": "https://git.kernel.org/stable/c/db3658a12d5ec4db7185ae7476151a50521b7207"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38"
        },
        {
          "url": "https://git.kernel.org/stable/c/6db015fc4b5d5f63a64a193f65d98da3a7fc811d"
        }
      ],
      "title": "tls: handle data disappearing from under the TLS ULP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38616",
    "datePublished": "2025-08-22T13:01:23.217Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2025-09-29T05:54:51.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21727 (GCVE-0-2025-21727)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

padata: fix UAF in padata_reorder

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f78170bee51469734…
	https://git.kernel.org/stable/c/f3e0b9f790f8e8065…
	https://git.kernel.org/stable/c/0ae2f332cfd2d74cf…
	https://git.kernel.org/stable/c/bbccae982e9fa1d7a…
	https://git.kernel.org/stable/c/573ac9c70bf7885dc…
	https://git.kernel.org/stable/c/80231f069240d52e9…
	https://git.kernel.org/stable/c/e01780ea466117273…

Impacted products

Vendor

Product

Version

Linux

Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < f78170bee51469734b1a306a74fc5f777bb22ba6 (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < f3e0b9f790f8e8065d59e67b565a83154d9f3079 (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 573ac9c70bf7885dc85d82fa44550581bfc3b738 (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 80231f069240d52e98b6a317456c67b2eafd0781 (git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < e01780ea4661172734118d2a5f41bc9720765668 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:06.104597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:30.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:52.256Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
        },
        {
          "url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
        },
        {
          "url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
        }
      ],
      "title": "padata: fix UAF in padata_reorder",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21727",
    "datePublished": "2025-02-27T02:07:33.501Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-11-03T19:36:30.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39727 (GCVE-0-2025-39727)

Vulnerability from cvelistv5 – Published: 2025-09-07 15:16 – Updated: 2025-09-29 05:58

Title

mm: swap: fix potential buffer overflow in setup_clusters()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix potential buffer overflow in setup_clusters() In setup_swap_map(), we only ensure badpages are in range (0, last_page]. As maxpages might be < last_page, setup_clusters() will encounter a buffer overflow when a badpage is >= maxpages. Only call inc_cluster_info_page() for badpage which is < maxpages to fix the issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/91b370800b3f2b3dd…
	https://git.kernel.org/stable/c/9b01ada580ee84fb3…
	https://git.kernel.org/stable/c/815c528b13f2bb9b3…
	https://git.kernel.org/stable/c/152c1339dc13ad46f…

Impacted products

Vendor

Product

Version

Linux

Affected: b843786b0bd01ced7fcdbf3b033d68db2f7c61b2 , < 91b370800b3f2b3dda244c0ab06719c4971190a5 (git)
Affected: b843786b0bd01ced7fcdbf3b033d68db2f7c61b2 , < 9b01ada580ee84fb319e7ecb5fb5b1f54a9eb799 (git)
Affected: b843786b0bd01ced7fcdbf3b033d68db2f7c61b2 , < 815c528b13f2bb9b3130c13bedeabf2351a68129 (git)
Affected: b843786b0bd01ced7fcdbf3b033d68db2f7c61b2 , < 152c1339dc13ad46f1b136e8693de15980750835 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/swapfile.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "91b370800b3f2b3dda244c0ab06719c4971190a5",
              "status": "affected",
              "version": "b843786b0bd01ced7fcdbf3b033d68db2f7c61b2",
              "versionType": "git"
            },
            {
              "lessThan": "9b01ada580ee84fb319e7ecb5fb5b1f54a9eb799",
              "status": "affected",
              "version": "b843786b0bd01ced7fcdbf3b033d68db2f7c61b2",
              "versionType": "git"
            },
            {
              "lessThan": "815c528b13f2bb9b3130c13bedeabf2351a68129",
              "status": "affected",
              "version": "b843786b0bd01ced7fcdbf3b033d68db2f7c61b2",
              "versionType": "git"
            },
            {
              "lessThan": "152c1339dc13ad46f1b136e8693de15980750835",
              "status": "affected",
              "version": "b843786b0bd01ced7fcdbf3b033d68db2f7c61b2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/swapfile.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix potential buffer overflow in setup_clusters()\n\nIn setup_swap_map(), we only ensure badpages are in range (0, last_page]. \nAs maxpages might be \u003c last_page, setup_clusters() will encounter a buffer\noverflow when a badpage is \u003e= maxpages.\n\nOnly call inc_cluster_info_page() for badpage which is \u003c maxpages to fix\nthe issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:13.176Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/91b370800b3f2b3dda244c0ab06719c4971190a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b01ada580ee84fb319e7ecb5fb5b1f54a9eb799"
        },
        {
          "url": "https://git.kernel.org/stable/c/815c528b13f2bb9b3130c13bedeabf2351a68129"
        },
        {
          "url": "https://git.kernel.org/stable/c/152c1339dc13ad46f1b136e8693de15980750835"
        }
      ],
      "title": "mm: swap: fix potential buffer overflow in setup_clusters()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39727",
    "datePublished": "2025-09-07T15:16:17.986Z",
    "dateReserved": "2025-04-16T07:20:57.118Z",
    "dateUpdated": "2025-09-29T05:58:13.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49390 (GCVE-0-2022-49390)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:11 – Updated: 2025-05-04 12:44

Title

macsec: fix UAF bug for real_dev

Summary

In the Linux kernel, the following vulnerability has been resolved: macsec: fix UAF bug for real_dev Create a new macsec device but not get reference to real_dev. That can not ensure that real_dev is freed after macsec. That will trigger the UAF bug for real_dev as following: ================================================================== BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 Call Trace: ... macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 dev_get_iflink+0x73/0xe0 net/core/dev.c:637 default_operstate net/core/link_watch.c:42 [inline] rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54 linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161 Allocated by task 22209: ... alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549 rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235 veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748 Freed by task 8: ... kfree+0xd6/0x4d0 mm/slub.c:4552 kvfree+0x42/0x50 mm/util.c:615 device_release+0x9f/0x240 drivers/base/core.c:2229 kobject_cleanup lib/kobject.c:673 [inline] kobject_release lib/kobject.c:704 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:721 netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327 After commit faab39f63c1f ("net: allow out-of-order netdev unregistration") and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we can add dev_hold_track() in macsec_dev_init() and dev_put_track() in macsec_free_netdev() to fix the problem.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/78933cbc143b82d02…
	https://git.kernel.org/stable/c/d130282179aa60514…
	https://git.kernel.org/stable/c/196a888ca6571deb3…

Impacted products

Vendor

Product

Version

Linux

Affected: 2bce1ebed17da54c65042ec2b962e3234bad5b47 , < 78933cbc143b82d02330e00900d2fd08f2682f4e (git)
Affected: 2bce1ebed17da54c65042ec2b962e3234bad5b47 , < d130282179aa6051449ac8f8df1115769998a665 (git)
Affected: 2bce1ebed17da54c65042ec2b962e3234bad5b47 , < 196a888ca6571deb344468e1d7138e3273206335 (git)
Affected: 1861904a6092ed411203c6a02c75bfc45b27cc3c (git)
Affected: 3a2675a2d97a68332fa5c33043038bfeb31455a8 (git)
Affected: b0add6db3d5ec4561cab257358871a9d3df7f0a3 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.17.15 , ≤ 5.17.* (semver)
Unaffected: 5.18.3 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49390",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:33.560218Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:28.747Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/macsec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78933cbc143b82d02330e00900d2fd08f2682f4e",
              "status": "affected",
              "version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
              "versionType": "git"
            },
            {
              "lessThan": "d130282179aa6051449ac8f8df1115769998a665",
              "status": "affected",
              "version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
              "versionType": "git"
            },
            {
              "lessThan": "196a888ca6571deb344468e1d7138e3273206335",
              "status": "affected",
              "version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1861904a6092ed411203c6a02c75bfc45b27cc3c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3a2675a2d97a68332fa5c33043038bfeb31455a8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b0add6db3d5ec4561cab257358871a9d3df7f0a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/macsec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.154",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.84",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: fix UAF bug for real_dev\n\nCreate a new macsec device but not get reference to real_dev. That can\nnot ensure that real_dev is freed after macsec. That will trigger the\nUAF bug for real_dev as following:\n\n==================================================================\nBUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\nCall Trace:\n ...\n macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\n dev_get_iflink+0x73/0xe0 net/core/dev.c:637\n default_operstate net/core/link_watch.c:42 [inline]\n rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54\n linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161\n\nAllocated by task 22209:\n ...\n alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549\n rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235\n veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748\n\nFreed by task 8:\n ...\n kfree+0xd6/0x4d0 mm/slub.c:4552\n kvfree+0x42/0x50 mm/util.c:615\n device_release+0x9f/0x240 drivers/base/core.c:2229\n kobject_cleanup lib/kobject.c:673 [inline]\n kobject_release lib/kobject.c:704 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1c8/0x540 lib/kobject.c:721\n netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327\n\nAfter commit faab39f63c1f (\"net: allow out-of-order netdev unregistration\")\nand commit e5f80fcf869a (\"ipv6: give an IPv6 dev to blackhole_netdev\"), we\ncan add dev_hold_track() in macsec_dev_init() and dev_put_track() in\nmacsec_free_netdev() to fix the problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:44:34.195Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665"
        },
        {
          "url": "https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335"
        }
      ],
      "title": "macsec: fix UAF bug for real_dev",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49390",
    "datePublished": "2025-02-26T02:11:23.327Z",
    "dateReserved": "2025-02-26T02:08:31.561Z",
    "dateUpdated": "2025-05-04T12:44:34.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56596 (GCVE-0-2024-56596)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:55

Title

jfs: fix array-index-out-of-bounds in jfs_readdir

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in jfs_readdir The stbl might contain some invalid values. Added a check to return error code in that case.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-129 - Improper Validation of Array Index

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b62f41aeec9d25014…
	https://git.kernel.org/stable/c/97e693593162eef68…
	https://git.kernel.org/stable/c/9efe72eefd4c4a7ce…
	https://git.kernel.org/stable/c/ff9fc48fab0e1ea0d…
	https://git.kernel.org/stable/c/e7d376f94f72b020f…
	https://git.kernel.org/stable/c/8ff7579554571d92e…
	https://git.kernel.org/stable/c/839f102efb168f02d…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b62f41aeec9d250144c53875b507c1d45ae8c8fc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 97e693593162eef6851d232f0c8148169ed46a5c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ff9fc48fab0e1ea0d423c23c99b91bba178f0b05 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e7d376f94f72b020f84e77278b150ec1cc27502c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8ff7579554571d92e3deab168f5a7d7b146ed368 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 839f102efb168f02dfdd46717b7c6dddb26b015e (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56596",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:31.920173Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:14.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:27.430Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b62f41aeec9d250144c53875b507c1d45ae8c8fc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "97e693593162eef6851d232f0c8148169ed46a5c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ff9fc48fab0e1ea0d423c23c99b91bba178f0b05",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e7d376f94f72b020f84e77278b150ec1cc27502c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8ff7579554571d92e3deab168f5a7d7b146ed368",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "839f102efb168f02dfdd46717b7c6dddb26b015e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in jfs_readdir\n\nThe stbl might contain some invalid values. Added a check to\nreturn error code in that case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:58.987Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b62f41aeec9d250144c53875b507c1d45ae8c8fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/97e693593162eef6851d232f0c8148169ed46a5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff9fc48fab0e1ea0d423c23c99b91bba178f0b05"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7d376f94f72b020f84e77278b150ec1cc27502c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ff7579554571d92e3deab168f5a7d7b146ed368"
        },
        {
          "url": "https://git.kernel.org/stable/c/839f102efb168f02dfdd46717b7c6dddb26b015e"
        }
      ],
      "title": "jfs: fix array-index-out-of-bounds in jfs_readdir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56596",
    "datePublished": "2024-12-27T14:51:03.282Z",
    "dateReserved": "2024-12-27T14:03:06.010Z",
    "dateUpdated": "2026-01-05T10:55:58.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39725 (GCVE-0-2025-39725)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:27 – Updated: 2025-09-05 17:27

Title

mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/656eaddbc952e1baa…
	https://git.kernel.org/stable/c/c1101113d45838a82…
	https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e…

Impacted products

Vendor

Product

Version

Linux

Affected: 1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0 , < 656eaddbc952e1baae2f69281c22debe22140312 (git)
Affected: 1b0449544c6482179ac84530b61fc192a6527bfd , < c1101113d45838a823188ae25c61af97552a28ae (git)
Affected: 1b0449544c6482179ac84530b61fc192a6527bfd , < 9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab (git)
Affected: 912e9f0300c3564b72a8808db406e313193a37ad (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/memory-failure.c",
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "656eaddbc952e1baae2f69281c22debe22140312",
              "status": "affected",
              "version": "1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0",
              "versionType": "git"
            },
            {
              "lessThan": "c1101113d45838a823188ae25c61af97552a28ae",
              "status": "affected",
              "version": "1b0449544c6482179ac84530b61fc192a6527bfd",
              "versionType": "git"
            },
            {
              "lessThan": "9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab",
              "status": "affected",
              "version": "1b0449544c6482179ac84530b61fc192a6527bfd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "912e9f0300c3564b72a8808db406e313193a37ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/memory-failure.c",
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list\n\nIn shrink_folio_list(), the hwpoisoned folio may be large folio, which\ncan\u0027t be handled by unmap_poisoned_folio().  For THP, try_to_unmap_one()\nmust be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then\nretry.  Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of\npvmw.pte.  Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a\nWARN_ON_ONCE due to the page isn\u0027t in swapcache.\n\nSince UCE is rare in real world, and race with reclaimation is more rare,\njust skipping the hwpoisoned large folio is enough.  memory_failure() will\nhandle it if the UCE is triggered again.\n\nThis happens when memory reclaim for large folio races with\nmemory_failure(), and will lead to kernel panic.  The race is as\nfollows:\n\ncpu0      cpu1\n shrink_folio_list memory_failure\n  TestSetPageHWPoison\n  unmap_poisoned_folio\n  --\u003e trigger BUG_ON due to\n  unmap_poisoned_folio couldn\u0027t\n   handle large folio\n\n[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T17:27:18.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab"
        }
      ],
      "title": "mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39725",
    "datePublished": "2025-09-05T17:27:18.719Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2025-09-05T17:27:18.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38551 (GCVE-0-2025-38551)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:34 – Updated: 2025-08-16 11:34

Title

virtio-net: fix recursived rtnl_lock() during probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the virtio-net driver is still probing. The config_work in probe() will get scheduled until virtnet_open() enables the config change notification via virtio_config_driver_enable().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4e7c46362550b2293…
	https://git.kernel.org/stable/c/3859f137b3c1fa1f0…
	https://git.kernel.org/stable/c/be5dcaed694e4255d…

Impacted products

Vendor

Product

Version

Linux

Affected: df28de7b00502761eba62490f413c65c9b175ed9 , < 4e7c46362550b229354aeb52038f414e231b0037 (git)
Affected: df28de7b00502761eba62490f413c65c9b175ed9 , < 3859f137b3c1fa1f0031d54263234566bdcdd7aa (git)
Affected: df28de7b00502761eba62490f413c65c9b175ed9 , < be5dcaed694e4255dc02dd0acfe036708c535def (git)
Affected: cb06b26bb2e6d2c6a32f65f7bb1b7dcbe033d675 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4e7c46362550b229354aeb52038f414e231b0037",
              "status": "affected",
              "version": "df28de7b00502761eba62490f413c65c9b175ed9",
              "versionType": "git"
            },
            {
              "lessThan": "3859f137b3c1fa1f0031d54263234566bdcdd7aa",
              "status": "affected",
              "version": "df28de7b00502761eba62490f413c65c9b175ed9",
              "versionType": "git"
            },
            {
              "lessThan": "be5dcaed694e4255dc02dd0acfe036708c535def",
              "status": "affected",
              "version": "df28de7b00502761eba62490f413c65c9b175ed9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cb06b26bb2e6d2c6a32f65f7bb1b7dcbe033d675",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix recursived rtnl_lock() during probe()\n\nThe deadlock appears in a stack trace like:\n\n  virtnet_probe()\n    rtnl_lock()\n    virtio_config_changed_work()\n      netdev_notify_peers()\n        rtnl_lock()\n\nIt happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the\nvirtio-net driver is still probing.\n\nThe config_work in probe() will get scheduled until virtnet_open() enables\nthe config change notification via virtio_config_driver_enable()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:34:19.544Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4e7c46362550b229354aeb52038f414e231b0037"
        },
        {
          "url": "https://git.kernel.org/stable/c/3859f137b3c1fa1f0031d54263234566bdcdd7aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/be5dcaed694e4255dc02dd0acfe036708c535def"
        }
      ],
      "title": "virtio-net: fix recursived rtnl_lock() during probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38551",
    "datePublished": "2025-08-16T11:34:19.544Z",
    "dateReserved": "2025-04-16T04:51:24.024Z",
    "dateUpdated": "2025-08-16T11:34:19.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39794 (GCVE-0-2025-39794)

Vulnerability from cvelistv5 – Published: 2025-09-12 15:59 – Updated: 2026-01-02 15:32

Title

ARM: tegra: Use I/O memcpy to write to IRAM

Summary

In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b28c1a14accc79ead…
	https://git.kernel.org/stable/c/75a3bdfeed2f129a2…
	https://git.kernel.org/stable/c/2499b0ac908eefbb8…
	https://git.kernel.org/stable/c/387435f4833f97aab…
	https://git.kernel.org/stable/c/46b3a7a3a36d5833f…
	https://git.kernel.org/stable/c/9b0b3b5e5cae95e09…
	https://git.kernel.org/stable/c/96d6605bf0561d6e5…
	https://git.kernel.org/stable/c/30ef45b89a5961cde…
	https://git.kernel.org/stable/c/398e67e0f5ae04b29…

Impacted products

Vendor

Product

Version

Linux

Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < b28c1a14accc79ead1e87bbdae53309da60be1e7 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 75a3bdfeed2f129a2c7d9fd7779382b78e35b014 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 2499b0ac908eefbb8a217aae609b7a5b5174f330 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 387435f4833f97aabfd74434ee526e31e8a626ea (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 46b3a7a3a36d5833f14914d1b95c69d28c6a76d6 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 96d6605bf0561d6e568b1dd9265a0f73b5b94f51 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 30ef45b89a5961cdecf907ecff1ef3374d1de510 (git)
Affected: b36ab9754efbd7429d214b3b03dc9843882571bd , < 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 (git)

Linux

Affected: 3.4
Unaffected: 0 , < 3.4 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.149 , ≤ 6.1.* (semver)
Unaffected: 6.6.103 , ≤ 6.6.* (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:43:26.094Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/mach-tegra/reset.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b28c1a14accc79ead1e87bbdae53309da60be1e7",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "75a3bdfeed2f129a2c7d9fd7779382b78e35b014",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "2499b0ac908eefbb8a217aae609b7a5b5174f330",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "387435f4833f97aabfd74434ee526e31e8a626ea",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "46b3a7a3a36d5833f14914d1b95c69d28c6a76d6",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "96d6605bf0561d6e568b1dd9265a0f73b5b94f51",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "30ef45b89a5961cdecf907ecff1ef3374d1de510",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            },
            {
              "lessThan": "398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1",
              "status": "affected",
              "version": "b36ab9754efbd7429d214b3b03dc9843882571bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/mach-tegra/reset.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: tegra: Use I/O memcpy to write to IRAM\n\nKasan crashes the kernel trying to check boundaries when using the\nnormal memcpy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:32:21.921Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b28c1a14accc79ead1e87bbdae53309da60be1e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/75a3bdfeed2f129a2c7d9fd7779382b78e35b014"
        },
        {
          "url": "https://git.kernel.org/stable/c/2499b0ac908eefbb8a217aae609b7a5b5174f330"
        },
        {
          "url": "https://git.kernel.org/stable/c/387435f4833f97aabfd74434ee526e31e8a626ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/46b3a7a3a36d5833f14914d1b95c69d28c6a76d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87"
        },
        {
          "url": "https://git.kernel.org/stable/c/96d6605bf0561d6e568b1dd9265a0f73b5b94f51"
        },
        {
          "url": "https://git.kernel.org/stable/c/30ef45b89a5961cdecf907ecff1ef3374d1de510"
        },
        {
          "url": "https://git.kernel.org/stable/c/398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1"
        }
      ],
      "title": "ARM: tegra: Use I/O memcpy to write to IRAM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39794",
    "datePublished": "2025-09-12T15:59:31.226Z",
    "dateReserved": "2025-04-16T07:20:57.132Z",
    "dateUpdated": "2026-01-02T15:32:21.921Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38533 (GCVE-0-2025-38533)

Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2025-08-16 11:12

Title

net: libwx: fix the using of Rx buffer DMA

Summary

In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavior, including DMA errors or use-after-free, if the uninitialized 'dma' was used. Althrough such error has not yet occurred, it is worth fixing in the code.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/027701180a7bcb64c…
	https://git.kernel.org/stable/c/ba7c793f96c1c2b94…
	https://git.kernel.org/stable/c/05c37b574997892a4…
	https://git.kernel.org/stable/c/5fd77cc6bd9b36843…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < 027701180a7bcb64c42eab291133ef0c87b5b6c5 (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < ba7c793f96c1c2b944bb6f423d7243f3afc30fe9 (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < 05c37b574997892a40a0e9b9b88a481566b2367d (git)
Affected: 3c47e8ae113a68da47987750d9896e325d0aeedd , < 5fd77cc6bd9b368431a815a780e407b7781bcca0 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_lib.c",
            "drivers/net/ethernet/wangxun/libwx/wx_type.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "027701180a7bcb64c42eab291133ef0c87b5b6c5",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "ba7c793f96c1c2b944bb6f423d7243f3afc30fe9",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "05c37b574997892a40a0e9b9b88a481566b2367d",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            },
            {
              "lessThan": "5fd77cc6bd9b368431a815a780e407b7781bcca0",
              "status": "affected",
              "version": "3c47e8ae113a68da47987750d9896e325d0aeedd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/libwx/wx_lib.c",
            "drivers/net/ethernet/wangxun/libwx/wx_type.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: fix the using of Rx buffer DMA\n\nThe wx_rx_buffer structure contained two DMA address fields: \u0027dma\u0027 and\n\u0027page_dma\u0027. However, only \u0027page_dma\u0027 was actually initialized and used\nto program the Rx descriptor. But \u0027dma\u0027 was uninitialized and used in\nsome paths.\n\nThis could lead to undefined behavior, including DMA errors or\nuse-after-free, if the uninitialized \u0027dma\u0027 was used. Althrough such\nerror has not yet occurred, it is worth fixing in the code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T11:12:25.978Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/027701180a7bcb64c42eab291133ef0c87b5b6c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba7c793f96c1c2b944bb6f423d7243f3afc30fe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/05c37b574997892a40a0e9b9b88a481566b2367d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fd77cc6bd9b368431a815a780e407b7781bcca0"
        }
      ],
      "title": "net: libwx: fix the using of Rx buffer DMA",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38533",
    "datePublished": "2025-08-16T11:12:25.978Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-08-16T11:12:25.978Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38165 (GCVE-0-2025-38165)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34

Title

bpf, sockmap: Fix panic when calling skb_linearize

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix panic when calling skb_linearize The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000 Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events sk_psock_backlog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? do_trap+0x1d0/0x270 [ 657.470118] ? pskb_expand_head+0x612/0xf40 [ 657.470376] ? pskb_expand_head+0x612/0xf40 [ 657.470620] ? do_error_trap+0xa3/0x170 [ 657.470846] ? pskb_expand_head+0x612/0xf40 [ 657.471092] ? handle_invalid_op+0x2c/0x40 [ 657.471335] ? pskb_expand_head+0x612/0xf40 [ 657.471579] ? exc_invalid_op+0x2d/0x40 [ 657.471805] ? asm_exc_invalid_op+0x1a/0x20 [ 657.472052] ? pskb_expand_head+0xd1/0xf40 [ 657.472292] ? pskb_expand_head+0x612/0xf40 [ 657.472540] ? lock_acquire+0x18f/0x4e0 [ 657.472766] ? find_held_lock+0x2d/0x110 [ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10 [ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470 [ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10 [ 657.473826] __pskb_pull_tail+0xfd/0x1d20 [ 657.474062] ? __kasan_slab_alloc+0x4e/0x90 [ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510 [ 657.475392] ? __kasan_kmalloc+0xaa/0xb0 [ 657.476010] sk_psock_backlog+0x5cf/0xd70 [ 657.476637] process_one_work+0x858/0x1a20 ''' The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed. The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize. To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue. ''' sk_psock_backlog: sk_psock_handle_skb skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue' sk_psock_skb_ingress____________ ↓ | | → sk_psock_skb_ingress_self | sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑ skb_linearize ''' Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4dba44333a11522df…
	https://git.kernel.org/stable/c/9718ba6490732dbe7…
	https://git.kernel.org/stable/c/db1d15a26f21f9745…
	https://git.kernel.org/stable/c/3d25fa2d7f127348c…
	https://git.kernel.org/stable/c/e9c1299d813fc0466…
	https://git.kernel.org/stable/c/5ca2e29f6834c64c0…

Impacted products

Vendor

Product

Version

Linux

Affected: 65ad600b9bde68d2d28709943ab00b51ca8f0a1d , < 4dba44333a11522df54b49aa1f2edfaf6ce35fc7 (git)
Affected: 923877254f002ae87d441382bb1096d9e773d56d , < 9718ba6490732dbe70190d42c21deb1440834402 (git)
Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < db1d15a26f21f97459508c42ae87cabe8d3afc3b (git)
Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < 3d25fa2d7f127348c818e1dab9e58534f7ac56cc (git)
Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < e9c1299d813fc04668042690f2c3cc76d013959a (git)
Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e (git)
Affected: e6b5e47adb9166e732cdf7e6e034946e3f89f36d (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:54.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4dba44333a11522df54b49aa1f2edfaf6ce35fc7",
              "status": "affected",
              "version": "65ad600b9bde68d2d28709943ab00b51ca8f0a1d",
              "versionType": "git"
            },
            {
              "lessThan": "9718ba6490732dbe70190d42c21deb1440834402",
              "status": "affected",
              "version": "923877254f002ae87d441382bb1096d9e773d56d",
              "versionType": "git"
            },
            {
              "lessThan": "db1d15a26f21f97459508c42ae87cabe8d3afc3b",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "3d25fa2d7f127348c818e1dab9e58534f7ac56cc",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "e9c1299d813fc04668042690f2c3cc76d013959a",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e6b5e47adb9166e732cdf7e6e034946e3f89f36d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n\u0027\u0027\u0027\n[  657.460555] kernel BUG at net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  \u003cTASK\u003e\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? __kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n\u0027\u0027\u0027\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n\u0027\u0027\u0027\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) \u003c== we move it into \u0027sk_psock_skb_ingress_enqueue\u0027\n       sk_psock_skb_ingress____________\n                                       \u2193\n                                       |\n                                       | \u2192 sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________\u2191          skb_linearize\n\u0027\u0027\u0027\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add \u0027take_ref\u0027 param to control it\u0027s behavior."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:57.617Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402"
        },
        {
          "url": "https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e"
        }
      ],
      "title": "bpf, sockmap: Fix panic when calling skb_linearize",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38165",
    "datePublished": "2025-07-03T08:36:05.738Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2025-11-03T17:34:54.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38589 (GCVE-0-2025-38589)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-09-29 05:54

Title

neighbour: Fix null-ptr-deref in neigh_flush_dev().

Summary

In the Linux kernel, the following vulnerability has been resolved: neighbour: Fix null-ptr-deref in neigh_flush_dev(). kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table. One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev. Let's restore the hash table iteration. Note that IPv6 module is no longer unloadable, so neigh_table_clear() is called only when IPv6 fails to initialise, which is unlikely to happen. [0]: IPv6: Attempt to unregister permanent protocol 136 IPv6: Attempt to unregister permanent protocol 17 Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 </TASK> Modules linked in: ipv6(+)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d9c4328795697ebc3…
	https://git.kernel.org/stable/c/47fbd7f8df19bdfbe…
	https://git.kernel.org/stable/c/1bbb76a8994868273…

Impacted products

Vendor

Product

Version

Linux

Affected: f7f52738637f4361c108cad36e23ee98959a9006 , < d9c4328795697ebc392a63fece3901999c09cddd (git)
Affected: f7f52738637f4361c108cad36e23ee98959a9006 , < 47fbd7f8df19bdfbe334ee83f35568c9a29221ae (git)
Affected: f7f52738637f4361c108cad36e23ee98959a9006 , < 1bbb76a899486827394530916f01214d049931b3 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/neighbour.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9c4328795697ebc392a63fece3901999c09cddd",
              "status": "affected",
              "version": "f7f52738637f4361c108cad36e23ee98959a9006",
              "versionType": "git"
            },
            {
              "lessThan": "47fbd7f8df19bdfbe334ee83f35568c9a29221ae",
              "status": "affected",
              "version": "f7f52738637f4361c108cad36e23ee98959a9006",
              "versionType": "git"
            },
            {
              "lessThan": "1bbb76a899486827394530916f01214d049931b3",
              "status": "affected",
              "version": "f7f52738637f4361c108cad36e23ee98959a9006",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/neighbour.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: Fix null-ptr-deref in neigh_flush_dev().\n\nkernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]\n\nThe cited commit introduced per-netdev neighbour list and converted\nneigh_flush_dev() to use it instead of the global hash table.\n\nOne thing we missed is that neigh_table_clear() calls neigh_ifdown()\nwith NULL dev.\n\nLet\u0027s restore the hash table iteration.\n\nNote that IPv6 module is no longer unloadable, so neigh_table_clear()\nis called only when IPv6 fails to initialise, which is unlikely to\nhappen.\n\n[0]:\nIPv6: Attempt to unregister permanent protocol 136\nIPv6: Attempt to unregister permanent protocol 17\nOops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]\nCPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.12.0-rc6-01246-gf7f52738637f #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570\nCode: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 \u003c42\u003e 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f\nRSP: 0000:ffff88810026f408 EFLAGS: 00010206\nRAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640\nRBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000\nFS:  00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n __neigh_ifdown.llvm.6395807810224103582+0x44/0x390\n neigh_table_clear+0xb1/0x268\n ndisc_cleanup+0x21/0x38 [ipv6]\n init_module+0x2f5/0x468 [ipv6]\n do_one_initcall+0x1ba/0x628\n do_init_module+0x21a/0x530\n load_module+0x2550/0x2ea0\n __se_sys_finit_module+0x3d2/0x620\n __x64_sys_finit_module+0x76/0x88\n x64_sys_call+0x7ff/0xde8\n do_syscall_64+0xfb/0x1e8\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f575d6f2719\nCode: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719\nRDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004\nRBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00\nR10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000\nR13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270\n \u003c/TASK\u003e\nModules linked in: ipv6(+)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:21.686Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9c4328795697ebc392a63fece3901999c09cddd"
        },
        {
          "url": "https://git.kernel.org/stable/c/47fbd7f8df19bdfbe334ee83f35568c9a29221ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bbb76a899486827394530916f01214d049931b3"
        }
      ],
      "title": "neighbour: Fix null-ptr-deref in neigh_flush_dev().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38589",
    "datePublished": "2025-08-19T17:03:10.791Z",
    "dateReserved": "2025-04-16T04:51:24.026Z",
    "dateUpdated": "2025-09-29T05:54:21.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38659 (GCVE-0-2025-38659)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:01 – Updated: 2025-09-29 05:55

Title

gfs2: No more self recovery

Summary

In the Linux kernel, the following vulnerability has been resolved: gfs2: No more self recovery When a node withdraws and it turns out that it is the only node that has the filesystem mounted, gfs2 currently tries to replay the local journal to bring the filesystem back into a consistent state. Not only is that a very bad idea, it has also never worked because gfs2_recover_func() will refuse to do anything during a withdraw. However, before even getting to this point, gfs2_recover_func() dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") and is a NULL pointer dereference since then. Simply get rid of self recovery to fix that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1a91ba12abef628b4…
	https://git.kernel.org/stable/c/f5426ffbec971a8f7…
	https://git.kernel.org/stable/c/6784367b2f3cd7b89…
	https://git.kernel.org/stable/c/97c94c7dbddc34d35…
	https://git.kernel.org/stable/c/deb016c1669002e48…

Impacted products

Vendor

Product

Version

Linux

Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 1a91ba12abef628b43cada87478328274d988e88 (git)
Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < f5426ffbec971a8f7346a57392d3a901bdee5a9b (git)
Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 6784367b2f3cd7b89103de35764f37f152590dbd (git)
Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 97c94c7dbddc34d353c83b541b3decabf98d04af (git)
Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < deb016c1669002e48c431d6fd32ea1c20ef41756 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1a91ba12abef628b43cada87478328274d988e88",
              "status": "affected",
              "version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
              "versionType": "git"
            },
            {
              "lessThan": "f5426ffbec971a8f7346a57392d3a901bdee5a9b",
              "status": "affected",
              "version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
              "versionType": "git"
            },
            {
              "lessThan": "6784367b2f3cd7b89103de35764f37f152590dbd",
              "status": "affected",
              "version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
              "versionType": "git"
            },
            {
              "lessThan": "97c94c7dbddc34d353c83b541b3decabf98d04af",
              "status": "affected",
              "version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
              "versionType": "git"
            },
            {
              "lessThan": "deb016c1669002e48c431d6fd32ea1c20ef41756",
              "status": "affected",
              "version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: No more self recovery\n\nWhen a node withdraws and it turns out that it is the only node that has\nthe filesystem mounted, gfs2 currently tries to replay the local journal\nto bring the filesystem back into a consistent state.  Not only is that\na very bad idea, it has also never worked because gfs2_recover_func()\nwill refuse to do anything during a withdraw.\n\nHowever, before even getting to this point, gfs2_recover_func()\ndereferences sdp-\u003esd_jdesc-\u003ejd_inode.  This was a use-after-free before\ncommit 04133b607a78 (\"gfs2: Prevent double iput for journal on error\")\nand is a NULL pointer dereference since then.\n\nSimply get rid of self recovery to fix that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:55:41.837Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1a91ba12abef628b43cada87478328274d988e88"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5426ffbec971a8f7346a57392d3a901bdee5a9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6784367b2f3cd7b89103de35764f37f152590dbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c94c7dbddc34d353c83b541b3decabf98d04af"
        },
        {
          "url": "https://git.kernel.org/stable/c/deb016c1669002e48c431d6fd32ea1c20ef41756"
        }
      ],
      "title": "gfs2: No more self recovery",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38659",
    "datePublished": "2025-08-22T16:01:02.448Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2025-09-29T05:55:41.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38517 (GCVE-0-2025-38517)

Vulnerability from cvelistv5 – Published: 2025-08-16 10:55 – Updated: 2025-08-16 10:55

Title

lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()

Summary

In the Linux kernel, the following vulnerability has been resolved: lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() alloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even when the alloc_tag_cttype is not allocated because: 1) alloc tagging is disabled because mem profiling is disabled (!alloc_tag_cttype) 2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype) 3) alloc tagging is enabled, but failed initialization (!alloc_tag_cttype or IS_ERR(alloc_tag_cttype)) In all cases, alloc_tag_cttype is not allocated, and therefore alloc_tag_top_users() should not attempt to acquire the semaphore. This leads to a crash on memory allocation failure by attempting to acquire a non-existent semaphore: Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df] CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G D 6.16.0-rc2 #1 VOLUNTARY Tainted: [D]=DIE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:down_read_trylock+0xaa/0x3b0 Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 ff RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016 RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000 RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070 RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1 R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37 R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000 FS: 00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0 Call Trace: <TASK> codetag_trylock_module_list+0xd/0x20 alloc_tag_top_users+0x369/0x4b0 __show_mem+0x1cd/0x6e0 warn_alloc+0x2b1/0x390 __alloc_frozen_pages_noprof+0x12b9/0x21a0 alloc_pages_mpol+0x135/0x3e0 alloc_slab_page+0x82/0xe0 new_slab+0x212/0x240 ___slab_alloc+0x82a/0xe00 </TASK> As David Wang points out, this issue became easier to trigger after commit 780138b12381 ("alloc_tag: check mem_profiling_support in alloc_tag_init"). Before the commit, the issue occurred only when it failed to allocate and initialize alloc_tag_cttype or if a memory allocation fails before alloc_tag_init() is called. After the commit, it can be easily triggered when memory profiling is compiled but disabled at boot. To properly determine whether alloc_tag_init() has been called and its data structures initialized, verify that alloc_tag_cttype is a valid pointer before acquiring the semaphore. If the variable is NULL or an error value, it has not been properly initialized. In such a case, just skip and do not attempt to acquire the semaphore. [harry.yoo@oracle.com: v3]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/febc0b5dbabda4145…
	https://git.kernel.org/stable/c/22bf79c0c2301b6e1…
	https://git.kernel.org/stable/c/99af22cd34688cc0d…

Impacted products

Vendor

Product

Version

Linux

Affected: 1438d349d16b78d88f9e978a4a5496f078c8191b , < febc0b5dbabda414565bdfaaaa59d26f787d5fe7 (git)
Affected: 1438d349d16b78d88f9e978a4a5496f078c8191b , < 22bf79c0c2301b6e15a688220284b147774d277e (git)
Affected: 1438d349d16b78d88f9e978a4a5496f078c8191b , < 99af22cd34688cc0d535a1919e0bea4cbc6c1ea1 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "lib/alloc_tag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "febc0b5dbabda414565bdfaaaa59d26f787d5fe7",
              "status": "affected",
              "version": "1438d349d16b78d88f9e978a4a5496f078c8191b",
              "versionType": "git"
            },
            {
              "lessThan": "22bf79c0c2301b6e15a688220284b147774d277e",
              "status": "affected",
              "version": "1438d349d16b78d88f9e978a4a5496f078c8191b",
              "versionType": "git"
            },
            {
              "lessThan": "99af22cd34688cc0d535a1919e0bea4cbc6c1ea1",
              "status": "affected",
              "version": "1438d349d16b78d88f9e978a4a5496f078c8191b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "lib/alloc_tag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()\n\nalloc_tag_top_users() attempts to lock alloc_tag_cttype-\u003emod_lock even\nwhen the alloc_tag_cttype is not allocated because:\n\n  1) alloc tagging is disabled because mem profiling is disabled\n     (!alloc_tag_cttype)\n  2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype)\n  3) alloc tagging is enabled, but failed initialization\n     (!alloc_tag_cttype or IS_ERR(alloc_tag_cttype))\n\nIn all cases, alloc_tag_cttype is not allocated, and therefore\nalloc_tag_top_users() should not attempt to acquire the semaphore.\n\nThis leads to a crash on memory allocation failure by attempting to\nacquire a non-existent semaphore:\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G      D             6.16.0-rc2 #1 VOLUNTARY\n  Tainted: [D]=DIE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  RIP: 0010:down_read_trylock+0xaa/0x3b0\n  Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 ff\n  RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016\n  RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000\n  RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070\n  RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1\n  R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37\n  R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000\n  FS:  00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0\n  Call Trace:\n   \u003cTASK\u003e\n   codetag_trylock_module_list+0xd/0x20\n   alloc_tag_top_users+0x369/0x4b0\n   __show_mem+0x1cd/0x6e0\n   warn_alloc+0x2b1/0x390\n   __alloc_frozen_pages_noprof+0x12b9/0x21a0\n   alloc_pages_mpol+0x135/0x3e0\n   alloc_slab_page+0x82/0xe0\n   new_slab+0x212/0x240\n   ___slab_alloc+0x82a/0xe00\n   \u003c/TASK\u003e\n\nAs David Wang points out, this issue became easier to trigger after commit\n780138b12381 (\"alloc_tag: check mem_profiling_support in alloc_tag_init\").\n\nBefore the commit, the issue occurred only when it failed to allocate and\ninitialize alloc_tag_cttype or if a memory allocation fails before\nalloc_tag_init() is called.  After the commit, it can be easily triggered\nwhen memory profiling is compiled but disabled at boot.\n\nTo properly determine whether alloc_tag_init() has been called and its\ndata structures initialized, verify that alloc_tag_cttype is a valid\npointer before acquiring the semaphore.  If the variable is NULL or an\nerror value, it has not been properly initialized.  In such a case, just\nskip and do not attempt to acquire the semaphore.\n\n[harry.yoo@oracle.com: v3]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T10:55:04.217Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/febc0b5dbabda414565bdfaaaa59d26f787d5fe7"
        },
        {
          "url": "https://git.kernel.org/stable/c/22bf79c0c2301b6e15a688220284b147774d277e"
        },
        {
          "url": "https://git.kernel.org/stable/c/99af22cd34688cc0d535a1919e0bea4cbc6c1ea1"
        }
      ],
      "title": "lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38517",
    "datePublished": "2025-08-16T10:55:04.217Z",
    "dateReserved": "2025-04-16T04:51:24.023Z",
    "dateUpdated": "2025-08-16T10:55:04.217Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38675 (GCVE-0-2025-38675)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:04 – Updated: 2026-01-11 16:29

Title

xfrm: state: initialize state_ptrs earlier in xfrm_state_find

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: state: initialize state_ptrs earlier in xfrm_state_find In case of preemption, xfrm_state_look_at will find a different pcpu_id and look up states for that other CPU. If we matched a state for CPU2 in the state_cache while the lookup started on CPU1, we will jump to "found", but the "best" state that we got will be ignored and we will enter the "acquire" block. This block uses state_ptrs, which isn't initialized at this point. Let's initialize state_ptrs just after taking rcu_read_lock. This will also prevent a possible misuse in the future, if someone adjusts this function.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6bf2daafc51bcb927…
	https://git.kernel.org/stable/c/463562f9591742be6…
	https://git.kernel.org/stable/c/94d077c331730510d…

Impacted products

Vendor

Product

Version

Linux

Affected: a16871c7832ea6435abb6e0b58289ae7dcb7e4fc , < 6bf2daafc51bcb9272c0fdff2afd38217337d0d3 (git)
Affected: e952837f3ddb0ff726d5b582aa1aad9aa38d024d , < 463562f9591742be62ddde3b426a0533ed496955 (git)
Affected: e952837f3ddb0ff726d5b582aa1aad9aa38d024d , < 94d077c331730510d5611b438640a292097341f0 (git)
Affected: b86dc510308d7a8955f3f47a4fea4bef887653e4 (git)
Affected: dd4c2a174994238d55ab54da2545543d36f4e0d0 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6bf2daafc51bcb9272c0fdff2afd38217337d0d3",
              "status": "affected",
              "version": "a16871c7832ea6435abb6e0b58289ae7dcb7e4fc",
              "versionType": "git"
            },
            {
              "lessThan": "463562f9591742be62ddde3b426a0533ed496955",
              "status": "affected",
              "version": "e952837f3ddb0ff726d5b582aa1aad9aa38d024d",
              "versionType": "git"
            },
            {
              "lessThan": "94d077c331730510d5611b438640a292097341f0",
              "status": "affected",
              "version": "e952837f3ddb0ff726d5b582aa1aad9aa38d024d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b86dc510308d7a8955f3f47a4fea4bef887653e4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dd4c2a174994238d55ab54da2545543d36f4e0d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: state: initialize state_ptrs earlier in xfrm_state_find\n\nIn case of preemption, xfrm_state_look_at will find a different\npcpu_id and look up states for that other CPU. If we matched a state\nfor CPU2 in the state_cache while the lookup started on CPU1, we will\njump to \"found\", but the \"best\" state that we got will be ignored and\nwe will enter the \"acquire\" block. This block uses state_ptrs, which\nisn\u0027t initialized at this point.\n\nLet\u0027s initialize state_ptrs just after taking rcu_read_lock. This will\nalso prevent a possible misuse in the future, if someone adjusts this\nfunction."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:22.708Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6bf2daafc51bcb9272c0fdff2afd38217337d0d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/463562f9591742be62ddde3b426a0533ed496955"
        },
        {
          "url": "https://git.kernel.org/stable/c/94d077c331730510d5611b438640a292097341f0"
        }
      ],
      "title": "xfrm: state: initialize state_ptrs earlier in xfrm_state_find",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38675",
    "datePublished": "2025-08-22T16:04:12.688Z",
    "dateReserved": "2025-04-16T04:51:24.031Z",
    "dateUpdated": "2026-01-11T16:29:22.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38469 (GCVE-0-2025-38469)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-07-28 11:21

Title

KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host for more than one event channel potr (nr_ports > 1). After the kmalloc_array(), the error paths need to go through the "out" label, but the call to kvm_read_guest_virt() does not. [Adjusted commit message. - Paolo]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ee59c38ae7369ad1…
	https://git.kernel.org/stable/c/fd627ac8a5cff4d45…
	https://git.kernel.org/stable/c/061c553c66bc1638c…
	https://git.kernel.org/stable/c/5a53249d149f48b55…

Impacted products

Vendor

Product

Version

Linux

Affected: 92c58965e9656dc6e682a8ffe520fac0fb256d13 , < 3ee59c38ae7369ad1f7b846e05633ccf0d159fab (git)
Affected: 92c58965e9656dc6e682a8ffe520fac0fb256d13 , < fd627ac8a5cff4d45269f164b13ddddc0726f2cc (git)
Affected: 92c58965e9656dc6e682a8ffe520fac0fb256d13 , < 061c553c66bc1638c280739999224c8000fd4602 (git)
Affected: 92c58965e9656dc6e682a8ffe520fac0fb256d13 , < 5a53249d149f48b558368c5338b9921b76a12f8c (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/xen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ee59c38ae7369ad1f7b846e05633ccf0d159fab",
              "status": "affected",
              "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13",
              "versionType": "git"
            },
            {
              "lessThan": "fd627ac8a5cff4d45269f164b13ddddc0726f2cc",
              "status": "affected",
              "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13",
              "versionType": "git"
            },
            {
              "lessThan": "061c553c66bc1638c280739999224c8000fd4602",
              "status": "affected",
              "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13",
              "versionType": "git"
            },
            {
              "lessThan": "5a53249d149f48b558368c5338b9921b76a12f8c",
              "status": "affected",
              "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/xen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls\n\nkvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host\nfor more than one event channel potr (nr_ports \u003e 1).\n\nAfter the kmalloc_array(), the error paths need to go through the\n\"out\" label, but the call to kvm_read_guest_virt() does not.\n\n[Adjusted commit message. - Paolo]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:30.992Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ee59c38ae7369ad1f7b846e05633ccf0d159fab"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd627ac8a5cff4d45269f164b13ddddc0726f2cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/061c553c66bc1638c280739999224c8000fd4602"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a53249d149f48b558368c5338b9921b76a12f8c"
        }
      ],
      "title": "KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38469",
    "datePublished": "2025-07-28T11:21:30.992Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-07-28T11:21:30.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38569 (GCVE-0-2025-38569)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39

Title

benet: fix BUG when creating VFs

Summary

In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0x5f/0x70 [...] Call Trace: <TASK> __iommu_dma_free+0xe8/0x1c0 be_cmd_set_mac_list+0x3fe/0x640 [be2net] be_cmd_set_mac+0xaf/0x110 [be2net] be_vf_eth_addr_config+0x19f/0x330 [be2net] be_vf_setup+0x4f7/0x990 [be2net] be_pci_sriov_configure+0x3a1/0x470 [be2net] sriov_numvfs_store+0x20b/0x380 kernfs_fop_write_iter+0x354/0x530 vfs_write+0x9b9/0xf60 ksys_write+0xf3/0x1d0 do_syscall_64+0x8c/0x3d0 be_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh. Fix it by freeing only after the lock has been released.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3697e37e012bbd2bb…
	https://git.kernel.org/stable/c/975e73b9102d844a3…
	https://git.kernel.org/stable/c/f80b34ebc57921640…
	https://git.kernel.org/stable/c/46d44a23a3723a89d…
	https://git.kernel.org/stable/c/c377ba2be9430d165…
	https://git.kernel.org/stable/c/0ddfe8b127ef1149f…
	https://git.kernel.org/stable/c/d5dc09ee5d74277bc…
	https://git.kernel.org/stable/c/f4e4e0c4bc4d799d6…
	https://git.kernel.org/stable/c/5a40f8af2ba1b9bdf…

Impacted products

Vendor

Product

Version

Linux

Affected: 797bb9439c0489bbea4b8808297ec7a569098667 , < 3697e37e012bbd2bb5a5b467689811ba097b2eff (git)
Affected: 7cfae8627511361f90a1a22dfae556c3fbc5bd8d , < 975e73b9102d844a3dc3f091ad631c56145c8b4c (git)
Affected: 671aaa17bd3153e25526934f92307169ce927b5e , < f80b34ebc579216407b128e9d155bfcae875c30f (git)
Affected: 4393452e6c0c027971ec9bcc9557f52e63db3f0a , < 46d44a23a3723a89deeb65b13cddb17f8d9f2700 (git)
Affected: 41d731e7920387ea13e2fb440a1e235686faeeb9 , < c377ba2be9430d165a98e4b782902ed630bc7546 (git)
Affected: fd1ef3b1bdd3fec683ebd19eb3acc6a2cb60b5c6 , < 0ddfe8b127ef1149fddccb79db6e6eaba7738e7d (git)
Affected: 1a82d19ca2d6835904ee71e2d40fd331098f94a0 , < d5dc09ee5d74277bc47193fe28ce8703e229331b (git)
Affected: 1a82d19ca2d6835904ee71e2d40fd331098f94a0 , < f4e4e0c4bc4d799d6fa39055acdbc3af066cd13e (git)
Affected: 1a82d19ca2d6835904ee71e2d40fd331098f94a0 , < 5a40f8af2ba1b9bdf46e2db10e8c9710538fbc63 (git)
Affected: 227a829c9067bf03b1967e7e0b1a6777fd57edef (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:57.223Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/emulex/benet/be_cmds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3697e37e012bbd2bb5a5b467689811ba097b2eff",
              "status": "affected",
              "version": "797bb9439c0489bbea4b8808297ec7a569098667",
              "versionType": "git"
            },
            {
              "lessThan": "975e73b9102d844a3dc3f091ad631c56145c8b4c",
              "status": "affected",
              "version": "7cfae8627511361f90a1a22dfae556c3fbc5bd8d",
              "versionType": "git"
            },
            {
              "lessThan": "f80b34ebc579216407b128e9d155bfcae875c30f",
              "status": "affected",
              "version": "671aaa17bd3153e25526934f92307169ce927b5e",
              "versionType": "git"
            },
            {
              "lessThan": "46d44a23a3723a89deeb65b13cddb17f8d9f2700",
              "status": "affected",
              "version": "4393452e6c0c027971ec9bcc9557f52e63db3f0a",
              "versionType": "git"
            },
            {
              "lessThan": "c377ba2be9430d165a98e4b782902ed630bc7546",
              "status": "affected",
              "version": "41d731e7920387ea13e2fb440a1e235686faeeb9",
              "versionType": "git"
            },
            {
              "lessThan": "0ddfe8b127ef1149fddccb79db6e6eaba7738e7d",
              "status": "affected",
              "version": "fd1ef3b1bdd3fec683ebd19eb3acc6a2cb60b5c6",
              "versionType": "git"
            },
            {
              "lessThan": "d5dc09ee5d74277bc47193fe28ce8703e229331b",
              "status": "affected",
              "version": "1a82d19ca2d6835904ee71e2d40fd331098f94a0",
              "versionType": "git"
            },
            {
              "lessThan": "f4e4e0c4bc4d799d6fa39055acdbc3af066cd13e",
              "status": "affected",
              "version": "1a82d19ca2d6835904ee71e2d40fd331098f94a0",
              "versionType": "git"
            },
            {
              "lessThan": "5a40f8af2ba1b9bdf46e2db10e8c9710538fbc63",
              "status": "affected",
              "version": "1a82d19ca2d6835904ee71e2d40fd331098f94a0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "227a829c9067bf03b1967e7e0b1a6777fd57edef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/emulex/benet/be_cmds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "6.1.131",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.6.83",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.12.19",
                  "vulnerable": true

CERTFR-2025-AVI-1075

Solutions

Action not permitted

CERTFR-2025-AVI-1075

Solutions

CVE-2025-38707 (GCVE-0-2025-38707)

CVE-2025-40026 (GCVE-0-2025-40026)

CVE-2025-38227 (GCVE-0-2025-38227)

CVE-2025-38566 (GCVE-0-2025-38566)

CVE-2025-38483 (GCVE-0-2025-38483)

CVE-2025-40300 (GCVE-0-2025-40300)

CVE-2025-38510 (GCVE-0-2025-38510)

CVE-2025-38665 (GCVE-0-2025-38665)

CVE-2025-39817 (GCVE-0-2025-39817)

CVE-2025-39844 (GCVE-0-2025-39844)

CVE-2025-38472 (GCVE-0-2025-38472)

CVE-2022-50327 (GCVE-0-2022-50327)

CVE-2025-38622 (GCVE-0-2025-38622)

CVE-2025-38683 (GCVE-0-2025-38683)

CVE-2025-38439 (GCVE-0-2025-38439)

CVE-2025-38556 (GCVE-0-2025-38556)

CVE-2025-38631 (GCVE-0-2025-38631)

CVE-2025-39809 (GCVE-0-2025-39809)

CVE-2025-38648 (GCVE-0-2025-38648)

CVE-2025-38626 (GCVE-0-2025-38626)

CVE-2025-38437 (GCVE-0-2025-38437)

CVE-2025-39806 (GCVE-0-2025-39806)

CVE-2025-38609 (GCVE-0-2025-38609)

CVE-2024-35867 (GCVE-0-2024-35867)

CVE-2025-38555 (GCVE-0-2025-38555)

CVE-2025-38610 (GCVE-0-2025-38610)

CVE-2025-38547 (GCVE-0-2025-38547)

CVE-2025-38602 (GCVE-0-2025-38602)

CVE-2025-39812 (GCVE-0-2025-39812)

CVE-2025-38512 (GCVE-0-2025-38512)

CVE-2025-40027 (GCVE-0-2025-40027)

CVE-2024-50095 (GCVE-0-2024-50095)

CVE-2025-38666 (GCVE-0-2025-38666)

CVE-2025-21715 (GCVE-0-2025-21715)

CVE-2025-38573 (GCVE-0-2025-38573)

CVE-2025-39734 (GCVE-0-2025-39734)

CVE-2025-39808 (GCVE-0-2025-39808)

CVE-2023-53074 (GCVE-0-2023-53074)

CVE-2025-38470 (GCVE-0-2025-38470)

CVE-2025-38615 (GCVE-0-2025-38615)

CVE-2025-38724 (GCVE-0-2025-38724)

CVE-2025-38562 (GCVE-0-2025-38562)

CVE-2025-38443 (GCVE-0-2025-38443)

CVE-2022-49026 (GCVE-0-2022-49026)

CVE-2025-38530 (GCVE-0-2025-38530)

CVE-2024-36331 (GCVE-0-2024-36331)

CVE-2025-40109 (GCVE-0-2025-40109)

CVE-2025-38546 (GCVE-0-2025-38546)

CVE-2025-38503 (GCVE-0-2025-38503)

CVE-2025-38507 (GCVE-0-2025-38507)

CVE-2025-39697 (GCVE-0-2025-39697)

CVE-2025-38525 (GCVE-0-2025-38525)

CVE-2025-38653 (GCVE-0-2025-38653)

CVE-2025-38624 (GCVE-0-2025-38624)

CVE-2025-38480 (GCVE-0-2025-38480)

CVE-2025-38662 (GCVE-0-2025-38662)

CVE-2025-38582 (GCVE-0-2025-38582)

CVE-2025-38553 (GCVE-0-2025-38553)

CVE-2025-38473 (GCVE-0-2025-38473)

CVE-2025-38586 (GCVE-0-2025-38586)

CVE-2025-39724 (GCVE-0-2025-39724)

CVE-2025-39714 (GCVE-0-2025-39714)

CVE-2025-39853 (GCVE-0-2025-39853)

CVE-2024-50061 (GCVE-0-2024-50061)

CVE-2025-38532 (GCVE-0-2025-38532)

CVE-2025-39845 (GCVE-0-2025-39845)

CVE-2025-38614 (GCVE-0-2025-38614)

CVE-2025-39846 (GCVE-0-2025-39846)

CVE-2025-38537 (GCVE-0-2025-38537)

CVE-2025-40028 (GCVE-0-2025-40028)

CVE-2025-39894 (GCVE-0-2025-39894)

CVE-2025-37968 (GCVE-0-2025-37968)

CVE-2025-38528 (GCVE-0-2025-38528)

CVE-2025-39681 (GCVE-0-2025-39681)

CVE-2025-37958 (GCVE-0-2025-37958)

CVE-2025-39683 (GCVE-0-2025-39683)

CVE-2025-39848 (GCVE-0-2025-39848)